The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own held its first-ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers had identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years; however, they are only now becoming popular in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have negative connotations, the ethical hacking performed at these events is better described by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by hacking into specific components of a vehicle. This proactive form of cybersecurity testing uncovers security gaps in a controlled environment.

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover not only the vulnerabilities within the system but also the various entry points and attack vectors that can be used to exploit those vulnerabilities.

For instance, to identify security gaps in a vehicle’s external communications, a hacker may conduct a penetration test on the ECUs responsible for a vehicle’s connectivity functions, like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments, manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, requires manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations, manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect and respond to possible cyber attacks, and log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).

As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.

3 Ways of Testing Automotive Cybersecurity Management Systems

The future looks bright for connected and autonomous vehicles (CAVs). In fact, analysts at McKinsey say that by 2030, 45% of new vehicles will be at SAE level 3 or higher, with market share value at 450 to 750 Billion USD. But as the market grows, so does the risk of cybercrime targeting new automotive technologies. This is precisely the reason that governments and manufacturers are on edge, implementing regulations like the 2020 WP.29 regulations mandating that cybersecurity management systems be in place. In the next couple of years, manufacturers will have to ensure that their vehicle models meet the requirements to obtain type approval for cybersecurity measures. However, what many tend to forget is that implementation of a cybersecurity management system (CSMS) is not the end of the road. Testing is a major part of ensuring that the CSMS is fulfilling its duties. After all, there is really no point in implementing a system if you cannot be sure that it is working properly.

Here are the tests that will help make sure that the CSMS is really safeguarding your vehicle, defending your car and its systems from potential attacks.

1) Vulnerability Scanning

In any cybersecurity management system, assessing and mitigating vulnerabilities is key to ensuring that the product is functioning at the maximum level of security. Vulnerability scanning is not a one-time check, but should be executed at each level of the product development process to allow for maximum mitigation and comprehensive analysis of additional threats.

There are two specific types of testing to take note of in vulnerability scanning, and both are equally important.

Software Static Testing

Software static testing means testing the source or object code without executing it in order to find and eliminate errors or ambiguities. It is usually done in the early stages of development. This step is crucial as it can uncover major issues like leaks, buffer overflows, and deviations from standards. Because testing is done at an early stage, it can guard against increased development timescales and leave fewer issues to be found at later stages of development, when they can often be much more costly and time-consuming to fix.

Software Dynamic Testing

Static testing’s counterpart, dynamic testing, executes the code in order to find weak areas in runtime environments and in the behavior of dynamic variables. The main goal of dynamic testing is to make sure that the system is functioning properly without any flaws. Since the code is actually executed, dynamic testing can take a bit longer than static testing and can increase the costs of the final product, as the flaws that are found will take more resources to mitigate. However, dynamic testing will find the issues that were missed by static testing, usually finding more complex defects.

2) Fuzz Testing, or “Fuzzing”

The next step is “fuzzing” or fuzz testing. Fuzz testing means feeding “fuzz” (invalid or random data) into the application or software in order to monitor for crashes, potential memory leaks, or failed code. This invalid or random data is usually generated by an automatic program.

Fuzzing can be useful because it adds an element that cannot be generated by a human. However, there are limitations, as it usually detects simple or basic threats, meaning it needs to be combined with other testing techniques to fully secure your security management system.
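
The fuzzing loop described above, as an added example that is not part of the original post or of AutoCrypt's tooling: a small mutation fuzzer run in-process against a toy message parser, once with and once without its length check. The message layout ([id][declared length][payload]) and the names parse_frame, mutate, fuzz and VALID are hypothetical and constructed for illustration.

```python
import random

def parse_frame(frame: bytes, checked: bool) -> bytes:
    """Parse a constructed toy message: [id][declared_len][payload...]."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    declared = frame[1]
    if checked and declared > len(frame) - 2:
        raise ValueError("declared length exceeds received data")
    # Byte-by-byte read stands in for a C copy loop: without the check above,
    # a lying length field walks past the end of the buffer (IndexError here).
    return bytes(frame[2 + i] for i in range(declared))

def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random mutations: overwrite a byte, truncate, or append."""
    data = bytearray(sample)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(3)
        if choice == 0:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice == 1 and len(data) > 1:
            del data[rng.randrange(1, len(data)):]
        else:
            data.append(rng.randrange(256))
    return bytes(data)

VALID = bytes([0x10, 4, 0xDE, 0xAD, 0xBE, 0xEF])  # constructed sample input

def fuzz(checked: bool, runs: int = 2000, seed: int = 1) -> list:
    """Return every generated input that made the parser fail uncleanly."""
    rng = random.Random(seed)
    findings = []
    for _ in range(runs):
        case = mutate(VALID, rng)
        try:
            parse_frame(case, checked)
        except ValueError:
            pass  # clean rejection of malformed input is the desired behaviour
        except Exception:
            findings.append(case)  # any other failure is a finding to triage
    return findings

if __name__ == "__main__":
    print("unchecked parser:", len(fuzz(checked=False)), "failing inputs")
    print("checked parser:  ", len(fuzz(checked=True)), "failing inputs")
```

Every finding against the unchecked parser is a frame whose declared length exceeds the bytes actually received, which is the kind of simple defect random mutation reaches quickly.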

3) Penetration Testing

While fuzzing uses random or invalid data to test the system, penetration testing (also known as “pentesting”) utilizes known cyberattacks or vulnerabilities to initiate simulated attacks, identifying potential vulnerabilities and selecting countermeasures to mitigate those vulnerabilities. Think of pentesting as getting someone to act like a car thief to try to break into your car and gain access: through this “ploy” to take over, the manufacturer can learn a lot about how they can better secure their vehicle’s access systems.

Through pentesting and finding flaws within the cybersecurity infrastructure, manufacturers can upgrade their security systems to remediate any flaws in the system.

Testing is a major part of CSMS; arguably, it is just as important as the CSMS itself. However, as the many different techniques show, there is no single test that will ensure that a cybersecurity management system is perfectly foolproof. By regularly utilizing different testing techniques like fuzzing or pentesting, manufacturers can ensure comprehensive security. As technological developments are constantly being applied in a vehicle, the system will need to go through multiple rounds and various types of tests to ensure that the risk is as minimal as possible.

If working with a security solutions provider to implement your CSMS, ensure that they will be routinely testing and working with you as the client long-term.