The Top 3 Security Aspects of Pentests in Automotive Cyber Security

20. September 2023

Connected Vehicles: Infotainment. Autonomous Driving. Cloud Backend.

Amidst these developments, new opportunities are emerging for businesses, but also entirely new attack paths for cybercriminals. At the same time, these developments pose new challenges for cybersecurity assessments.
A significant tool in this context is penetration testing, or pentest for short.

To take a closer look at this important topic, Tim Kranz, responsible for usd pentests, took the online stage for the webinar "Cyber Security Testing for Product and Company: Pentesting, Code Analysis and Other Methods." This event is part of the webinar series "Secure Connected Vehicles - Challenge, Opportunities and Risks for the Industry in Bayern" organized by bayern innovativ.

This event series focuses on cybersecurity questions in the automotive, commercial vehicle and supplier industries. In his presentation, Kranz provided insights into security assessment through penetration testing and now shares his three key findings from the event.


1) Car2Car, Car2X, Car2Cloud: Networking creates attack vectors

Modern vehicles are equipped with integrated computer systems that communicate with each other, their environment and the traffic infrastructure through interfaces. These enable functions such as infotainment systems, on-board computers and autonomous driving, while also providing remote access via the cloud and backend systems.

This networking poses security risks, as hackers could exploit vulnerabilities in these components to infiltrate vehicles or even take control of them remotely. Therefore, a thorough security review of these interfaces is essential.

2) Pentests and technology-specific analyses enhance automotive industry security

The IT environment of connected vehicles consists of conventional software and IT components as well as tailored solutions.

For security assessment of conventional components in the automotive industry, traditional pentests are suitable. For example, the backend system can be examined for vulnerabilities through a classic system pentest, or the cloud environment can be examined with a cloud security audit or cloud pentest. The smartphone app for managing one's own vehicle can be analyzed with a classic mobile penetration test.

On the other hand, to check a wireless car key for security vulnerabilities, a technology-specific analysis is advisable, involving an inspection of the cryptography and protocols used.

3) Tailored security testing: Aligned with individual protection needs

An important aspect is adapting the security assessments to the individual protection needs of each vehicle component. Not all components require the same intensity of security testing. It is crucial to concentrate resources on the most vulnerable areas and adjust the depth of testing accordingly.
For example, it is particularly important to subject critical components that have a direct or indirect impact on traffic safety or vehicle control to intensive security assessment. This is of utmost importance due to the potential impact on road traffic.

Depending on the type of component to be tested, addressing vulnerabilities can become a major challenge. If vulnerabilities are found in components that may be installed thousands of times in the vehicle and cannot be remedied through over-the-air updates, replacement can be costly for the manufacturer. For this reason, we recommend considering security assessments early in the production cycle.


Would you like to learn more about our security solutions? Contact us. We are happy to assist you.
