IT-based penetration testing (pen-testing) is a well-known method of conducting a simulation of a cyber attack. In a pen-testing project, researchers imitate a hacker’s behavior, methods, and tools in order to simulate a real world attack scenario on the enterprise computer network to find vulnerabilities and other security gaps or to validate that security requirements were implemented properly.
With vehicles becoming increasingly connected and software driven, and in the wake of UNECE R155, pen-testing vehicles has now become a critical step for OEMs and Tier 1s seeking to reduce their cyber risk exposure. After completing dozens of pen-testing projects for OEMs and Tier 1s, with a 100% success rate of penetration, we came up with this list of MUST DO’s of vehicle pen-testing to ensure that you get the most out of your next vehicle pen-test.
Vehicle Penetration Testing Must-Do #1: Use Your Pen Test Time Wisely
After all, it’s about penetrating your vehicle, not your pocket.
Often, OEMs and Tier 1s fall victim to the misconception that they will get the best results from a pen-test if they make it as hard as possible for the pen-testing team, providing them with almost no information about the object being tested. What is commonly known as a black box project – one in which the researchers are provided with absolutely no information about the target component.
However, determined hackers will always be able to hack the system, it is just a matter of time. The big question is what vulnerabilities lay in the code and what other security gaps will they find. This is the true purpose of a pen-test.
For example, in one Argus pen-testing project, the pen-testing team was asked to perform a test of a telematics unit. The team spent weeks extracting the unit’s firmware, reverse-engineering the software, and building a decompiler in order to study the code. While the researchers enjoyed the challenge, two valuable weeks were invested in retrieving the telematic unit’s code, instead of finding vulnerabilities. We eventually identified multiple vulnerabilities but could have used the additional month to find more security gaps and ultimately contribute to increasing the cyber-safety of the unit .
Vehicle Penetration Testing Must-Do #2: Share Critical Information with Your Pen-Testers
If I don’t know what you’re protecting against, I am going to have to guess what to test
In a Threat Analysis and Risk Assessment (TARA) project, the vehicle architecture, systems, and different ECUs are being assessed for cyber threats. Threat analysis identifies and models the relevant threats, and risk assessment classifies the impact and likelihood associated with each threat. This helps OEMs understand the vehicle security posture at a very early stage of the vehicle design and development process.
OEMs and Tier 1s sometimes choose not to share the threat assessment with the pen testers, out of the assumption that this information is irrelevant or confidential.
Full transparency leads to optimal results. Performing a pen-test based on a prior threat assessment will enable the test team to focus their efforts on high priority threats. By not sharing a threat assessment report, you are paying for the pen test team to run their own assessment in order for them to determine what to test.
Vehicle Penetration Testing Must-Do #3: Treat It Like Any Project
By failing to prepare, you are preparing to fail
Pen-tests should be managed like any project, by both the organization performing the test and the OEM initiating the project.
A project includes multiple stages, for example: requirements analysis, scope definition, test strategy, identification of the required tools, effort estimations, and a project plan. These are all crucial steps to the success of a pen testing project. Our pen-test team learned the importance of prior preparation in one memorable pen-testing project. The team was tasked with performing a pen test on a unit that was not connected to the cellular network, with all of its connected features disabled. This oversight resulted in a two month delay that could have been avoided.
Vehicle pen-testing is a project; every complex project requires proper planning.
Vehicle Penetration Testing Must-Do #4: Know When to Stop
The proof is not in the pudding
In a typical pen-testing project, after mapping all the vulnerabilities discovered, the pen testers may try to exploit them based on the OEM or Tier 1 requirements. Exploiting vulnerabilities is time and resource consuming, as the pen testers need to use their background as well as their intuition in order to demonstrate the different attacks.
As determined hackers will always succeed in exploiting the vulnerabilities discovered, pen-testers should only exploit vulnerabilities when the added value is absolutely clear. For example, when it is necessary to prove to upper management the impact of an attack, which in most cases is already well understood.
Determine your pen-testing goals ahead of time and stop when you’ve reached them.
Vehicle Penetration Testing Must-Do #5: Prepare for the Unexpected!
Expect the best, plan for the worst, and prepare to be surprised
Vehicle pen-testing projects can have serious consequences for car OEMs and Tier 1s, as researchers might discover vulnerabilities in vehicles that are already on the road. Without over-the-air security update capabilities, the automaker will be forced to initiate a cyber recall, which can potentially lead to significant financial and brand damage. Automakers initiating pen-testing projects should always be prepared for the worst and have an incident response plan in place.
Vehicle Penetration Testing Must-Do #6: Align Expectations in the Organization
Sharing is caring!
OEMs and Tier 1s face the same challenge many large organizations are facing – the challenge of effective knowledge transfer. Often, a pen-testing project is initiated by a specific department, that doesn’t share the results internally in the organization.
In a past project, the Argus Research Team was asked to pen-test a unit by a Tier 1’s team in a specific region. Later we learned the results were not shared with teams in other regions, working on the exact same unit. Lack of knowledge transfer leads to inefficiencies inside the organization, and does not bring us closer to our goal of improving the security posture of the units tested.
On behalf of the Argus research team, I hope these tips will help you to optimize your automotive pen testing projects. If you would like to discuss an upcoming pen testing project, or have any other related questions, fill out the form below and one of our pen-test experts will get back to you shortly.