What is a penetration test? And what are the most important steps IAV can take for customers?
Penetration testing plays a crucial role in assessing the cybersecurity of a product, such as a vehicle. In contrast to requirements-based functional testing from software development, which follows a strict pattern, penetration tests are exploratory tests. While functional testing involves setting requirements for the software and checking whether it implements them correctly through one or more test cases per requirement, penetration testing aims to elicit undesirable behavior from the software. We try to exploit this behavior to achieve a certain effect, such as stealing protected data.
How is the process of a penetration test carried out?
First, we define the test focus with our customers. In this, we determine which key topics we want to concentrate on. This step is important because, unlike cyber criminals, we are limited in terms of time and capacity. In the test focus, we define a model of the attacker and identify attack opportunities that we want to investigate.
The typical steps of a penetration test include planning, in which the test focus and the attacker model already play a role. We then scan the target system to gather as much information as possible about potential vulnerabilities. If we find vulnerabilities, we attack them. If some of these attacks are successful, we try to penetrate deeper and exploit the vulnerability to cause a specific damage scenario. Finally, we document our findings and start the next round of test focus planning with our customers.
Do functional tests or their results also play a role in this approach?
Exploratory testing is at the heart of our penetration testing process. Especially when scanning, it is important that we actively provoke unwanted behavior in the system. For example, one step could be to carry out functional tests and supplement these with negative tests. In these functional tests, we expect the software not to react or to issue an error message. We can also extend this with fuzz testing to perform a wide range of software stimulation. This is how we discover unexpected behavior of a system, where we then dig deeper and drill further.
How is an attacker model developed as part of a penetration test at IAV?
To develop an attacker model for a penetration test at IAV, we ask ourselves how a potential attacker would proceed to discover and exploit vulnerabilities in the system. We pay particular attention to the attacker's skills, equipment and motivation. We define the attackers to be investigated together with our customers. This is crucial in order to be able to carry out the penetration test in a targeted manner.
Which tools or techniques does IAV use for penetration tests?
We use various tools and techniques for our penetration tests. We have been using some of these for a long time in vehicle development, such as DiagRA. Our testers create special test scripts to uncover vulnerabilities in the CAN bus. Another tool is Kali Linux, which can use many programs for penetration tests and digital forensics. We customize the various libraries and scripts specifically for our test tasks, especially for network tests. We also use HW analysis methods. This includes identifying and contacting debug interfaces and reading out the software present on the ECU. Sometimes we desolder the chip of an ECU and place it on an adapter for reading out on the PC. We then make the read-out binary software readable for humans using tools such as IDA Pro. Then we manipulate the software and try to upload it to the chip and reinstall it in the ECU.
Can you give an example of a security vulnerability that was discovered during a penetration test and subsequently fixed?
We actually discovered a security vulnerability in a project in which the flashback protection of an ECU could be bypassed. After successfully flashing the software, i.e. installing the ECU software, the same key could be used to flash the ECU to an older or manipulated version. Fortunately, this loophole was rectified by the supplier after our report.
How does IAV go about assessing the cybersecurity of a connected vehicle? What challenges arise here, and how are they overcome?
To assess the cybersecurity of a connected vehicle, we basically work with a layered model. First, we look at wireless communication channels that can also be carried out over longer distances, such as mobile radio or WLAN in the immediate vicinity. These pose the greatest risks to a vehicle fleet due to their scalability of damage. Next, we check wireless interfaces in the immediate vicinity of the vehicle, i.e. Bluetooth and NFC. Here, we first check all remote interfaces for vulnerabilities and possible attack vectors. V2X is also an important aspect for the future. Then, as a third layer, we check the communication network and the local interfaces, such as the car's USB ports. Finally, we examine the ECU hardware and the security of the network of critical functions.
What services does the IAV Security Lab offer its customers?
We offer various services in the IAV Security Lab. These include testing ECUs, carrying out security code reviews, testing complete vehicles and, in the future, we are also planning to test the communication of charging stations. The security lab is an essential part of our holistic strategy to protect vehicles against cyberattacks. We offer all services within the framework of UN ECE155 and ISO 21434.
How do you stay up to date with the latest threats and vulnerabilities in the automotive industry?
We use various sources to keep track of current threats and vulnerabilities in the automotive industry. We are members of associations of security researchers, subscribe to newsletters, use databases and take part in specialist conferences. In this way, we gather important findings that we integrate into our tests if they have not yet been taken into account.
Contact: