{"id":6906,"date":"2018-01-15T09:06:49","date_gmt":"2018-01-15T08:06:49","guid":{"rendered":"https:\/\/www.intellias.com\/?p=6906"},"modified":"2024-04-26T13:26:37","modified_gmt":"2024-04-26T11:26:37","slug":"penetration-testing-of-connected-car-apps","status":"publish","type":"post","link":"https:\/\/intellias.com\/penetration-testing-of-connected-car-apps\/","title":{"rendered":"Penetration Testing of Connected Car Apps"},"content":{"rendered":"

Business challenge<\/h2>\n

One of the world\u2019s biggest automotive companies, our German client operates dozens of manufacturing facilities across Europe, Asia, Africa, and the Americas. Their production workforce comprises more than a quarter of a million people. Our client\u2019s product range includes vehicles of every kind, size, and purpose under more than half a dozen brands. They bring in hundreds of billions of euros in annual revenue selling vehicles and spare parts worldwide.<\/p>\n

\"Penetration<\/p>\n

Since Henry Ford\u2019s introduction of\u00a0assembly line manufacturing for the\u00a0Model T, the automotive<\/a> industry has seen only a few genuinely groundbreaking\u00a0technologies.\u00a0The\u00a0IoT-powered\u00a0connected car\u00a0can\u00a0definitely\u00a0be\u00a0regarded as\u00a0one\u00a0of\u00a0these\u00a0few.\u00a0<\/span><\/p>\n

As an innovative company, our client has introduced a number of extended IoT connectivity features into their entire range of passenger cars. But as with all things linked to the web, connected cars tend to be inherently hackable. That\u2019s way our client searched for a reliable security partner<\/a> to ensure driver safety and privacy. With years of diverse experience in the automotive domain, Intellias was a good fit. Our client requested a series of security assessments and car penetration tests on their connected cars and the underlying ecosystem.<\/p>\n

Technology solution<\/h2>\n

We kicked off this partnership with a series of requirements management workshops that involved our client\u2019s product teams and our own team, which was composed of a security architect and two car penetration testing engineers. These workshops yielded valuable input for threat modelling. We managed to identify a range of potential threat agents, vulnerabilities, at-risk information assets, and impacts of exploitation. Our testing gear included an actual car that we communicated with remotely.<\/p>\n

We mostly performed manual tests, as little could be automated with off-the-shelf solutions. We used automated testing for basic coverage, however, including to test insecure storage of sensitive data and leaks of personally identifiable information (PII). Manual testing covered the whole attack surface and included network analysis, web and mobile penetration testing, code analysis, and reverse engineering.<\/p>\n

We mimicked client-side attacks against smartphone apps (iOS and Android) and smartwatch apps (watchOS, Android Wear, and Tizen) to enable remote vehicle access, perform infotainment operations, and breach emergency services. In particular, our team set up dedicated infrastructure that allowed us to sniff Bluetooth traffic to ensure the security of smartwatch-smartphone communications.<\/p>\n

To perform automotive security penetration testing, our team simulated two types of attacks. To address parameter tampering vulnerabilities, we tried to manipulate client-server exchange data such as user credentials and permissions. To assess man-in-the-middle vulnerabilities, we attempted to intercept and alter communications between the client and server. We verified backend immunity using techniques including triggering of unhandled exceptions, SQL injection, and cross-site scripting (XSS).<\/p>\n

Each testing round resulted in a comprehensive report detailing identified vulnerabilities, reproduction scenarios, and recommendations for patching. After our client\u2019s development team fixed the reported security issues, we performed remediation testing to validate the fixes.<\/p>\n

We used the following industry-recognized guidelines and standards\u202fduring\u202fpenetration testing of automotive devices:\u202f<\/b>\u00a0<\/span><\/p>\n