What is an Automotive Security Assessment?
Due to rapidly increasing interconnection and digitalization in the automotive environment, the potential attack surface for current and future vehicles is also growing continuously. As early as 2015, security researchers demonstrated the so called Jeep-Hack of the Jeep Cherokee, which showed the serious consequences of vulnerabilities in the vehicle environment. Especially in vehicles, IT security risks often pose a direct threat to the health or safety of people due to the physical context. But also access to personal data (e.g. current position and driving behavior) or unlocking of paid services are conceivable attack scenarios.
To address these security risks, the ISO/SAE 21434 standard, which was adopted in August 2021, defines various measures for developing secure vehicles. This includes checking for vulnerabilities through appropriate security assessments as a key measure to prevent attacks with a high damage potential. The standard is also an important building block for type approval in accordance with UNECE Regulation R 155, which requires vehicle manufacturers to be certified with regard to a cyber security management system.
Since 2022, the UNECE R 155 regulation has set explicit requirements for the security of vehicles, which are mandatory for new type approvals. To meet these security requirements for homologation, manufacturers and suppliers can follow the recommendations of the ISO/SAE 21434 standard, which covers all phases of a vehicle’s life cycle and also requires security assessments to be carried out, among other things.
As part of an automotive security assessment, we analyze individual control units or even entire vehicles with regard to relevant attack scenarios, taking into account the respective regulatory requirements.
Objective
Identification of weaknesses in electronic control units (ECU) and risk assessment for specific threat scenarios
Question
How secure is the vehicle or electronic control unit (ECU) and what could external attackers or malicious users and employees achieve in the worst case?
Scope
Vehicles and ECUs including their hardware and interfaces
Automotive Security Assessment Process: Methodology & Approach
In an Automotive Security Assessment, both, hardware and software of electronic control units are examined and analyzed for existing vulnerabilities. The auditor takes the perspective of an external attacker as well as of privileged users. Examples of attacks range from dumping flash memory, over man-in-the-middle attacks to infiltrating systems by exploiting vulnerabilities in exposed interfaces (e.g. CAN, Ethernet, Bluetooth or USB).
In general, the assessment is based on the approach of an examination that is as comprehensive as possible. However, depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a penetration test ). In this case, the focus is on particularly security-critical or endangered areas, whereby the scope of the test is determined by the time budget agreed upon in advance.
Core Components of SCHUTZWERK Automotive Security Assessment
Automotive Security Assessments usually include the following points:
- analysis of operating system and firmware checks (e.g. hardening measures, running services, AUTOSAR configuration or hex file analysis)
- analysis of update processes (e.g. signature validation and authentication)
- diagnostic access checks (e.g. certificate-based authentication or XCP access)
- analysis of special security measures (e.g. Secure Boot or HSM integration)
- analysis of hardware components (e.g. flash memory dumping or access via debug interfaces)
- analysis of ECU-internal communication (e.g. data transfer between different chips or processors)
- analysis of vehicle-internal communication (e.g. via CAN, FlexRay, Ethernet or LIN)
- analysis of communication with external components and backend services (e.g. via Bluetooth, NFC, wireless LAN or cellular radio)
- application-level checks (e.g. user input or backup capabilities of head units)
- Documentation including risk assessment and description of measures.
If required, the assessment can be extended with a source code analysis and concept analysis. This also takes into account security aspects of suppliers' production processes, e.g. key management and integration during production.
Assessment Results: Risk Evaluation & Security Measures
As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
- Detailed description of the iterative exploitation process when using chained vulnerabilities
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.
Blog & News Archive
Blogposts about: automotive security