Automotive Security Assessment
Due to the rapidly increasing interconnection and digitalization of the automotive environment, the potential attack surface of current and future vehicles is growing continuously. As early as 2015, security researchers demonstrated the so-called Jeep hack of the Jeep Cherokee, which showed the serious consequences vulnerabilities in the vehicle environment can have. In vehicles in particular, IT security risks often pose a direct threat to the health or safety of people because of the physical context. Access to personal data (e.g. current position and driving behavior) or the unlocking of paid features are further conceivable attack scenarios. IT security analyses of vehicles and their integrated control units are therefore an indispensable step in avoiding attacks with high damage potential.
As part of an Automotive Security Assessment, we analyze individual electronic control units or even entire vehicles regarding these attack vectors.
Objective
Identification of weaknesses in electronic control units (ECU) and risk assessment for specific threat scenarios
Question
How secure is the vehicle or electronic control unit (ECU), and what could external attackers or malicious users and employees achieve in the worst case?
Scope
Vehicles and ECUs including their hardware and interfaces
Procedure
In an Automotive Security Assessment, both the hardware and the software of electronic control units are examined and analyzed for existing vulnerabilities. The auditor takes the perspective of an external attacker as well as that of a privileged user. Examples of attacks range from dumping flash memory and man-in-the-middle attacks to compromising systems by exploiting vulnerabilities in exposed interfaces (e.g. CAN, Ethernet, Bluetooth or USB).
In general, the assessment is based on an examination that is as comprehensive as possible. Depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a penetration test). In this case, the focus is on particularly security-critical or exposed areas, and the depth of testing is determined by the time budget agreed in advance.
Components
Automotive Security Assessments usually include the following points:
- operating system and firmware analysis (e.g. hardening measures, running services, AUTOSAR configuration or hex file analysis)
- analysis of update processes (e.g. signature validation and authentication)
- diagnostic access checks (e.g. certificate-based authentication or XCP access)
- analysis of special security measures (e.g. Secure Boot or HSM integration)
- analysis of hardware components (e.g. flash memory dumping or access via debug interfaces)
- analysis of ECU-internal communication (e.g. data transfer between different chips or processors)
- analysis of vehicle-internal communication (e.g. via CAN, FlexRay, Ethernet or LIN)
- analysis of communication with external components and backend services (e.g. via Bluetooth, NFC, wireless LAN or cellular radio)
- application-level checks (e.g. handling of user input or backup functions of head units)
- documentation including risk assessment and description of measures
If required, the assessment can be extended with a source code analysis and a concept analysis. The latter also covers security aspects of suppliers' production processes, e.g. key management and the integration of keys during production.
Result
As a result of the assessment we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
- Detailed description of the step-by-step exploitation process where vulnerabilities are chained
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- Where appropriate, a description of higher-level strategy, concept and process-related measures or suggestions for optimization