Anyone who wants to know how well their networked systems are prepared to fend off cyber attacks must put themselves in the position of the potential attacker. And this is especially true for the connected car and its numerous interfaces. For this reason, the security experts from T-Systems use penetration tests to attack components of the connected car on behalf of the customers.
The targets of a hacker attack against a connected vehicle are as varied as the methods that can be used. Compromising systems, stealing confidential information or influencing the availability of services are just a few examples. By putting themselves in the role of the attacker and adopting their ways of thinking as well as their attack procedures, cybersecurity specialists can reliably identify and check technical vulnerabilities in order to derive targeted countermeasures.
With penetration tests, the experts from T-Systems check hardware components, interfaces, applications and networks in and around the connected vehicle.
In-depth hardware and software-based tests, such as glitching attacks, attacks on debug interfaces and side channel attacks, PCB manipulation and the bypassing of JTAG locks, attacks on individual ECU functions such as OTA software updates, feature activation or diagnostics, privilege escalation, hardening, service detection, secure activation of payment services, in-car apps/services (e.g. navigation services)
Testing for general vulnerabilities, checking the connections to the head unit, ECUs, backend and third-party services, testing car apps with convenience functions such as door openers and climate control (iOS & Android)
Analysis of radio communication between the head unit and control units, attacks on CAN bus (man-in-the-middle scenarios) and other onboard communication technologies (SOME/IP, BroadR-Reach), network control units (fuzzing of UDS communication), media interfaces (USB, Ethernet, WLAN), multimedia functions (e.g. attacks via manipulated MP3 files), other connections such as mobile communication, NFC, Bluetooth, V2X, SD card
Automated tests and manual attacks on authentication procedures and the detection of new software vulnerabilities in IT systems, analysis of source code (C, C++, Autosar, Java, iOS, Android), cryptographic concepts and implementations regarding vulnerabilities
The pentesters of T-Systems always follow a two-track approach. Virtually fully automated vulnerability assessments reveal the weak points for attacks on IT systems that are already known. However, if previously unknown - and above all automotive-specific - security gaps are to be identified, manual penetration tests are required. These systematic, flexible tests with realistic attack methods and tools are designed to uncover vulnerabilities before they can be exploited.
The procedure is based on established process models for the execution of penetration tests.
The testing of critical infrastructures is part of a comprehensive IT security strategy. As an ICT service provider, T-Systems has the know-how and the required independence to critically analyze the security status of your systems and applications. We determine the specific scope and type of testing together with you in advance, based on your business objectives and security requirements. As a result of the penetration tests, T-Systems produces a detailed final report that lists and prioritizes all identified security vulnerabilities and contains specific recommendations for eliminating them.
Automotive penetration testing from a single source: