Hologram of futuristic car in workshop.

Automotive Penetration Testing

Security experts examine hardware, software and IT networks in all areas of the connected vehicle

Cyber attacks on behalf of the customer

Anyone who wants to know how well their networked systems are prepared to fend off cyber attacks must put themselves in the position of the potential attacker. And this is especially true for the connected car and its numerous interfaces. For this reason, the security experts from T-Systems use penetration tests to attack components of the connected car on behalf of the customers.

Identify and check technical vulnerabilities

Computer graphics of a car from above

The targets of a hacker attack against a connected vehicle are as varied as the methods that can be used. Compromising systems, stealing confidential information or influencing the availability of services are just a few examples. By putting themselves in the role of the attacker and adopting their ways of thinking as well as their attack procedures, cybersecurity specialists can reliably identify and check technical vulnerabilities in order to derive targeted countermeasures. 

Hardware, software, infrastructure

With penetration tests, the experts from T-Systems check hardware components, interfaces, applications and networks in and around the connected vehicle.

Electronic Control Units (ECUs)

In-depth hardware and software-based tests, such as glitching attacks, attacks on debug interfaces and side channel attacks, PCB manipulation and the bypassing of JTAG locks, attacks on individual ECU functions such as OTA software updates, feature activation or diagnostics, privilege escalation, hardening, service detection, secure activation of payment services, in-car apps/services (e.g. navigation services)

Mobile Apps

Testing for general vulnerabilities, checking the connections to the head unit, ECUs, backend and third-party services, testing car apps with convenience functions such as door openers and climate control (iOS & Android)

Interfaces & Infrastructure

Analysis of radio communication between the head unit and control units, attacks on CAN bus (man-in-the-middle scenarios) and other onboard communication technologies (SOME/IP, BroadR-Reach), network control units (fuzzing of UDS communication), media interfaces (USB, Ethernet, WLAN), multimedia functions (e.g. attacks via manipulated MP3 files), other connections such as mobile communication, NFC, Bluetooth, V2X, SD card

Backend & Web Applications

Automated tests and manual attacks on authentication procedures and the detection of new software vulnerabilities in IT systems, analysis of source code (C, C++, Autosar, Java, iOS, Android), cryptographic concepts and implementations regarding vulnerabilities
 

Automatic and manual test procedures

Chip board from above

The pentesters of T-Systems always follow a two-track approach. Virtually fully automated vulnerability assessments reveal the weak points for attacks on IT systems that are already known. However, if previously unknown - and above all automotive-specific - security gaps are to be identified, manual penetration tests are required. These systematic, flexible tests with realistic attack methods and tools are designed to uncover vulnerabilities before they can be exploited.

We look forward to your project!

We would be happy to provide you with the right experts and to answer your questions about planning, implementation, and operation of security solutions for the connected vehicle. Get in touch!

Procedure during a pentest

The procedure is based on established process models for the execution of penetration tests.

Preparation

  • Define goals, the scope and procedure
  • Define the test environment and test requirements
  • Take legal and organizational aspects into consideration
  • Determine risks and the required emergency measures

Information procurement

  • Define and research the required information
  • Create an overview of systems and applications
  • Identify potential points of attack and known security flaws

Evaluation & Risk Analysis

  • Analyze and evaluate collected information
  • Define test objects and attack targets
  • Select relevant test methods
  • Create the test cases

Active penetration tests

  • Perform active attack attempts on selected systems
  • Verify potential vulnerabilities
  • Select and execute additional test modules

Final analysis

  • Evaluate the results
  • Present risks and define measures
  • Recommend decisions for utilization
  • Create final documentation

Automotive pentesting with T-Systems

Close-up man observes data texts on a transparent screen.

The testing of critical infrastructures is part of a comprehensive IT security strategy. As an ICT service provider, T-Systems has the know-how and the required independence to critically analyze the security status of your systems and applications. We determine the specific scope and type of testing together with you in advance, based on your business objectives and security requirements. As a result of the penetration tests, T-Systems produces a detailed final report that lists and prioritizes all identified security vulnerabilities and contains specific recommendations for eliminating them.

The advantages to you at a glance

Automotive penetration testing from a single source:

Cutting costs

  • Prevent damage before it occurs
  • Efficient, lower cost procedure thanks to specific recommendations for action 

Reliable

  • Experts from all technology areas available
  • Independent, neutral view as an external ICT service provider 

Secure

  • Review of standards and norms
  • Individually adapted intensive checks with penetration tests

Forward-looking

  • Test results as a basis and guideline for future security measures
  • Prepared for current and emerging threats
Do you visit t-systems.com outside of Indonesia? Visit the local website for more information and offers for your country.