PenTest: Automotive Security

Dear PenTest Readers,

In the current edition we dive into the fascinating realm of automotive security. The vehicle industry has undergone rapid development of technology over the recent years. That’s why it is so important to look into current security discussions and the biggest challenges mentioned by experts. Our contributors prepared great reads that contain both technical and managerial perspectives. This issue will undoubtedly help you understand more about this growing branch of cybersecurity.

Dr. Dennis Kengo Oka opens the edition with a really interesting article on detecting seemingly undetectable vulnerabilities in automotive environments with a fuzzing. Samantha Isabelle Beaumont presents you with a brilliant write-up that covers attacks on Remote Keyless Systems (RKS) by using Software Defined Radio, in the case of Rolljam. Kurt Gollinger provides a managerial outlook and industry risks and challenges for the business of autonomous vehicles. 

Next, you’ll read an interesting technical interview with Danila Parnishchev of PCAutomotive, where the interlocutor explains a lot of technical details, about which every pentester who’s not into the field might have questions.

John McShane also refers to fuzzing techniques in his article, underscoring the AI as the missing link for better tests. Aatif Khan provides you with a thorough overview when exploring security risks of autonomous vehicles in his write-up with a nice GNSS spoofing attack scenario. Deepan Dhingra describes 5 cyber attacks that were particularly spectacular in the industry in recent years, also making the readers familiar with the concept of Vehicle Security Operation Center (VSOC). 

As usual, there are also articles on other interesting cybersecurity topics.

Without further ado, 

Enjoy the content!

PenTest Magazine’s Editorial Team.

---

Table of Contents

---

Detecting “Undetectable” Vulnerabilities When Fuzz Testing Advanced Automotive Systems

by Dr. Dennis Kengo Oka

One common challenge with fuzz testing of advanced automotive systems, such as infotainment systems, connectivity units, and digital cockpits, is to be able to properly monitor the target system for exceptions, which can then be further analyzed to identify vulnerabilities. Often in-band instrumentation is used to monitor the target system, i.e., the same protocol being fuzzed is used for instrumentation. For example, using valid-case instrumentation, where a correct valid message is sent to the target system after a fuzzed message and the corresponding response is observed, it is possible to determine whether the target system is behaving correctly or not. However, this limited in-band instrumentation can lead to several exceptions being missed, such as memory leaks, zombie processes or core dumps.

---

Basics of Using SDR Against Keyless Entry Systems

by Samantha Isabelle Beaumont

Remote Keyless Systems (RKS) are an examples of such a newer, and more critical addition to the modern car. Consumers by design are able to change the state of their locked doors remotely, without resorting to any mechanical or physical mechanism, via the click of a button on a car key fob, or even by proximity to the car itself via RFID. RKS typically implements a request-response protocol between the fob and the car’s radio transceiver with minimal security protection. It is important to recognise that there are several keyless entry attacks that can be utilised against RKS - Signal Amplification Relay Attacks (SARA), Keyless Jamming and Rolljam - to name a few. For the purpose of this publication, we will be discussing the Rolljam attack.

---

Cybersecurity and the Automotive Industry: A Management Perspective [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]

by Kurt Gollinger

Like any connected device, EV chargers face a variety of cyber threats. Attackers can target EV charging system hardware and software, apps for locating and paying for charging station services, and wireless communication links. Charging stations can be a conduit for DDoS attacks, ransomware, and data theft. Several vulnerabilities have already been identified in commercially available Extreme Fast Charging (XFC) systems that — if compromised — could inflict severe damage to power delivery systems and even threaten the power grid itself. 

---

“White box engagement is not easy to implement for the whole vehicle.”

an interview with Danila Parnishchev of PCAutomotive

Binary emulation is a powerful technique that allows to run firmware of an ECU in a virtual controlled environment, making it possible to instrument and fuzz software pieces that parse files, network packets, and other data that can be externally controlled. The drawback, however, is that there is no universal solution to emulate any CPU architecture and any hardware platform. Consequently, emulation usually requires a significant amount of time to set up the environment. Still the result – good coverage of binary bugs that are easy to miss during manual source or binary code review – is usually worth the price.

---

Fuzz Testing Using Artificial Intelligence

by John McShane

There is a solution to address the challenges with test coverage, protocol implementation and limited functions – artificial intelligence (AI). Using AI as part of CAN bus fuzz testing incorporates automation into major aspects of the process – designing test cases, smart mutations of test cases, deriving the root cause of issues identified – which helps improve the quality of the results and reduce overall run time.

---

Car Hacking: Exploring Security Risks of Autonomous Vehicles

by Aatif Khan

To initiate the GNSS spoofing attack, hackers need to be physically near the autonomous vehicle. Once the Hacker is at the nearest position, she will turn on the spoofing device that will send GNSS signals to an autonomous vehicle. GNSS signal receivers present at the autonomous vehicle will receive the fake signals from the hacker’s spoofing device. There are a number of vulnerabilities present in the current GNSS system that allow a hacker to exploit it and establish communication with the autonomous vehicle.

---

5 Cyberattacks on Vehicles

by Deepan Dhingra

Modern vehicles are not just vehicles; they are connected vehicles. With the involvement of hundreds of Electronic Control Units (ECU) and million lines of code, vehicles can capture and share information of not only its infrastructure and the driver’s information, but the vehicles around them, their surroundings, and other personal information. These ECU devices are vulnerable to a variety of cyberattacks. In this article, I am going to talk about five cyber-attacks on vehicles and, at the end, will recommend some solutions that could help secure the next generation of vehicles from cyber-attacks.

---

How Automated Pentesting Will Replace Humans

by Alton Johnson 

The cyber security threat landscape is constantly changing on a minute-by-minute basis, and because of that, companies simply cannot keep up fighting off new threat variants. Even if a manual pentest were to be done, there will be newer attack vectors that come out, even as the pentesting exercise is being conducted. This defeats the purpose of performing a pentest in the first place.

---

Think Before You Click

by Nikhil Santosh Mahadeshwar and Kirankumar Ramarao Subuddi

People tend to think if the domain name is the same then it is relatively safe to access the URL but nowadays the attackers are smart and use advanced techniques like IDN Homograph attack. The internationalized domain name (IDN) homograph attack is used to form domain names that visually resemble legitimate domain names using a different set of characters. For example, the IDN “xn--micrsft-djgb.com” which appears in Unicode as “microsoft.com” visually resembles the legitimate domain name “microsoft.com”. Attackers often apply IDN homograph attacks to form domain names that are used for malicious purposes, such as malware distribution or phishing, while appearing trustworthy to victims.

---

Best Practices for Mobile Device Security

by Hariharann R

Security is always an interesting battle between defenders and hackers. Due to the increase in mobile technology, securing the mobile device keeps on changing day to day. Hence we should take necessary and required actions periodically to keep the hackers away from our mobile devices, computing devices and much more. The outcome of this article is a holistic picture that shows why hackers are very much interested in exploiting the mobile device and best security practices to overcome it.