CONNECTED VEHICLE TESTING
Today’s vehicles are more complex and more connected than ever before. This results in a significantly increased attack surface and, for the typical vehicle, a weaker security posture. Vehicle security is now about more than just physical security and connected vehicle cybersecurity testing is a requirement for every manufacturer.
The impact of automotive vehicle cybersecurity issues can be large and affect personal safety. Criminals are using increasingly sophisticated attacks to steal vehicles, compromise their systems, compromise privacy and safety, and more.
There are a large number of points of ingress for an attacker. Modern vehicles typically have USB connections, connected entertainment systems, advanced navigation capabilities, various wireless systems and more. This presents an opportunity to compromise a connected vehicle both locally and remotely. Further, most manufacturers are now providing mobile applications that interact with the vehicle; both tracking and functional interaction is possible.
Connected vehicles often measure and store telemetry which includes personal data. Mobile applications often have vehicle tracking capabilities. It is highly likely that such data will be in scope for GDPR, thus a connected vehicle security breach could have significant repercussions.
Automotive cybersecurity standards
There are currently no commonly accepted standards for automotive cybersecurity. This is likely to change, though. LRQA Nettitude are closely following ISO 26262. This standard is titled “Road Vehicles – Functional Safety” and applies to the functional safety of electric systems in production automobiles. It is likely that version two of the standard, which is in development, will address the issue of automotive cybersecurity.
Likewise, J3061 by SAE is a standard in development for cyber-physical vehicle systems which LRQA Nettitude consider to be a useful resource. Between these work in progress standards and LRQA Nettitude’s own experience, it is possible to provide leading connected vehicle assurance services.
Connected vehicle cybersecurity services
LRQA Nettitude have a wealth of experience assessing the security posture of a connected vehicle. Specifically, we will focus on:
- Design flaws
- Specification flaws
- Implementation flaws
The approach will vary depending on the requirement, but we recommend including all components of the connected vehicle system, assessing:
- Dynamic analysis, including fuzzing and manual probes
- Static analysis, including code review and coding standard review
- Unit testing, hardware testing, integration testing
- Using a white box approach where maximum information sharing occurs