Penetration Testing of Connected Car Apps

Our client came with the challenge 

Since Henry Ford’s introduction of assembly line manufacturing for the Model T, the automotive industry has seen only a few genuinely groundbreaking technologies. The IoT-powered connected car can definitely be regarded as one of these few. 

As an innovative company, our client has introduced a number of extended IoT connectivity features into their entire range of passenger cars. But as with all things linked to the web, connected cars tend to be inherently hackable. That’s way our client searched for a reliable security partner to ensure driver safety and privacy. With years of diverse experience in the automotive domain, BitsByteSoft was a good fit. Our client requested a series of security assessments and car penetration tests on their connected cars and the underlying ecosystem.

BitsByteSoft developed the solution 

We kicked off this partnership with a series of requirements management workshops that involved our client’s product teams and our own team, which was composed of a security architect and two car penetration testing engineers. These workshops yielded valuable input for threat modelling. We managed to identify a range of potential threat agents, vulnerabilities, at-risk information assets, and impacts of exploitation. Our testing gear included an actual car that we communicated with remotely.

We mostly performed manual tests, as little could be automated with off-the-shelf solutions. We used automated testing for basic coverage, however, including to test insecure storage of sensitive data and leaks of personally identifiable information (PII). Manual testing covered the whole attack surface and included network analysis, web and mobile penetration testing, code analysis, and reverse engineering.

We mimicked client-side attacks against smartphone apps (iOS and Android) and smartwatch apps (watchOS, Android Wear, and Tizen) to enable remote vehicle access, perform infotainment operations, and breach emergency services. In particular, our team set up dedicated infrastructure that allowed us to sniff Bluetooth traffic to ensure the security of smartwatch-smartphone communications.

To perform automotive security penetration testing, our team simulated two types of attacks. To address parameter tampering vulnerabilities, we tried to manipulate client-server exchange data such as user credentials and permissions. To assess man-in-the-middle vulnerabilities, we attempted to intercept and alter communications between the client and server. We verified backend immunity using techniques including triggering of unhandled exceptions, SQL injection, and cross-site scripting (XSS).

Each testing round resulted in a comprehensive report detailing identified vulnerabilities, reproduction scenarios, and recommendations for patching. After our client’s development team fixed the reported security issues, we performed remediation testing to validate the fixes.

We used the following industry-recognized guidelines and standards during penetration testing of automotive devices:  

• OWASP Top 10 
• OWASP Testing Guide v4 
• OWASP Mobile Security Project 
• OWASP Top 10 Mobile Risks 

We achieved great results together 

Since 2014, we have gone through three rounds of car penetration testing, each triggered by new releases of connected car applications. The findings of these security tests have helped our client strengthen their connected car solutions in terms of safety, security, and privacy.

We helped our client 

• Identify critical safety issues such as two-factor authentication bypasses and Bluetooth vulnerabilities that exposed cars to remote attacks  
• Detect a number of medium security weaknesses, including PII leakage in the customer portal and insecure storage of credentials 
• Acquire complete protection for their connected car ecosystem 
• Get a permanent security partner to contribute to the OEM development process 
• Offer more fun and innovation to their customers while keeping them safe