As complexity increases in the connected car ecosystem, comprised of hardware, software, communications and back-end infrastructure, concerns about security vulnerabilities are growing.
Planning to offer its customers an aftermarket connected car “plug-in” solution, the manufacturer engaged IBM® X-Force® Red to conduct end-to-end penetration testing. The investment paid off when the X-Force Red team of veteran hackers uncovered extensive vulnerabilities — and provided a framework that helped the manufacturer improve the security of the solution.
Identifiedvulnerabilities that were only revealed by integrated end-to-end testing
Improvedthe security of the connected car ecosystem before going to market
Avoidedbrand damage, loss of customer trust and potential financial losses
Business challenge story
The connected car ecosystem and security risks
For a global automotive manufacturer, it seemed like a great idea. Offer customers a customized aftermarket “black box” plug-in that would transform their cars into connected cars. Using a mobile app, customers could enjoy benefits such as locating their car in a parking lot by retrieving its GPS coordinates, or finding out via telematics data where the vehicle had been driven and how fast it was going.
The car manufacturer contracted with a device manufacturer to develop the solution, which consisted of three parts: the device that gets installed in the car; cloud-based applications for data collection and communications; and a mobile app that the customer uses to access data or communicate with the car.
With these new capabilities, the car could collect volumes of data about the customer, some of which is sensitive. Because it was aware of the potential vulnerabilities and security risks that are associated with connected cars, the car manufacturer engaged X-Force Red to perform penetration testing.
From paper to penetration testing — unveiling the vulnerabilities
The first part of the testing exercise took place on paper. The X-Force Red team, comprised of industry-leading veteran hackers, created a threat model to get a “big picture” view of the solution’s vulnerability level. The team then manually tested the individual parts of the solution, including reverse engineering the in-car device. When testing, X-Force Red’s hackers used the same tools and methodologies criminal attackers would use if they tried to compromise the plug-in solution.
The manufacturer’s initial concern was that a criminal attacker could read the data that was collected by the in-car device and transmit it to the back-end infrastructure in the cloud. The testing uncovered security vulnerabilities in the communication between the device and the cloud — so the concern was justified. The X-Force Red team devised a way to redirect communications to its own GSM (Global System for Mobile communication) access point, capture and tamper with the data.
But what the team found in “cracking” the hardware and firmware was far more concerning. The testing revealed that the in-car device didn’t have any controls preventing it from interfering with the car’s operation, and an attacker that could tamper with the device could exploit vulnerabilities to, in theory, activate the brakes while the car was being driven or, in another scenario, lock the windows and turn on the heating system.
“We could even interfere with the firmware of the in-car device and make it work for us. And we could exploit available ports that were not in use,” said an X-Force Red consultant on the team. “We were able to find vulnerabilities in every component of the solution, including the mobile app and the cloud service as well as the hardware.”
By bringing the findings of the penetration test back into the initial threat model, the X-Force Red team and manufacturer could understand the security weaknesses and threat level. From there, the team developed a framework intended to help the manufacturer resolve the issues that were identified. It also developed a methodology that could be used during hardware development to avoid some of the problems that were found.
Going to market with a connected car solution
Applying the framework developed by X-Force Red, the car manufacturer was able to improve the security of its aftermarket connected car solution. It also chose to limit the scope of the offering to lower-risk capabilities such as finding the car in the parking lot — and excluding the ability to control the door locks or other operations. The manufacturer was then in a position to introduce the secure, connected car solution to the market.
By testing the whole solution ecosystem, the manufacturer identified vulnerabilities that resulted from the interaction between several components, which may not have been identified if the components were tested individually. The investment in X-Force Red penetration testing services helped the manufacturer avoid brand damage, loss in customer trust and financial losses that may have occurred had the solution not been tested before going to market.
Global automotive manufacturer
This company manufacturers cars that are distributed and sold around the world.
Take the Next Step
To learn more about X-Force Red automotive testing services, visit: https://www.ibm.com/security/services/automotive-testing
Follow the "X-Force Red in action”podcast series to hear how X-Force Red is protecting clients.