Strategies for the Future of Automotive Penetration Testing

June 07, 2023

Blog

As security requirements and legislation for auto manufacturers continue to increase, so does the demand for penetration testing, or "pentesting." Pentesting is becoming a requirement for all new Electronic Control Units (ECUs) that need to be cyber-secure, but the rising cost of pentesting is a major concern. This is due to the growing number of devices that must be tested, the limited number of available penetration testers with the appropriate skills, and the lack of automated tools.

Remote pentesting and automation tools are a game-changer for automotive security because it results in shorter times to complete pentests and lower costs.

The traditional approach requires pentesters to have physical access to the ECUs being tested. This can be time-consuming and expensive. Remote pentesting eliminates these challenges by allowing pentesters to test ECUs from anywhere in the world and, when combined with automation, provides several other advantages. These benefits include:

• Eliminating the need to ship ECUs or for pentesters to travel
• Sharing a single ECU between multiple pentesters
• Around the clock testing with pentesters in different time zones
• Fewer ECUs needed for testing
• Automation of repeatable tests (e.g. fuzzing, scanning)
• Shift left! Run tests earlier in the development cycle including CI/CD regression testing
• Validation and verification of security features
• Real-time reporting of results
• New automated ways of reporting vulnerabilities to management systems
• Aligns with ISO SAE 21434 specified testing requirements
• Integration of pentesting with incident response for vulnerability validation

Remote pentesting allows skilled researchers to contribute from anywhere in the world, without being limited by time zones or distance. This helps to bridge the cybersecurity skills gap caused by a limited number of pentesters in a particular area. 

Innovative solutions, such as BG Networks' collaborative and remote pentesting platform, offer a new approach to address the challenges of automotive pentesting. This platform combines a software-managed remote bench with a collaborative testing framework, automation to re-run tests, and logging of results.

By using a remote bench, pentesters can collaboratively test multiple ECUs simultaneously, without the need for physical access. The flexibility of remote access means that testing can take place at any time of the day, providing maximum convenience for both testers and developers. Live reporting of testing results allows engineers to quickly reproduce any findings and address them more quickly.

Requirements for Penetration Testing of Automotive ECUs

The automotive industry has increasingly focused on cybersecurity in recent years. This focus has led to the staffing of expert product security teams and the development of significant cybersecurity capabilities. Regulation has been a driver behind this development. When it comes to critical infrastructure, regulation is needed to ensure that the right level of cybersecurity is included to provide resilience against Advanced Persistent Threat (APT) groups and adversarial nation states.

The key regulations and security standards that have been the driver for cybersecurity in automotive systems are:

• UNECE Regulations UN R155 & UN R156 for Vehicle Cybersecurity
• ISO/SAE 21434 Road Vehicle Cybersecurity Standard, which is the reference implementation for R155 compliance

These regulations require companies to implement a full Cybersecurity Management System (CSMS). This includes development of security from initial stages of design, implementation of cybersecurity features to protect devices from cyberattacks, testing to validate and verify security has been implemented correctly, monitoring for newly exposed vulnerabilities, and an incident response team to quickly remediate any attacks that are detected.

At a high level, a secure development process requires the following steps:  

• Performing security threat assessment/risk analysis (TARA) to identify potential vulnerabilities and to guide the implementation of security features.  A TARA identifies the right amount of security for the given system considering potential threats and risks including financial, data, operational and safety impacts. 
• Implementing cybersecurity features such as secure boot, authenticated communication, secure key storage, secure software update mechanisms, and device security monitoring.
• Managing supply chain security to ensure vulnerabilities are not introduced when open-source software or commercial third-party solutions are utilized in developing a product.
• Penetration testing to uncover security vulnerabilities.

Without penetration testing, it is impossible to know if a device is truly secure. No one would consider releasing an automotive ECU without extensive testing of core features for functionality and safety. Penetration testing provides analogous testing for security features of an ECU.

Furthermore, ISO/SAE 21434 specifies testing for "unidentified weaknesses,” and cites penetration testing as a method for doing this. Given that all new vehicles in the EU need to be R155 certified by July 2024, there is an increasing need for pentesting.

Pentesting of Automotive ECUs

Penetration testing is performed by personnel who have not been involved in the design of the product and that have a unique skill set. Pentesters essentially act as hackers and use the same techniques to identify cybersecurity vulnerabilities and potential attacks. This is a critical step in ensuring that security has been implemented correctly and there are no open security gaps. It is very easy to make a mistake that leads to a significant vulnerability such as:

• Not setting the secure boot mode bit in an embedded processor
• Forgetting to remove engineering test code from the production code release
• Using keys that were meant to be temporary and are not secure
• Forgetting to close all unused network ports
• Using default or easy to guess passwords
• Allowing root privilege in a shell
• Not locking JTAG
• Software buffer overflows

These are all common security mistakes that pentesting can uncover.  A simple security mistake, such as these, can turn into a serious safety and operational problem.

Pentesters simulate real-world attacks and attempt to exploit vulnerabilities in the device’s firmware, software, and hardware. The goal is to identify weaknesses that could be exploited by hackers to gain unauthorized access to the ECU or its data, use it as a pivot point to attack other ECUs in the vehicle, or most seriously, compromise the integrity of an ECUs that controls a physical actuator (steering, breaking, acceleration, ADAS, etc.).

Pentesting for automotive ECUs typically involves the following steps:

1. Reconnaissance: Gathering information about the device, such as its firmware version, supported interfaces, and software configuration.
2. Identification of vulnerabilities: using hacking tools and clever tricks of the trade to identify vulnerabilities and weaknesses. This can take many forms:
   1. Privilege escalation: Attempting to gain administrative access to the device or its data.
   2. Running tests/attacks against known protocols and interfaces using hacking tools.  
   3. Scanning vulnerability databases for known vulnerabilities in the software components running on the ECU
   4. Reverse engineering the code running on the ECU to search for weaknesses and vulnerabilities.
3. Exploitation: Attempting to exploit vulnerabilities found during the identification phase. This includes chaining vulnerabilities that could lead to very significant exploits.
4. Post-exploitation persistence: Attempting to maintain access to the device, exfiltrate data from the device, or use it as a pivot point to attack other ECUs in the vehicle.
5. Reporting: Documenting the vulnerabilities found and providing recommendations for remediation.

Once vulnerabilities have been identified, these weaknesses can be remediated to eliminate the potential for adversarial exploitation to occur in the wild.

Pentesting Challenges

Pentesting for ECUs requires specialized knowledge and skills, including knowledge of ECU device architecture, firmware analysis, reverse engineering, software development, hardware, network and automotive protocols.  It is typically performed by experienced security professionals with specialized training in software, IoT, embedded systems, and automotive security.

Pentesting for ECUs presents several unique challenges, which can lead to high costs and long schedules, including:

1. Heterogeneity of ECU architectures: ECUs are built on a wide range of hardware and software platforms/operating systems, and utilize a variety of communication protocols and buses, some of which are unique to automotive ECUs. This makes it challenging to develop standardized testing methodologies that can be applied across all devices.
2. A large attack surface with many types of interfaces: Knowledge of a wide array of interfaces and associated software stacks is needed to test for weaknesses. Interfaces include Ethernet, CAN, USB, JTAG, LIN, cellular, Wi-Fi, Bluetooth, SD Card, V2X, and EV charging interfaces.
3. Heterogeneity of ECU suppliers: Every vehicle has many ECUs, and ECUs within a given vehicle are often developed by numerous tier 1 suppliers. As a result, multiple software stacks for the same interface are often independently developed. Each implementation needs to be tested as it may have unique security vulnerabilities.
4. Limited processing power and memory: Many ECUs have limited processing power and memory, which can make it challenging to run vulnerability scanning tools or requires more time to craft tests.
5. Components of a larger system: Automotive ECUs are designed to work as components of the overall vehicle. It is necessary to test these ECUs in isolation, but that is not sufficient. Penetration testing must also consider how these devices will be used in the vehicle and what attacks are possible at a system level. For example, what attacks are possible against ECUs connected to a common CAN bus if the infotainment ECU is hacked? This requires additional knowledge of how the overall system operates and what are the most significant cyber-risks at the vehicle level. Challenges are also presented in setting up and running a single ECU that is designed to operate in a large system (e.g., creating needed cable harnesses, providing power, providing the correct message sequences to have the ECU respond, etc.). 

Overcoming these challenges requires specialized skills and expertise in automotive ECU security testing, as well as a thorough understanding of the unique characteristics of automotive systems. Pentesters must be able to work with a wide range of tools and techniques to identify vulnerabilities and provide recommendations for remediation.

Attack Types

Automotive ECUs are subject to a variety of attack types.  Attacks may originate on remote networks over a cellular interface. They may also originate from local networks, such as an automotive dealers’ network that is used to update and diagnose vehicles in an auto-shop. Other attacks require a local presence, such as attacks over a Bluetooth interface or physically gaining access to a CAN bus (e.g., removal of a headlight) to steal a vehicle. 

Hackers can also compromise a local host, such as an infotainment or telematics ECU and then pivot and use the compromised ECU to find weakness in other ECUs or the automotive OEM’s cloud system. For example, certificates that allow cloud access to millions of vehicles have been found, without adequate cyber-security, in telematics units. Older remote keyless entry protocols have been shown to be insecure against man in the middle attacks.  Finally, hackers can perform physical attacks by connecting directly to an ECU bus or memory and performing fault injection attacks or reading data directly from the device.

Multiple attack types must be considered when pentesting Automotive ECUs

Pentesters must consider each attack type when assessing the security of automotive ECUs. 

The Future of Pentesting

To enable pentesting at scale, better tools are required. BG Networks’ remote pentesting platform is designed to address these challenges. This platform includes a remote workbench, supporting remote desktop access via VPN enabling pentesters to access an ECU as if it were in their local lab. The solution supports:

• Access to ECUs by local and remote pentesters
• Automation of scanning and fuzzing tests
• Remote access to debugger interfaces and buses (LIN, CAN & Ethernet) on the ECU
• Remote control of power to the ECU
• Spectator mode for training and demonstration of discovered vulnerabilities
• Logging of all activity during testing

The solution also provides a testing framework that enables collaboration among pentesters, security engineers, and ECU hardware & firmware engineers. 

The BG Networks workbench enables pentesting of ECUs by local and remote teams.

The workbench is designed specifically for ECU pentesting and provides multiple automotive interfaces that can be utilized by pentesters. These include LIN, CAN, and Ethernet. It also supports standard debug interfaces, such as JTAG.  This allows pentesters to execute tests and monitor interfaces, just as they would if they had physical access to the ECU.

The platform also allows tests to be scripted for repeatability.  Once a test is developed, it can be added to a set of regression tests that are run each time a new version of the ECU hardware, firmware, or software is released. As more tests are developed, testing moves from custom testing of the new capabilities to an automated process in which known tests are automatically run. 

Summary

The automotive industry is adapting to new legislation and industry standards requiring manufacturers to be proactive in adding security to their devices. Penetration testing is now a must-have for automotive ECUs, but current pentesting processes don’t scale to meet the growing needs of the industry.

Automated tools for pentesting are needed. Of particular importance are tools to allow remote penetration testing, and to automate execution of existing tests. A remote workbench to allow testing without physical access to an ECU combined with automation tools will dramatically increase productivity, increase collaboration, and enable repeatable testing. 

---

Dr. Roman Lysecky is Co-founder and CTO of BG Networks and Professor Emeritus of Electrical and Computer Engineering at the University of Arizona. He is an expert on embedded systems, IoT security, medical device security, automated threat detection and mitigation, performance and energy optimization, and non-intrusive observation methods.