About the client
Our client is a German auto manufacturer with annual sales totaling millions of cars across five continents. Managing multiple brands, the company produces a wide range of internal combustion engine and electric vehicles from motorcycles, family sedans, and SUVs to high-end sports cars, work vans, and light- and heavy-duty commercial vehicles. Our client has been a longtime member of the Fortune Global 500 list and has been steadily improving their ranking year over year.
Our client came with the challenge
Modern cars are packed with high-tech gadgetry; they’re really interconnected information systems on wheels. Engine controls, onboard diagnostics, active safety systems, infotainment systems – the average car nowadays has more computational capacity than the guidance system of the Apollo spacecraft. And with this complexity comes increased susceptibility to hacks and privacy breaches.
With this in mind, our client wanted to perform a cybersecurity assessment of the infotainment system installed in their family car range. The objective was to determine overall susceptibility to intrusions into safety-critical car subsystems through insecure in-car data transmissions.
Intellias developed the solution
Given the high profile of the client and the project, we formed a team of experienced security experts and test engineers who each hold Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP) certifications. Our team’s primary task was to analyze requirements and build a strong testing strategy. The actual testing involved simulated attacks on a real car at our client’s car testing site.
Our team spent about one month on-site in Germany performing a series of tests. These tests focused on assessing the safety and security of certain parts of the in-car infotainment system. We paid particular attention to certain head unit services that operate wirelessly through proprietary mobile applications. As part of our testing, we attempted to break into the car’s inner systems by intercepting and meddling with the traffic flow between a smartphone and the head unit.
Our engineers also applied reverse engineering techniques to parts of the head unit software. This allowed us to check how internal head unit services worked and to build better security tests.
Intellias performed the following security tests on a real car:
- Attacks on critical car subsystems, including brakes and steering, via the head unit
- Investigation of the CAN bus and ways to attack it
- Analysis of in-car TCP/IP and Ethernet
- TCP-over-USB and remote attacks on services available in the same network segment
- Detection of insecure in-car data transmissions
- DoS attacks on the infotainment system
- Interface tests involving attacks on MirrorLink, Android Auto, and Apple CarPlay
- Various XML attacks on internal car services
We have achieved great results together
Our collaboration resulted in a comprehensive report illustrating identified vulnerabilities along with detailed proofs and descriptions of how to reproduce the attacks. For future reference during development, we provided our client with recommendations on how to enhance the security of head unit software and mobile apps for smartphone-car interactions.
Our findings helped our client
- Fix several medium to critical security issues, including one that posed a potential safety threat
- Re-engineer vulnerable parts of head unit software
- Protect their cars from DoS attacks
- Close potential security gaps that could be exploited for disguised discrediting attacks by dishonest competitors
- Build more secure architectures for future vehicle-related software products