It wasn’t so long ago that securing an automobile meant rolling up the windows and locking all the doors. Fast forward a few decades, and today’s vehicles have joined the Internet of Things, becoming technological wonders on wheels with impressive connectivity built into almost every aspect of their designs. In fact, industry researchers predict that by 2024, there will be more than 400 million connected vehicles around the world.
Software + Connectivity = A Hotbed for Cybercrime
While backup cameras, in-dash navigation, entertainment systems, diagnostic tools, and much more have made maintenance easier and travel safer, these advances aren’t without pitfalls. Specifically, the hundreds of connected electronic control units (ECUs) that comprise modern vehicles are all driven by their own software. This means connected vehicles are prone to all the security vulnerabilities that plague organizations in every other industry as they try to secure sensitive data from sophisticated—and relentless—threat actors.
Automotive cybersecurity defined: The National Highway Traffic Safety Administration defines road vehicle cybersecurity as the protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation.
Built with advanced software and always-on connectivity, vehicles of all makes and models are a real target for attackers because they are teeming with the kinds of valuable, sensitive data that can fetch major bounties on the black market. This includes identifying details about drivers and their habits as well as the potential to take complete control of a car or truck from a remote location (lest we forget the infamous 2015 Jeep hacking incident). The rigorous testing and protection of software code now directly impacts driver safety just as much as antilock brakes and seatbelts.
Vast Automotive Supply Chains Introduce Cybersecurity Complexity
The automotive supply chain is often considered a thing of beauty, with just-in-time production, robotic precision, and streamlined sourcing that have yielded impressive gains in product quality, reliability, and availability (current pandemic-related issues notwithstanding). But what does it mean now that many of the 20,000 to 30,000 components that comprise a single vehicle have software controlling their function? How do automakers verify that the applications each OEM has developed are being thoroughly tested to root out vulnerabilities and mitigate the risk of cyberattack in the final product? How can supply chain attacks be prevented when so many parts by so many different vendors are involved?
Proactive identification and remediation of security weaknesses is the name of the game. The fact is, because so many different suppliers manufacture automotive parts, there is an increased risk of cyberattack. All software must be rigorously tested and audited to ensure botched code, inadvertent misconfiguration, holes, and other potentially devastating errors are found and rectified swiftly.
Understanding the Newest Standards and How to Meet Them
Industry regulators are meeting the rise in cybercrime by strengthening mandates related to the way automotive components are produced and tested. Fast-changing cybersecurity threats require regulations and best practices to evolve quickly to keep pace. Identifying and correcting security vulnerabilities in connected systems is critical in this next phase of the evolution of connected cars, particularly as autonomous vehicles are knocking at the door. Fortunately, standards are keeping up with the times.
On Aug. 31, 2021, the International Organization for Standardization (ISO) and Society of Automotive Engineers (SAE) International jointly published ISO/SAE 21434. As an extension of 2016’s SAE J3061, the new mandate extends the initial requirements to incorporate cybersecurity into automotive systems throughout a vehicle’s lifecycle. Specifically, it focuses on protecting electrical and electronic (E/E) systems with state-of-the-art technology capable of responding to changing threats. Engineers must also address design and development risks with structured processes according to Security by Design principles.
Finding Flaws and Vulnerabilities with Testing: DAST and SAST
Meeting these regulations requires manufacturers to leverage two essential component testing methods—SAST and DAST—which dig deep into systems in search of vulnerabilities and misconfiguration.
SAST (static application security testing) is considered white box testing and requires access to software source code. This is a deep dive into an application’s underlying framework to spot vulnerabilities and misconfiguration errors. It’s testing from the inside out and is typically done early in the development process.
DAST (dynamic application security testing) is considered black box testing from the outside in. This doesn’t require access to source code and tests the software as it runs. DAST looks at the running software through the eyes of a cybercriminal, pressure testing to find areas of weakness that could be exploited.
Comparing Legacy and Modern Testing Tools
When comparing SAST and DAST, there are differences in complexity to consider. Legacy DAST can be more complicated overall because it can require customization or special hardware to effectively assess the variety of software interfaces in use. Legacy DAST solutions can also be prone to identifying extraneous edge cases or may require test cases to be built from the ground up before the software in question can even be evaluated. Modern DAST options have advanced to include pre-built capabilities to streamline processes and eliminate false positives. They can also include black box fuzzers that provide additional insight to identify unknown or unpublished vulnerabilities that can be missed by other methods of testing.
Likewise, SAST tools have come a long way. Whereas legacy solutions were known to generate slews of false positives when running vulnerability scenarios, tools can now trace execution paths to determine likely concerns based on what a threat actor would actually be able to access. Highly effective SAST solutions are configured to align with industry-standard regulations so developers can identify relevant and actionable issues.
Going Beyond Compliance to Elevate Safety to New Heights
While meeting compliance mandates is an essential part of modern connected vehicle production, it’s important to consider the role of changing a manufacturer’s cultural mindset to one of proactive testing, continuous improvement, and stopping at nothing to protect drivers from both physical and cyber harm. Building DAST and SAST into manufacturing operations from the start helps manufacturers and developers elevate safety and build trust in these fast-evolving vehicles. Bolstering consumer confidence through rigorous testing and safety protocols will be necessary to strengthen trust during this rapid phase of technological change and the dangers that accompany it.
HelpSystems works with major automotive companies to combat emerging cybersecurity challenges using comprehensive, dynamic security testing on software and hardware.
Aviram Jenik is a cybersecurity professional and entrepreneur. In the early days of computer viruses, Aviram was involved in the fields of encryption and security vulnerability detection and research. He worked as a programmer, team leader, and project manager in several start-ups before co-founding the SecuriTeam.com security portal in 1998 and then Beyond Security in 1999. In 2021, Beyond Security was acquired by HelpSystems and Aviram joined HelpSystems’ Strategic Resource Group as senior director of strategic initiatives. Aviram and his team have been involved in cyber warfare since the early 2000s, including playing an active role in helping defend Estonia in what was later dubbed “the first cyber war”. In the mid-2000s, Aviram participated in Israel’s defense strategy against a long series of ‘cyber attacks’ on civilian and government websites and networks. Aviram has co-authored several books on vulnerability assessment and black-box testing (fuzzing).