Case Study: Mitigating Risks of Connected Vehicles

08 March 2023

By NCC Group

Situation

NCC Group worked with a vehicle manufacturer to determine the security profile of a connected vehicle it was developing. This was done by assessing multiple aspects of the vehicle including its infrastructure, web applications, and mobile applications.

The assessments highlighted the individual risks associated with each vulnerability, and the real-world impact of exploitation. The organization was then able to improve the overall security posture of the vehicle at a crucial stage of its development.

At a Glance

Organization: Vehicle Manufacturer

Industry: Automotive Manufacturing

Challenge: Assess the security posture of a connected vehicle

Solution: NCC Group performed a series of assessments to deliver a technical and risk-based assessment for the organization

Result: NCC Group delivered a comprehensive review of the vehicle and its associated risks and vulnerabilities, allowing the organization to improve the vehicle’s overall security posture

Challenge

Over recent years automotive cyber security has gained prominence as a result of vehicles becoming more connected, which increases their attack surface. This hasn’t gone unnoticed by the hacker community, who have demonstrated a range of potential attacks against vehicle systems at security conferences and on Internet forums.

In some instances, these public disclosures have even resulted in vehicle recalls. The Original Equipment Manufacturer (OEM) wanted to ascertain the security posture of the connectivity within a new SUV in its range.

Solution

NCC Group works with many OEMs across the world on cyber security projects, delivering technical and risk-based security assessments of automotive projects, from ECU testing through to full vehicle assessments. Engaging NCC Group gave the client technical risk analysis and a security assessment of the connectivity of the SUV in scope, which it used to inform its development teams.

A series of pragmatic cyber security assessment activities was carried out, including:

Web Application and Infrastructure Assessment: An assessment was performed against the web application and associated infrastructure used by customers to register their vehicles for connected services. The primary areas of concern in web application security are authentication bypass, injection, account traversal, privilege escalation, and data extraction.

NCC Group’s Methodology: Covers all of the ISO/SAE 21434 risks as well as the top ten web application security risks and more.

Infrastructure Assessment: An assessment against the mobile backend was completed to gather information about the systems and their topology. Information such as OS identification and software type or version, along with associated potential vulnerabilities, was researched and collated. Where appropriate, attempts were made to exploit the systems.

Mobile Application Assessment: An assessment was performed against the OEM’s mobile application for various platforms. The purpose of this was to identify security vulnerabilities that may be exploited to compromise user data, either on the device or accessed via a remote server using a web service or other network interface.

Result

Following this assessment, our OEM client received a comprehensive technical document highlighting individual risks with a rating associated with each vulnerability, and the real-world impact of exploitation.

The report also contained an executive summary, which detailed business impact and technical remediation actions, enabling the client to improve the cyber security posture of the connected vehicle.

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.
