Automotive Penetration Test


Highly-experienced Consultants Take the Initiative and Use Tools to Diagnose Vulnerabilities in the Equipment and Systems Installed in Automobiles

Recently, the quest to improve fuel efficiency and make automatic driving a reality has made it increasingly common for automobiles to be equipped with information communication equipment that connects with external networks, smartphones, USB memory sticks, and other devices. With these items attracting attention as potential targets for cyber-attacks, any unauthorized remote access could lead to serious problems and may potentially jeopardize human lives.

A Dedicated Team to Support Security Goals for Vehicles'

The Automotive Penetration Test Service (hereinafter referred to as "the Service") involves conducting penetration tests based on various guidelines for incorporated devices and on the expertise that NRI Secure has cultivated thus far through "Device Security Diagnostics" for IoT (the Internet of Things) equipment. NRI Secure is launching a dedicated team comprised mainly of members with extensive backgrounds and achievements in vehicle system penetration testing. This team of specialists will identify risk scenarios and intrusion pathways through offline threat analysis and then run security assessments and diagnostics on the actual vehicles and their onboard devices. In addition, they can also support automobile manufacturers or other clients who prefer to perform the diagnostic in-house.

Overview of the Automotive Penetration Test Service

The equipment installed in automobiles (the engine control unit, referred to as "ECU" in the image below) and its systems can be classified broadly into three categories: "information systems" which connect to external networks or devices, "control systems" which control the vehicle body, and "gateway (GW)" technology which separates these two systems. If an information system is attacked by an external network or device, there is a risk of intrusion into the control system via the GW, which could ultimately allow an attacker to manipulate the vehicle.

With the Service, assessments are done in the following two phases in order to verify how robust the security is against such threats.

PhaseImplementation Items
Phase 1 The security of the information system and control system equipment and the GW is assessed individually, both on review and penetration test.
Phase 2 After any vulnerabilities detected in phase 1 are compiled together, a penetration test is done using the entire vehicle to determine whether an attack from an external network or device could allow the attacker to manipulate the vehicle.