Penetration Testing of Connected Car Mobile Apps
Overview
A leading automotive industry client, a giant Indian auto manufacturing company that employs over 25,000 workers and has set up numerous manufacturing facilities in Asia, approached us with an ambitious project: moving into connected cars.
Understanding that IoT-based technologies carry inherent security threats and vulnerabilities, particularly in online business operations, the client was looking for a competent technology partner to strengthen the security of their mobile app against possible hacks. Given DevOps Experts India's previous involvement in cybersecurity services, the company was deemed perfect for the job.
Automotive
Cloud & DevOps
Our Process
Our collaboration began with a number of requirements definition workshops that included key stakeholders. These workshops provided useful input for threat modeling.
We identified the different threat agents, threats, and entry, control, and exploitation points. We conducted both manual and automated penetration tests to reveal vulnerabilities and insecure storage of user information.
Our team conducted app security penetration testing based on two kinds of attacks. The first attack point was manipulation of the data exchanged between client and server, which includes the client's credentials and permissions.
To assess exposure to man-in-the-middle attacks, we attempted to intercept the messages between the client and the server. Every testing phase produced a list of the discovered vulnerabilities along with potential security fixes.
Requirements Gathering
To identify the requirements, the DevOps Experts India team arranged a series of workshops with the related departments. These workshops gathered the threat intelligence needed to inform threat modeling and to discover threat agents.
Threat Modeling
Based on the requirements collected during requirements gathering, DevOps Experts India conducted an end-to-end threat modeling exercise to evaluate the threats involved. This paved the way for planned security assessments.
Penetration Testing
To assess the defenses in different areas of the application, testers conducted two kinds of penetration tests. The first selectively modified the data exchanged between client and server, while the second assessed susceptibility to man-in-the-middle attacks.
Comprehensive Reporting
Each testing round produced a comprehensive report of the discovered vulnerabilities and possible fixes to enhance security. This brought greater clarity to the relationship with the client and ensured that the prospective risks were clearly communicated.
The Problem
Our client, a recognized brand, has built an IoT-based mobile application for their passenger car. However, because connected cars operate in online mode, they can be hacked. Our client was looking for a reliable security partner to protect the identity of drivers. They required a number of security reviews and vulnerability tests on the connected car application.


Our Role
- Requirements Gathering
- Threat Modeling
- Penetration Testing
- Comprehensive Reporting
Project Challenges
1. IoT Security Complexity
The security issues specific to IoT and connected car applications made the effort more difficult. The approach therefore had to be varied enough to consider all the factors that may pose threats.




2. IoT Security Complexity
Most companies fail when it comes to handling online operation vulnerabilities. Because connected cars communicate in online mode, they are vulnerable to cyberattacks. Addressing this challenge required more work analyzing the operational channels and the exchange of data.
Results
We outlined significant safety risks and threats, such as how two-factor authentication can be bypassed, along with many others that made connected cars vulnerable to cyber threats. We identified several medium-risk vulnerabilities, among them leakage of data in the customer portal and poorly stored credentials. The client's connected car ecosystem was fully protected at various levels, allowing the client to provide fun and innovative features to their customers while keeping them secure.


Critical Safety Issue Recognition
The team examined vulnerabilities iteratively. DevOps Experts India found two-factor authentication bypasses and threats that make connected cars susceptible to cyberattacks.
Complete Ecosystem Protection
The implemented security measures provided full protection for the client’s connected car ecosystem, eliminated possible risks, and improved the client’s cybersecurity profile.
Customer-Centric Innovation
With a secure and protected connected car ecosystem, our client could confidently offer more innovative and enjoyable features to their customers while prioritizing their safety.





