Automotive Penetration Testing

Offensive security services from one of the world’s leading teams in automotive penetration testing.

THE CHALLENGES: COMPLIANCE AND SECURITY

Navigating compliance in automotive cybersecurity presents complex challenges. The inherent complexity of modern vehicles, with their advanced electronic systems and software, demands thorough attention to every security detail to cover the extensive attack surface. The involvement of numerous suppliers in the supply chain further complicates this, as the security of each component is vital for the overall security of the vehicle. This issue is intensified by the constantly evolving threat landscape, which necessitates a dynamic and proactive approach to security, continually adapting to new cyber threats to maintain compliance and safeguard vehicles.

HOW CAN PCAUTOMOTIVE HELP YOU?

PCAutomotive provides comprehensive automotive penetration testing services designed to meet cybersecurity regulations and significantly enhance the security of tested systems. Our team possesses world-leading expertise and extensive experience in penetration testing for a wide range of automotive and embedded systems. Additionally, PCAutomotive offers a unique combination of penetration testing, threat intelligence, and cybersecurity monitoring services, ensuring substantial improvements in both compliance and overall security.

THE SERVICE

OUR TARGETS

• The whole vehicle
• Any Electronic Control Units (ECUs) in passenger and commercial vehicles, including trucks and buses
• Motorcycles
• Applications

CRITICAL FACTOR: AUTOMOTIVE CYBERSECURITY REGULATION

UNECE R155 and ISO/SAE 21434 explicitly mandate penetration testing, fuzzing, and vulnerability analysis during validation and verification activities. Upon completion of these tests, we provide a comprehensive advisory for your work products, serving as concrete evidence of the implemented measures. We offer full support with remediation and retesting activities.

PENETRATION TESTING IN YOUR VULNERABILITY MANAGEMENT POLICY

Integrating penetration testing into your vulnerability management policy is essential. PCAutomotive provides a flexible approach to seamlessly incorporate penetration testing into your Software Development Life Cycle (SDLC), minimizing the cost and time needed for effective vulnerability remediation.

FROM ON-BOARD TO BACK-END: WE'VE GOT IT ALL COVERED

PCAutomotive offers a complete range of automotive penetration testing services. We provide thorough penetration testing for any hardware or software component, as well as for the entire vehicle.

OBJECTIVE OF THE SERVICE

Penetration testing of all vehicle components to ensure that unidentified weaknesses and vulnerabilities are minimized. This testing aims to demonstrate the adequacy and achievement of cybersecurity goals in accordance with ISO/SAE 21434.

DESCRIPTION OF THE SERVICE

During the penetration testing, the cybersecurity team at PCAutomotive performs real-world attacks to identify ways to compromise the cybersecurity goals of the whole vehicle and its components. The scope of the service includes all components of the car, including connected applications, all interfaces, backend systems, and communications.

OUR REFERENCES

OUR CUSTOMERS

Elli

"We can recommend PCAutomotive for their professional penetration testing service."

Adyen

"As a financial service provider, security is a top priority at Adyen. Partners like PCAutomotive help us test the robustness of our payments platform."


CASE STUDIES

Full vehicle penetration testing of the Škoda Superb III 2022

In 2023, the security assessment team at PCAutomotive completed a full vehicle penetration test of the 2022 Škoda Superb III. The team identified and disclosed seven critical vulnerabilities in the automotive sector, ranging from CVE-2023-28895 to CVE-2023-28901. These vulnerabilities include hard-coded passwords in power controller chip memory and UDS services, weak password encoding in UDS services, a Denial-of-Service vulnerability in the MIB3 Head Unit via Apple CarPlay, and in other ECUs via OBD, as well as data disclosure issues on backend automotive servers.

Read the Security Advisory for more details

Penetration testing of three different models of EV chargers

In 2023 and early 2024, PCAutomotive tested three vendors of residential EV chargers. The team found 29 security problems, among which were 12 vulnerabilities with a CVSS of 9.00 and above.

OUR METHODOLOGY

We rely on the PTES (Penetration Testing Execution Standard) methodology to perform penetration testing. The PTES methodology includes several phases to ensure comprehensive testing:

1. Pre-engagement Interactions: Planning and defining the scope of the test.
2. Intelligence Gathering: Collecting information about the target.
3. Threat Modeling: Identifying potential threats to the system.
4. Vulnerability Analysis: Finding and prioritizing vulnerabilities.
5. Exploitation: Attempting to exploit vulnerabilities to gain access.
6. Post-exploitation: Assessing the impact and maintaining access.
7. Reporting: Documenting findings and providing recommendations.

TESTING TECHNIQUES

• Fuzzing
• Discovery of vulnerabilities
• In-depth hardware analysis: hardware component enumeration and search for unintended debug interfaces
• Analysis of external interfaces
• Analysis of firmware update security
• Bypassing traffic filtering rules
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)

SERVICE DELIVERABLES

Depending on the project scope, we provide the following deliverables:

1. The list of identified security vulnerabilities in the form of a security advisory. For each vulnerability, the following information will be provided:
   • CVSS score and vector
   • Corresponding CWE (Common Weakness Enumeration) number
   • Detailed description
   • Steps to reproduce the vulnerability
   • Exploitation scenario and impact
   • Proposed mitigation
2. Full penetration test report: component enumeration, description of performed tests, summary of identified vulnerabilities, and achieved security impact
3. Post-remediation verification report

OUR BUSINESS MODELS

• Fixed-priced contracts
• Time and material (T&M) contracts

WHY PCAUTOMOTIVE?

Team certifications

• Offensive Security OSCP, OSCE
• Advanced Security Training: Hardware Hacking with FPGAs
• ISO 21434

Expertise

• Our team has deep expertise with proven records of penetration testing of vehicles, automotive components and road infrastructure.

Proven record of success

• 100+ security evaluations conducted.
• 50+ automotive vulnerabilities found in 2023.
• Found critical vulnerabilities in the top automotive brands.
• Our experts are listed in the halls of fame of industry leaders such as BMW and Siemens.

Conference Talks and Competitions:

• BlackHat USA 2018
• Recon Brussels 2018
• DefCon 28
• BlackHat Europe 2020
• Standoff 2020
• Secure Our Streets 2023
• Hacktivity Budapest 2023
• Escar 2023
• Pwn2Own Automotive Tokyo 2024

On-site center of expertise

PCAutomotive possesses a CyberGarage for conducting full vehicle penetration testing and a CyberLab for advanced hardware analysis. Our CyberLab and CyberGarage offer top-tier execution and privacy. Built by our in-house experts, PCAutomotive’s Security Garage is equipped with advanced research tools, enabling comprehensive security assessments for any industry at the highest standards.

PCAutomotive at Pwn2Own Automotive 2024 in Tokyo

The PCAutomotive team was awarded a significant $46,000 prize at the prestigious Pwn2Own Automotive competition, held in Tokyo on January 23-25, 2024. The team demonstrated proof-of-concept attacks against the Alpine Halo ILX-F509 infotainment unit via the Bluetooth channel, and against the Enel Juicebox 40 EV charger via Wi-Fi de-authentication and exploitation of the vulnerability in the charger’s web management interface. The team promptly reported the discovered vulnerability to the vendors, ensuring a responsible approach to cybersecurity enhancements.
