Securing in-vehicle infotainment and connected car systems

Connected vehicles are recognized to be vulnerable to car hacking. This poses a threat to road safety and may ultimately lead to crashes and deaths. The need to address cybersecurity of vehicles is clearly expressed by the industry, road authorities, and also end users.

Today’s cars contain a growing amount of software and connectivity to provide additional functionality and services, and the amount of code in in-vehicle systems has grown significantly as a result. This makes these systems challenging to test and harden for security.

Combined with an ever-evolving threat landscape and the growing sophistication of cyber attacks, this increases the level of risk associated with in-vehicle software, as demonstrated by recent vehicle hacks, more frequent recalls, and increasing attention and concern from the press and regulators.

UL aims to be a partner for the automotive industry, to ensure that in-vehicle systems and communication from and to the car are protected. UL combines different security testing techniques to determine the security posture of in-vehicle systems’ software, and associated risk levels.

Among the key challenges for automotive security, specifically vehicle telematics, is the rise of infotainment. Everyday electronic devices can now access and integrate with your car and provide drivers with all types of functions, such as hands-free calling, navigation and audio streaming. UL performs a wide range of infotainment security testing, using both black and white box techniques:

  • Fuzz testing on infotainment protocols / interfaces
  • Threat modeling using industry standards such as STRIDE / DREAD / OCTAVE
  • Black box / grey box penetration testing to detect and exploit vulnerabilities
  • Code review to find security flaws in infotainment components
  • Mobile app (proxy) security / SDK security review

Additional UL services:

  • Functional software testing on infotainment modules / mobile apps
  • Bluetooth/BLE IOP testing with mobile handsets

In-vehicle networks, including the CAN bus, form another important attack vector. An increasing number of components connect to the CAN bus (a typical car contains over 100 ECUs). By hacking the CAN bus and related internal network protocols, and accessing these ECUs, wider automotive systems come within reach.

UL’s security testing establishes proofs of concept showing how vulnerabilities could be exploited, so that proper mitigation measures can be taken.

Security testing on remote entry points:

    • Bluetooth / WiFi connections
    • OBD II / USB ports
    • Apps

Fuzz and penetration testing on in-vehicle network protocols:

    • CAN
    • FlexRay
    • Ethernet
    • MOST
    • Other

Security reviews of individual components, including:

    • ECUs
    • Sensors

OTA / OTI security, checking for security of communications / SW updates

Additional UL services:

EMC, Wireless and V2X testing, including interoperability testing

UL also performs wider automotive ecosystem security testing, for example focused on communication to the cloud and backend services. UL can also perform checks on organizational security processes, such as patch management and access control procedures.