Automotive Cybersecurity Part - 6: Reporting
Reporting in Automotive Penetration Testing
Reporting is the most critical step in penetration testing and risk assessments. Your ability to articulate findings effectively to stakeholders is just as important as discovering those vulnerabilities. High-quality, professional reports distinguish boutique security firms from consulting giants.
Summary Page
Create a summary infographic displaying:
- Number of vulnerabilities by severity
- Vulnerabilities exploited
- Accounts compromised
- Time and effort required to remediate
- Files containing sensitive data
Note: There's no CVSS equivalent for automotive. Use your own consistent scoring method.
Executive Summary
Outline your credentials, the engagement type (white/gray/black box), and a high-level overview of the results.
Example
- Tester: Jane Doe, Head of Connected Car Division
- Engagement: White box test of OEM Head Unit (HU)
- Findings: MITM and DoS vulnerabilities, reverse shell via ELF binary
Scope
Define the boundaries of testing:
- Interfaces (Bluetooth, WiFi, USB, GSM)
- Application/network layers
- OS-level access (ADB)
- Excluded elements clearly labeled (e.g. TCU)
Methodology
Use frameworks like:
- PTES
- OSSTMM
- ISSAF
PTES Steps
- Pre-Engagement interactions
- Intelligence gathering
- Threat modeling
- Reconnaissance
- Vulnerability analysis
- Exploitation
- Post-exploitation
- Reporting
Limitations
Mention limitations such as:
- No source code
- Time constraints
- Shell access limits
- Missed interface testing
Narrative
Describe what happened during the test:
- Recon and scanning
- Evil twin MITM attack
- Reverse shell via `wget` and Metasploit ELF payload
- Traffic analysis from TCU to HU on TCP/8888
Tools Used
| Category | Tool | Description |
|---|---|---|
| Wireless | HostAP, Pineapple, Aircrack-ng | Rogue AP, WPA2 cracking |
| Bluetooth | Bluelog, BlueMaho | Bluetooth enumeration and attacks |
| OS | Metasploit | Exploitation and reverse shells |
Risk Rating
Example
- Likelihood: 2
- Impact: 3
- Overall Risk: Moderate
Denial of Service required a vehicle reboot to restore connectivity between TCU and HU.
Findings
Evil Twin + MITM
- Tools: WiFi Pineapple, hostAP
- Result: TCU connects to rogue AP → WPA2 handshake captured
DoS via ARP Spoofing
- Impact: Permanent HU/TCU disconnect
- Recovery: Requires car reboot
Reverse Shell via wget
- Command: `wget` ELF payload executed on HU
- Backdoor: Connected back to attacker
Firewall Bypass via IP Spoofing
- Exploit: Access TCP/8888
- Remedy: Enforce MAC filtering with `iptables`
Segmentation
- All segmentation tests passed
- Clients could not access cross-network resources
Remediation Recommendations
- Enforce MAC filtering on HU: `iptables -A INPUT -p tcp --destination-port 8888 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT`
- Strengthen WPA2 key handling
- Harden HU file transfer paths
- Block TCP/4444 and restrict outbound connections
- Disable shell access unless required
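An added example (not part of the original report): the MAC filter recommended above only restricts TCP/8888 if other senders are dropped by a later rule or by the chain policy, so the Python sketch below checks `iptables -S` output for that. The function name `audit_port`, the sample rulesets and the placeholder MAC are assumptions, and only plain `-p`/`--dport`/`--mac-source` rules without negation are modeled.

```python
import shlex

KNOWN = {"-A", "-p", "-m", "--dport", "--destination-port",
         "--mac-source", "-j", "--reject-with"}

def _opt(tok, *names):
    """Value following the first of `names` present in the token list."""
    for n in names:
        if n in tok:
            return tok[tok.index(n) + 1]
    return None

def audit_port(ruleset, port=8888, chain="INPUT"):
    """Walk `iptables -S` text in rule order; return (restricted, macs, reason)."""
    policy, macs = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        if tok[:2] != ["-A", chain]:
            continue
        # Rules using matches this sketch does not model are left for manual review.
        if "!" in tok or any(t.startswith("-") and t not in KNOWN for t in tok):
            continue
        if _opt(tok, "-p") not in (None, "tcp"):
            continue
        if _opt(tok, "--dport", "--destination-port") not in (None, str(port)):
            continue
        mac, target = _opt(tok, "--mac-source"), _opt(tok, "-j")
        if mac:
            if target == "ACCEPT":
                macs.append(mac)
            continue  # a per-MAC rule never decides traffic from other senders
        if target == "ACCEPT":
            return False, macs, "open to any sender: " + line
        if target in ("DROP", "REJECT"):
            return True, macs, "closed by: " + line
    return policy == "DROP", macs, "falls through to policy " + policy

# Constructed samples in `iptables -S` form; the MAC is a placeholder.
WEAK = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -m mac --mac-source 02:00:00:00:00:01 -j ACCEPT"""
HARDENED = WEAK + "\n-A INPUT -p tcp -m tcp --dport 8888 -j DROP"

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_port(rules))
```

A MAC address is not an authenticated identity, so this filter complements rather than replaces the other recommendations in this list.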
Risk Assessment Report
Objectives
- Assess threats, assets, vulnerabilities
- Recommend countermeasures
- Present risk mitigation plans
Functional Description
HU Functions
- Navigation
- Remote UI
- Internet
- Bluetooth, USB, WLAN
- OTA Updates
Asset Catalogue
| Component | Description |
|---|---|
| MMB/NVIDIA SoC | Implements TrustZone |
| V CPU | Secure coprocessor |
| Applications | Navigation, Messaging, Browser |
Interfaces
- Internal: CAN, Ethernet, SPI2
- External: USB, SD, WLAN, GPS, DSRC, CI+
Threat Model
| Motivation | Objective | Target |
|---|---|---|
| Criminal activity | Identity theft, unauthorized access | HU/TCU |
| Espionage | Extract firmware, IP | OEM backend, HU |
| Terrorism | Mass vehicle disruption | Vehicles, roads |
Threat Analysis
- Harm driver
- Gain IP or data
- Tamper warnings
- Prevent emergency services (eCall)
- Reputation damage to OEM
Impact Assessment
| Function | Safety | Privacy | Operational |
|---|---|---|---|
| Navigation | 2 | 3 | 3 |
| Driving | 2 | 2 | 3 |
| Config/Maint | 4 | 4 | 4 |
Risk Assessment Results
| Asset | Attack Method | Risk Level |
|---|---|---|
| MMB | USB/WLAN attack | High |
| V CPU | SPI2 + JTAG | Moderate |
| CSB | TV signal tamper | Low |
Security Controls (Examples)
- SMH2 Secure Boot
- SMS5 App Sandboxing
- SMS13 IP Firewall
- SMS17 TLS Encryption to Backend
Summary
Effective reporting is essential. Automotive cybersecurity demands clarity, risk prioritization, and thorough documentation. The real value lies in turning technical findings into business-relevant action.
Remember, a modern car is a networked computer; treat it as such.