embedded world | Automotive Security Assessment

Hall 5 / Booth Number 5-372

Automotive Security Assessment

Logo SCHUTZWERK GmbH

by SCHUTZWERK GmbH

Key Facts

  • Holistic and in-depth security analyses at all levels of the automotive stack (e.g. of firmware, update processes, diagnostic and debug functions, hardware, specific security mechanisms, etc.).
  • The scope can be individually defined and ranges from complete vehicle or end-to-end tests to tests of control units and individual components through to detailed analyses of systems on chip (SoC) or other microcontrollers. If required, passive and active side-channel attacks can also be carried out (e.g. through power analysis or fault injection).
  • Many years of expertise and a highly specialized, state-of-the-art laboratory environment certified to ISO 27001 and TISAX L3

Categories

  • Certification and Approval
  • Testing Services
  • Other Services
  • Consulting
Product Picture Automotive Security Assessment
Product Picture Automotive Security Assessment

Key Facts

  • Holistic and in-depth security analyses at all levels of the automotive stack (e.g. of firmware, update processes, diagnostic and debug functions, hardware, specific security mechanisms, etc.).
  • The scope can be individually defined and ranges from complete vehicle or end-to-end tests to tests of control units and individual components through to detailed analyses of systems on chip (SoC) or other microcontrollers. If required, passive and active side-channel attacks can also be carried out (e.g. through power analysis or fault injection).
  • Many years of expertise and a highly specialized, state-of-the-art laboratory environment certified to ISO 27001 and TISAX L3

Categories

  • Certification and Approval
  • Testing Services
  • Other Services
  • Consulting
Show More

Product information

In an Automotive Security Assessment, both, hardware and software of electronic control units are examined and analyzed for existing vulnerabilities. The auditor takes the perspective of an external attacker as well as of privileged users. Examples of attacks range from dumping flash memory, over man-in-the-middle attacks to infiltrating systems by exploiting vulnerabilities in exposed interfaces (e.g. CAN, Ethernet, Bluetooth or USB).

In general, the assessment is based on the approach of an examination that is as comprehensive as possible. However, depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a penetration test ). In this case, the focus is on particularly security-critical or endangered areas, whereby the scope of the test is determined by the time budget agreed upon in advance.

Automotive Security Assessments usually include the following points:

  • analysis of operating system and firmware checks (e.g. hardening measures, running services, AUTOSAR configuration or hex file analysis)
  • analysis of update processes (e.g. signature validation and authentication)
  • diagnostic access checks (e.g. certificate-based authentication or XCP access)
  • analysis of special security measures (e.g. Secure Boot or HSM integration)
  • analysis of hardware components (e.g. flash memory dumping or access via debug interfaces)
  • analysis of ECU-internal communication (e.g. data transfer between different chips or processors)
  • analysis of vehicle-internal communication (e.g. via CAN, FlexRay, Ethernet or LIN)
  • analysis of communication with external components and backend services (e.g. via Bluetooth, NFC, wireless LAN or cellular radio)
  • application-level checks (e.g. user input or backup capabilities of head units)
  • Documentation including risk assessment and description of measures.

Within the scope of testing, we implement corresponding regulatory requirements, for example ISO/SAE 21434, UNECE R 155 or from homologation.

If required, the assessment can be extended with a source code analysis and concept analysis. This also takes into account security aspects of suppliers' production processes, e.g. key management and integration during production.

 ... read more

Product Expert

Heiko

Heiko Ehret

Senior Security Consultant

hehret@schutzwerk.com