In brief
- The need for cybersecurity in the automotive industry is rapidly increasing due to the rising sophistication of cyber threats and the evolution of vehicles
- Luxoft has established a cybersecurity testing lab, offering a comprehensive suite of services that includes cybersecurity testing, verification and validation, fuzzing software modules and penetration testing
- The lab's services help to enhance the safety of vehicles, preserve the integrity of data and support regulatory compliance
We live in an era of increasing cybersecurity threats. Cyberattacks are becoming ever more sophisticated and pervasive. This is also true for the automotive industry, especially as vehicles become more and more technologically advanced — to the point where they’re called “computers on wheels.” With this increased technology, vehicles also become more susceptible to cyberthreats. Recognizing the critical importance of cybersecurity in the automotive sector, we have expanded our connected vehicle testing services by establishing a state-of-the-art cybersecurity testing lab, helping customers comply with regulations (e.g., UNECE R155/R156 and ISO/SAE 21434) and ensure vehicle security and safety.
How the cybersecurity lab helps OEMs and automakers
Our automotive cybersecurity testing service is designed to provide comprehensive testing and an assessment of the security posture of vehicles on all levels (hardware, software and communication networks), ensuring that they are protected against cyberattacks. We use state-of-the-art methodologies and tools. Together with our expertise in verifying and validating security measure implementations, this helps us to identify vulnerabilities across various vehicle components and systems. Additionally, our lab services directly enhance the following:
- Proof of product security: Comprehensive cybersecurity testing covering all SEC.3/SEC.4 automotive ASPICE domains
- Proactive threat mitigation: Using penetration testing as a proactive approach to identifying and mitigating cyber threats, reducing the risk of successful attacks
- Vehicle safety: Validate the security measures that safeguard vehicle systems from potential cyberattacks
- Compliance and certification support: We assist our clients in meeting regulatory requirements and industry standards for automotive cybersecurity. Our team helps navigate through frameworks such as ISO/SAE 21434 and UN Regulation No. 155, providing guidance and support to achieve compliance and obtain necessary certifications
- Data integrity and authenticity: Testing ensures protection of sensitive vehicle data from unauthorized access or tampering, preserving the integrity and authenticity of critical automotive systems and communication
- Expertise in automotive industry: Leverage deep industry knowledge to navigate the specific challenges and regulatory landscape of the automotive sector
- Enhanced reputation and trust: Hacking incidents can cause significant reputational damage. Comprehensive testing minimizes the risk of potential threats by eliminating weaknesses and flaws in product design. Moreover, it demonstrates a commitment to cybersecurity, enhancing trust with customers, partners and stakeholders
Comprehensive services offered by the lab
The cybersecurity testing lab offers a number of services that cater to every aspect of automotive cybersecurity. Let’s take a look at some of them in more detail.
Cybersecurity testing verification and validation
Nowadays, cybersecurity testing verification and validation is crucial. We meticulously perform cybersecurity tests to verify the correctness of all security-related requirements and validate whether they fulfill their intended cybersecurity objectives. Our approach incorporates a high level of automation and seamless integration with continuous integration/continuous delivery (CI/CD) systems. This enables us to deliver rapid, efficient and comprehensive security assessments.
Fuzzing software modules and communication networks
Our lab has specialized capabilities in fuzzing techniques — an advanced testing methodology used to discover coding errors and security loopholes; this technique uses deliberately malformed or specially crafted inputs to stress code. We test software components, modules and communication networks (like Ethernet or CAN) with these techniques to increase security coverage and to uncover unknown vulnerabilities, thereby enhancing the overall security resilience of automotive systems.
Penetration testing
Our team adopts a proactive approach to cybersecurity by identifying vulnerabilities before they can be exploited. Through advanced penetration testing, we simulate real-world attack scenarios to uncover potential weak points. This service extends to hardware security, firmware security, wireless security and vehicle network security, covering every aspect of modern vehicle control systems.
Hardware security
We conduct rigorous testing through analysis and reverse engineering of hardware security, covering the hardware layer in electronic control units (ECUs). Our experts apply state-of-the-art fault injection techniques (such as voltage glitching attacks, electromagnetic fault injections and clock faults), memory attacks, data sniffing, reverse engineering and much more, all to ensure in-depth hardware security as the first foundation layer.
Firmware security
Our lab also tests security hardening mechanisms in all software layers, including the operating system, middleware and applications, covering both simple and sophisticated firmware (classic as well as adaptive AUTOSAR). We employ dynamic code analysis to identify software vulnerabilities, build proof-of-concept exploits (exploit PoC) and devise a mitigation plan.
Wireless security
Our services cover the execution and validation of telematics and wireless attack vectors, ranging from simple Bluetooth Low Energy (BLE) or Wi-Fi to advanced key fobs, cellular telematics and vehicle-to-everything (V2X) attacks — ensuring comprehensive wireless security.
Vehicle network security
The lab offers penetration testing and security validation for modern wired vehicle networks. We cover Ethernet-based and CAN attacks from simple replay attacks to complex validation of intrusion detection systems/intrusion prevention systems (IDS/IPS), thereby fortifying vehicle network security.
Luxoft’s approach to penetration testing
To ensure that our penetration testing yields the most relevant and actionable results, we incorporate threat analysis and risk assessment (TARA) into our methodology to drive risk-based penetration testing. This helps us to understand the potential threats and vulnerabilities specific to the automotive systems we're testing and ensures that our tests are focused and relevant.
Our risk-based approach to penetration testing extends to how we report our findings. We don't just provide a list of issues identified during the testing; instead, we offer a tailored and prioritized list of findings based on impact categories.
Impact categories might include factors such as potential safety risks, privacy concerns, business continuity implications and regulatory compliance issues. For instance, vulnerabilities that could potentially lead to safety hazards or severe privacy breaches for users are given the highest priority, followed by those that could disrupt business operations or result in regulatory non-compliance.
By categorizing and prioritizing our findings, we help stakeholders understand the severity and implications of each identified vulnerability. This approach allows for targeted remediation efforts, ensuring that the most critical vulnerabilities are addressed first, and that resources are used efficiently.
A more secure future
Luxoft’s automotive cybersecurity testing lab is a cornerstone for a more secure future in the realm of the automotive industry. By offering a wide array of comprehensive services, we aim to safeguard every aspect of a vehicle's digital ecosystem, while protecting the integrity, safety and privacy of users. Contact our expert team to see how you could benefit from the work of our lab.