Areas
 

Ever since we started putting computers in vehicles and connecting them to outside systems, consultants at Assured have been involved in securing those systems and networks.

Be it an electric hypercar, a hybrid car-sharing platform, a self-driving truck, a connected bus for local transport or any type of vehicle in between: Assured Security Consultants have the tools and qualified experience to assess the security of such vehicles.

Brochure

Securing connected vehicles is our specialty

Brochure (pdf) on our automotive security services

Being situated in Gothenburg, we have had the forefront of the automotive industry, research and development right by our doorstep since we started. Since then our expertise has been employed on the local as well as the international scene.

Securing connected vehicles

As vehicles become more and more dependent on being online with a plethora of connected services, our expertise in penetration testing, embedded security and network infrastructure is highly appreciated by manufacturers and developers of connected vehicles.

Infotainment and telematics systems are core components in modern vehicles. Their connectivity features contribute to the attack vector for external threats. At Assured we specialize in finding vulnerabilities in these systems and proposing mitigations to improve security and making the vehicle compliant with UN Cybersecurity Regulation No. 155 and the ISO/SAE 21434 standard.

Assured, UN Regulation No. 155 and ISO/SAE 21434

Our long experience in secure design, embedded security, application security, penetration testing and general security advisory makes us an excellent partner for ensuring your design, specification, component testing and system testing are carried out according to security industry best practice. We also provide seasoned advisory for defining system security requirements.

Our penetration test reports for automotive security testing are constructed in a way that the issues reported:

  • are easy to understand, reproduce and verify;
  • are risk assessed according to the recipients needs;
  • have a clear mitigation strategy; and
  • are linked to relevant threats in UN Regulation No. 155 Annex 5.

Please get in touch if you are interested in how Assured can assist in making your vehicles cybersecurity resilient and regulations compliant.

References

We've worked with several prominent parties in the automotive industry as penetration testers, long-term contractors and as research partners. Most recently we have been engaged with Group Lotus, Volvo Group, CEVT, WirelessCar and Einride. Among our customers and partners you will also find RI.SE, Autocom, Zacco and Combitech.

Research

Assured enthusiastically participates in research projects into how vehicles and the automotive industry can be secured.

The research project HoliSec aimed to take a holistic approach to improve cyber and information security in the automotive industry. During this project we conducted a penetration test of an electric bus for local transport. Assured also designed and developed the BusGoat, a deliberately vulnerable Electronic Control Unit (ECU) for challenging and educating developers and security enthusiasts.

One of the sub projects in HoliSec focused on CAN bus security and handling malicious devices attached to the CAN based communication within a vehicle. The specific issue related to AdBlue emulators, devices that disrupt the system responsible for reducing NOx emissions.

In the sub project, Assured provided security analysis and threat modeling. Using this analysis in combination of analysis of requirements such as real-time response, cost, supply-chain and lifecycle of a vehicle, Assured proposed a set of mechanisms and processes that would make the AdBlue emulators much less feasible, and economically less interesting. The proposed solution included things like in-vehicle network discovery and monitoring, ECU authentication and securing CAN communication with very low overhead and effect on latency.

The BusGoat was also part of the SUFFI project in which we created a training course for automotive security (continued development under the name "CAN Hack!", see below).

Lately we have been involved in the CyReV project where cyber resilience in autonomous and connected vehicles is studied and developed. Machine learning and other novel techniques are to be used in vehicular intrusion detection systems and more.

Automotive Security Education

CAN Hack! A hands-on automotive security workshop

CAN Hack! is a workshop aimed at anyone interested in the security of connected vehicles. The workshop combines theoretical lectures with hands-on challenges on a physical (or virtual) simulated car.

Participants will learn how a modern vehicle communicates internally (between components) as well as externally with the driver, passengers and remote services and how to exploit vulnerable or weak implementations of security concepts.

The workshop is designed to be delivered as a one-day training with theoretical and practical parts in an interactive fashion. The day is ended with a hands-on, CTF-style series of challenges and a race for the win!

Participants will be given a virtual machine with all the necessary tools and configuration needed to connect to the challenge platform, named "CyCar". This device tries to simulate a vehicle infotainment and telematics system, often available in modern vehicles.

This workshop mainly targets developers, architects and students working with automotive solutions but fits anyone with an interest in automotive security, hacking and embedded system security.

Let us know if you are interested in this workshop!

The CyCar hardware platform