The Future of Automated Security Testing
As vehicles become increasingly software-defined, the need for high-quality, automated security testing grows more urgent. This paper proposes a flexible, easy-to-use remote security testing platform that uses cloud technology to reduce hardware costs and widen participation, supports the secure development lifecycle, penetration testing and research, facilitates global hacking competitions and bug bounty programs, and outlines directions for future work. 2025-3-15 02:28:11 Author: hackernoon.com

Abstract and 1 Introduction

2. Current Security Testing Platforms

2.1. Recent progress

3. A New Testing Platform and 3.1. Testing platform roles

3.2. Web-based remote access

3.3. Testbed setup

4. Enabled Testing Methodologies

4.1. Secure Development Lifecycle (SDL) testing and 4.2. Penetration testing

4.3. Research testing

5. Conclusion & Outlook, and References

5. Conclusion & Outlook

With vehicles becoming more software-defined, the need for higher-quality and more automated security testing is evident. A flexible, easy-to-use, and remote-capable test platform not only improves current industry testing capabilities, but can also provide easier access to logistically challenging and costly hardware. This allows the industry to draw on a larger pool of talent for testing and allows more people to learn about automotive components. Furthermore, we see potential in leveraging this type of cloud-based platform to reduce costs and increase participation for global hacking competitions and Bug Bounty programs.

That being said, the ideal testing platform is one that the community will actually use and implement in their research, development, and production. In this work, we propose several well-defined methodologies to build a useful and configurable remote testing platform. However, as the needs of the automotive security industry change, this testing platform should be able to adapt and be as flexible as possible. Once other testing platforms mature, future work should investigate the different underlying technologies and features used to build these platforms and explore relevant trade-offs and limitations.


Authors:

(1) Sekar Kulandaivel, Robert Bosch LLC — Research and Technology Center;

(2) Wenjuan Lu, Block Harbor Cybersecurity;

(3) Brandon Barry, Block Harbor Cybersecurity;

(4) Jorge Guajardo, Robert Bosch LLC — Research and Technology Center.


Source: https://hackernoon.com/the-future-of-automated-security-testing?source=rss