Vehicle, System, and Component Level Penetration Testing.

Validating the target is meeting ISO/SAE 21434 Cybersecurity Goals.

The automotive industry is undergoing cybersecurity standardization and regulation that enforces consistent analysis to provide work products to auditors. Requests for penetration tests to showcase the cybersecurity of products are being asked throughout the automotive supply chain.

What is Penetration Testing

Penetration testing is the act of identifying vulnerabilities and attempting to exploit a target using creative means within a defined scope. Often provided by a third party with a fresh set of eyes.

Penetration testing goes farther than standard validation and quality testing. Testing from the perspective of an adversary with malicious intent, penesting explores unique pathways to discover vulnerabilities which cannot be found through other types of testing.

Penetration testing engagements end with a report of any discovered vulnerabilities which might need to be mitigated and document all attempts and testing methods used.

Why conduct penetration testing?

After vehicle, system, or component cybersecurity design is complete, implemented, and functionally tested. Penetration testing will confirm the cybersecurity goals were actually achieved. Does the product have the security posture expected from the design phase. Is that security posture enough to prevent attackers from causing unacceptable damages?

Penetration tests offer insight into which channels your product is most at risk and thus what types of security controls you need to focus on in current and future products.

Many automotive companies and vehicles products have already been victims of cyber-attacks or security research publications causing harm. 

Penetration testing has the potential to discover critical vulnerabilities, that if left uncheck, can cause loss of life, recalls, and severe financial and brand damages. Providing the penetration test reports to auditors will prove your due diligence and achieve compliance with regulations.


Why us?

Our firm has years of experience working alongside OEM’s and Tier 1 suppliers in multiple industries. With deep expertise and specialty focus automotive in web application, cloud, industrial control systems and embedded systems you can trust our expertise can meet any engagements meeds. As winners of the 2019 Defcon Car Hacking Village CTF event you can trust in our experience.


Want to learn more about our process?
Download a sample penetration test report!

Our Process.

Block Harbor follows a standard process to ensure consistency and quality of our penetration testing. Our focus is on holistic assessments that ensure every basic security control is in place for interfaces in scope before we advance to more complex testing. 

We Follow a 6 step process:

1: Threat Modeling

In order to test the right areas, it’s important to understand who and what the possible threats might be. That’s why the assessment begins by working with your team to develop a wholistic picture of your environment to determine what possible threats you might face and what the actors motivations would be.

2: Attack Surface Enumeration and Passive Reconnaissance

Understanding what’s available for the attacker to target and what information that they can leverage is critical to building a practical attack narrative. In this phase of the assessment we canvass the attack surface of the application or software. The goal of passive reconnaissance is to use publicly available tools to gather information so we can build a picture of what areas are exposed to attack and determine what information exists in the wild that the attacker may leverage against you.

3: Active Scanning & Vulnerability Research

Our security experts will then run the vulnerabilities through test cases to canvas the internal attack surface laterally. As the internal attack surface expands during testing, the client and stakeholders are informed on a cyclic basis.

Security Defense/Protection Check & Vulnerability Detection

It’s important to not only test the weak spots but ensure the security defense’s you put in place are working. That’s why in this phase test to verify the defense mechanisms you currently have in place are working and detect any vulnerabilities that they may have. 

4: Deep Testing and Attempt to Exploit

Using automated tools and vulnerability scanners can only get you so far. This is is where we take the gloves off and leverage our previous findings, extensive knowledge, experience, and expertise in order to attempt to exploit the vulnerabilities we found as well as craft creative attacks that may be used against your product or environment.

Assessment Reporting

The findings of the engagement will be encapsulated in a document in order to help visualize the attack surfaces that need to be hardened or refactored. The report will consist of exploitation point of concepts, processes, remediation plans, and assessment of risk.

at every step.

Penetration testing is complex. Establishing proper point of contacts and a communicative structure is important to the success of the project. We keep customers up to date with the progress and finding in the penetration testing through regular meetings. At the end of testing we streamline the data in a drawn out report to help you visualize where and how to fix the vulnerabilities that were found.

Create a gauge of completion

To stay consistent with your development cycle, a roadmap will be established to meet the scope and requirements of the engagement.

Identify Point(s) of contact

Decide on who within the organization will coordinate efforts during and after testing.

Creation & Dissemination of Deliverables

Deliverables that are generated during the engagement will be communicated to the client and shareholders.