CHALLENGE

For one major manufacturer, the system security of a new electric vehicle was a top priority. The vehicle’s web and mobile platforms were designed to provide drivers with a convenient and easy-to-use interface to monitor and manage the eco-friendly car. While the development team knew the vehicle’s platforms worked perfectly from a performance standpoint, they paused the development program to ensure the systems were not exposed to outside interference. They wanted to uncover any unknown vulnerabilities that might put the driver or the vehicle at risk.

“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy can be compromised...”
SENATOR EDWARD MARKEY

APPROACH

Coalfire was retained to run a series of penetration testing scenarios, including specific tests focused on the mobile application programming interface (API) and the telematics control unit. Using the credentials from a test account, Coalfire pivoted outside of an assigned environment and was able to take control of other vehicles using only the VIN. By exploiting vulnerabilities discovered in hidden and undocumented interfaces, Coalfire was able to harness GPS functions to locate cars, lock and unlock vehicles, and perform other malicious tasks.

“Our focus, and that of the entire automotive industry, is to prevent hacking into a vehicle’s by-wire control system from a remote/wireless device outside of the vehicle.”
TOYOTA SPOKESPERSON

RESULTS

Coalfire provided specific technical recommendations to mitigate the risks identified during testing. Several third-party components were found to have critical issues. Coalfire and the manufacturer collaborated with the third-party firm to patch the API, protect GPS coordinates, and enforce appropriate permissions across the solution.
The software was updated and deployed, protecting the automobile manufacturer and millions of drivers worldwide.
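As an added illustration that is not Coalfire's or the manufacturer's code, the pattern behind the finding and the fix described above: a vehicle-command handler that trusts the caller-supplied VIN, beside a hardened version that checks ownership of that VIN, keeps test credentials inside the test environment, checks the permission for each command, and logs every denial so repeated VIN probing can be alerted on. All account names, VINs and coordinates are constructed sample data.

```python
from typing import Dict, List, Tuple

class Forbidden(Exception):
    """Raised when a vehicle command fails an authorization check."""
# Constructed fleet: the environment each vehicle belongs to and its last GPS fix.
VEHICLES: Dict[str, dict] = {
    "VINTEST000000001": {"env": "test", "gps": (0.0, 0.0), "locked": True},
    "VINPROD000000002": {"env": "prod", "gps": (37.7749, -122.4194), "locked": True},
}
# Constructed accounts: home environment, VINs owned, actions granted.
ACCOUNTS: Dict[str, dict] = {
    "tester":   {"env": "test", "vins": {"VINTEST000000001"}, "perms": {"locate", "lock", "unlock"}},
    "driver42": {"env": "prod", "vins": {"VINPROD000000002"}, "perms": {"locate", "lock", "unlock"}},
}
DENIED_LOG: List[dict] = []  # audit trail of refused requests, for alerting on VIN probing

def locate_vulnerable(user: str, vin: str) -> Tuple[float, float]:
    """Before: authentication only. Any valid account can look up any VIN."""
    return VEHICLES[vin]["gps"]

def deny(user: str, vin: str, action: str, reason: str) -> None:
    """Record the detailed reason server-side, return one generic error to the caller."""
    DENIED_LOG.append({"user": user, "vin": vin, "action": action, "reason": reason})
    raise Forbidden("not permitted")  # same message for every failure: no oracle for guessing VINs
def authorize(user: str, vin: str, action: str) -> None:
    """After: principal and object must exist, share an environment, and the caller must own the VIN and hold the action."""
    acct, car = ACCOUNTS.get(user), VEHICLES.get(vin)
    if acct is None or car is None:
        deny(user, vin, action, "unknown principal or vehicle")
    if car["env"] != acct["env"]:        # test credentials never reach production vehicles
        deny(user, vin, action, "environment mismatch")
    if vin not in acct["vins"]:          # object-level check on this specific VIN
        deny(user, vin, action, "not owner")
    if action not in acct["perms"]:      # capability check per command
        deny(user, vin, action, "action not granted")

def locate_hardened(user: str, vin: str) -> Tuple[float, float]:
    authorize(user, vin, "locate")
    return VEHICLES[vin]["gps"]
def set_lock_hardened(user: str, vin: str, locked: bool) -> bool:
    authorize(user, vin, "lock" if locked else "unlock")
    VEHICLES[vin]["locked"] = locked
    return VEHICLES[vin]["locked"]

def is_permitted(user: str, vin: str, action: str) -> bool:
    try:
        authorize(user, vin, action)
        return True
    except Forbidden:
        return False
```

Note that the hardened path still returns the same generic error whether the VIN is unknown, belongs to another environment or is merely not owned; the precise reason lives only in the server-side log.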