Horror Stories from the Automotive Industry
2023-08-17, Milliways
Language: English

In this talk, we will revisit some of the scariest stories we faced during more than 50 penetration testing and security research projects, with a twist. In the ever-emerging industry of automotive, with old and new OEMs trying to get a share of the pie, many things are at stake, with many things getting overlooked, forgotten, or even deliberately covered.
We will go through a journey of critical findings in different targets and the constant battle between penetration testers, developers, and mid to upper management. This will help the audience get an understanding of how the industry behaves right now, what they (and what we) are doing wrong, and how the future of automotive security should be shaped, not only for the sake of security, but also for the sake of safety and reliability.

This talk will try to raise awareness of the current state of automotive security and of how the industry behaves across its whole spectrum (from 100-year-old OEMs to 2-year-old OEMs and Tier 1 suppliers), and ultimately try to propose a way forward for both the automotive and security industries, with the goal being a safer and more reliable future for everyone, on and off the streets.


Working with some of the biggest OEMs and Tier 1 suppliers on pre-production vehicles gave us an understanding and experience of the whole spectrum of developing a vehicle, from architectural design to homologation and sales. This led us to many realizations and to pitfalls that the automotive industry falls into, and in order to avoid another Miller/Valasek, we have to educate the people of the industry. While most of the people and companies in this industry try to keep the gates closed for apparent reasons, we try to share as much as possible, with the hope of making a change to the industry that will have an impact on how and where it progresses in the future.


Content Notes

This is a "lessons learned" and "awareness" talk. The main target is to raise awareness about specific issues in the security aspect of the automotive industry, so we strongly believe there are no warnings needed for the audience.

Thomas Sermpinis (a.k.a. Cr0wTom) is an Automotive Penetration Testing Lead and independent security researcher whose main topics of interest are the automotive, industrial control and embedded device sectors, and cryptography. During his research, he has published several academic papers, 0days and tools with the ultimate goal of making the world a safer place.