Uncover critical cyber vulnerabilities and validate the final release before SOP
Karamba Security's Penetration Testing services enable OEMs and Tier 1 suppliers to uncover critical cyber vulnerabilities and validate the final release before SOP. We pentest images and interfaces of the vehicle, subsystems, and component software levels, identifying and prioritizing weaknesses according to the ISO/SAE 21434 standard.
With a track record of dozens of pentesting projects, our team of experts identifies vulnerabilities and explains cyber-attack scenarios. After weaknesses are identified, our team prioritizes their fixes according to possible exploit impact and likelihood and then updates the TARA as needed.
To develop the required ISO/SAE 21434 Work Products (WP-10-05, WP-10-06, WP-10-07, WP-11-01), Karamba performs Verification and Validation tests:
- Verify that cybersecurity mitigations are in place as planned, and are actually effective against hacking!
- Confirm a minimized level of weaknesses and vulnerabilities in the release candidate, including design-level weaknesses (whether identified or not in the TARA).
Examples of the pentest scope that usually delivers the most value to the OEM and Tier 1 in addressing the standard's expectations and reducing risk levels:
- Test in-vehicle connectivity (CAN, LIN, Ethernet)
- Firmware upgrade process
- HSM + Key management
- Secure Boot
- OS/BSW, VM, and external libraries
Karamba Security's Pentesting is just one of our End-to-End Product Security Portfolio elements that enable our customers to discover, mitigate and manage security vulnerabilities in their ECUs and vehicle types. Enabling customers to expedite their compliance with cybersecurity standards without slowing down innovation, Karamba leverages automated tools and a cost-effective pragmatic approach.
To date, we've successfully completed two penetration testing projects with Karamba. In both cases, the researched systems contained several components (RTOS, Linux, Windows) and various communication protocols (Wi-Fi, Bluetooth, LAN). Overall, we were highly satisfied with Karamba's pen-testing process and delivered results. Karamba's process was delivered on time, and thorough, yielding significant security findings. Consequently, they allowed us to harden the cybersecurity of those products, improving the overall safety, quality, and value of our products to our customers.
Iftach Recht, System Engineering and Cybersecurity Manager (Stanley Healthcare Services, Stanley Black & Decker)
Karamba’s Secured Development training program provided a strong cybersecurity foundation for Aptiv’s engineering community worldwide. It provided technical best practices, threat and risk modeling, all within the current automotive regulatory framework of WP.29 and the ISO/SAE 21434 standard. Great work!
Kristie Pfosi, Director Cybersecurity, Aptiv
Our Tier 1 customer was developing a new automotive ECU in response to an OEM RFQ. The product needed to support Ethernet communication, and the timeline was very tight. With no set-up time, Karamba Research & Consulting was able to analyze the product capabilities and identify the possible security issues. Most importantly, the Karamba Research team determined how to mitigate the security risks in the ECU. They provided the customer with a comprehensive report, detailing threat scenarios and their security recommendations. The Karamba team also worked with the customer throughout the RFQ process to support interactions with the OEM.
Threat Assessment Use Case