Automotive security vulnerabilities
June 20, 2019

Automotive Security Vulnerabilities to Watch for in 2019

Security & Compliance
Static Analysis

If you’re trying to build connected automotive software that’s both bulletproof and secure, you’ve got a big task ahead of you. As knowing where to focus your time and energy can be half the challenge. Virtually all detected securityholes can be traced back to automotive software vulnerabilities.  

Here are two key automotive securityvulnerabilities and what changes you can make to your coding style or processes to avoid them. 

The Impact of Memory Buffer Problems  

Our number one automotive cybersecurityvulnerability might not be that big of a surprise if you are a C/C++ programmer. Memory buffer problems are very common and occur when software can read or write to locations outside of the boundaries of the memory buffer. 

This includes: 

  • Not checking size of input on copy.
  • Bug allowing writing to arbitrary locations.
  • Out-of-bounds read.
  • Pointers outside expected range.
  • Untrusted pointer dereference.
  • Uninitialized pointers.
  • Expired pointer references.
  • Access of memory beyond buffer end.

While memory buffer problems may already be (a little too) well-known among programmers, it might be surprising to learn that this type of exploit is responsible for a large volume of vulnerabilities. 

Secure coding practices require diligent analysis. Automated static analysis toolsare very effective at finding memory buffer problems such as the one above. 

How Code Injection is Dangerous and Harmful

Code injections are something that affect interpreted environments such as PHP, so this is a large vulnerability among the website development community. Despite this vulnerability being largely seen in website development, it is still very much present when it comes to infotainment systems and other complicated in-vehicle systems. 

Even though something may be proprietary, it doesn’t mean that it isn’t open to vulnerabilities. This is important to know when doing integration of these technologies into your code. Something as innocent-seeming as being able to display fonts could be the reason why your code has become vulnerable. 

How to Fix Security Vulnerabilities in Proprietary Code

  • Design review, manual analysis, and automated static analysis are the best tools for remediation.  
  • From a design standpoint, make sure that you’re aware of all your black box components and that all of them are up-to-date.  
  • Don’t assume that everything is within your own system. Pay special attention to items that may be pulling from a website. 

Static code analysis can help in this realm by identifying the use of unsafe data as it flows through the system. This is where you’ll likely catch an injection-based attacks. Follow up by manually cleaning any externally acquired information. 

It’s important to keep in mind all of the code that is coming into your ecosystem, and to assume that there are vulnerabilities in multiple stages of your software development lifecycle. 

Stay Current with Automotive Security Vulnerabilities  

Staying aware and secure of automotive securitystandards and vulnerabilities will put your code in a much safer place. Since new issues and vulnerabilities are being found everyday, it’s important to always keep your software updated with the latest versions and patches available. 

To learn more about how Klocwork helps detect automotive securityissues and thousands of other vulnerabilities in your code, sign up for a free trial.

Defend Against Injection Attacks