CN112887945B - Penetration testing method for Internet of vehicles network - Google Patents
Penetration testing method for Internet of vehicles network Download PDFInfo
- Publication number
- CN112887945B CN112887945B CN202110031794.8A CN202110031794A CN112887945B CN 112887945 B CN112887945 B CN 112887945B CN 202110031794 A CN202110031794 A CN 202110031794A CN 112887945 B CN112887945 B CN 112887945B
- Authority
- CN
- China
- Prior art keywords
- test
- vehicle
- app
- code
- internet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/009—Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a penetration test method of an Internet of vehicles network, which comprises a safe SDK, an APP terminal and a vehicle terminal, and the penetration test method of the Internet of vehicles network comprises the following steps: step one, identity authentication: after the user logs in through the first binding use, the mobile terminal equipment is operated to match with the unique vehicle identification code of the vehicle terminal to pair, the security SDK completes the generation of the unique identification code, and the vehicle operation completes the confirmation of the relationship between a person and a vehicle; and the mobile terminal equipment exchanges the unique user identification code with the vehicle-terminal safety environment. The penetration test method of the car networking network has the advantages of being comprehensive in test and capable of carrying out detailed detection on possible faults in the car networking network in the actual use process.
Description
Technical Field
The invention relates to the technical field of Internet of vehicles, in particular to a penetration testing method of the Internet of vehicles.
Background
The connotation of the Internet of vehicles mainly refers to: the vehicle-mounted equipment on the vehicle effectively utilizes all vehicle dynamic information in the information network platform through a wireless communication technology, provides different functional services in the running process of the vehicle, and can find that the internet of vehicles shows the following characteristics: the Internet of vehicles can provide guarantee for the distance between the vehicles, and the probability of collision accidents of the vehicles is reduced; the Internet of vehicles can help the vehicle owner to navigate in real time, and the efficiency of traffic operation is improved through communication with other vehicles and a network system.
Whether the car networking network is safe and reliable to be related to the driving safety and comfort level of a car owner, in case the car networking network breaks down, very easily cause the navigation of the car owner to break down unable normal operating, and can't cooperate the operation between each sensor and the communication centre, lead to the unable timely transmission of vehicle and road conditions information, for example the interval between car and the car just can't be transmitted, the probability that the vehicle collided just can great promotion, the driving safety of the car owner receives huge influence, the efficiency of traffic operation has been reduced, in order to solve the above-mentioned problem, a penetration test method of car networking network, need to be developed urgently.
Disclosure of Invention
The invention aims to provide a penetration test method of an Internet of vehicles network, which has the advantage of comprehensive test, and solves the problems that whether the Internet of vehicles network is safe and reliable relates to the driving safety and the comfort level of a vehicle owner, once the Internet of vehicles network breaks down, the navigation of the vehicle owner fails to operate normally, and each sensor and a communication center cannot operate cooperatively, so that the vehicle and road condition information cannot be transmitted in time, for example, the distance between the vehicles cannot be transmitted, the probability of vehicle collision is greatly improved, the driving safety of the vehicle owner is greatly influenced, and the efficiency of traffic operation is reduced.
In order to achieve the purpose, the invention provides the following technical scheme: the penetration testing method of the Internet of vehicles comprises the following steps:
step one, identity authentication: after the user logs in through the first binding use, operating the mobile terminal equipment to match with the unique vehicle-side identification code for vehicle pairing, generating the unique user identification code by the safety SDK, and confirming the man-vehicle relationship after the vehicle operation is completed; the mobile terminal equipment exchanges the unique user identification code with the vehicle-terminal safety environment;
step two, vehicle end communication safety test: the vehicle end and the mobile end are detected when being connected by Bluetooth, and the detection mode comprises the following steps:
1. the BLE Bluetooth service is traversed, and all SSID information is traversed;
2. the BLE Bluetooth compulsory connection attack is carried out, illegal compulsory connection is violently tried to be established with a vehicle end, and the illegal connection rejection capability is tested;
3. detecting BLECVE, and detecting the BLE known CVE loophole;
4. performing BLE message fuzz test, and trying to construct a legal message fuzz test;
5. the BLE replay detection is performed, a BLE vehicle control data packet is captured, and the message safety is checked through the replay test;
step three, APP code analysis and test: the method for analyzing the code of the APP of the user mobile terminal comprises the following steps:
1. code obfuscating, obfuscating the JAVA code and the NATIVE code using an obfuscation tool;
2. the APP code protection breakthrough attempts to perform shelling processing on the reinforced and protected APP to obtain a source code;
3. analyzing an APP Bluetooth encryption algorithm, and analyzing an APP end data communication encryption algorithm;
4. finding out APP code logic defects, finding out logic defects related to Bluetooth authentication and a test communication process;
5. the APP Bluetooth connection algorithm is reproduced, a Bluetooth encryption flow is analyzed, the connection algorithm is tried to be rewritten, and vehicle control is achieved or partially achieved;
and step four, SO logic test, analysis of the SO file authentication process of the BLE service vehicle end, reversing the SO code and searching the authentication process.
Preferably, the penetration testing method of the internet of vehicles network further comprises a testing method of a vehicle end system:
1. and (3) testing the ROOT of the system: using a USB test interface ROOT to attack ROOT or using an APP ROOT mode to carry out ROOT;
2. and (3) system firmware security testing: the test method for the system firmware security test comprises the following steps:
1. firmware is tested by flashing;
2. reverse analysis of firmware;
3. firmware rollback flash test;
3. and (3) upgrading package cracking test: trying to crack a local USB upgrade package;
4. and (3) testing system vulnerabilities: an unsafe service test is tried, redundant service tests are tried, and a security vulnerability test with a known system version is tried;
5. and (3) system upgrading safety test: verifying the validity and integrity of the system upgrade package, and performing fault tolerance test;
6. and (3) testing the safety of the application software: whether the application software adopts confusion or not is detected, the encryption means is prevented from being decompiled, and whether redundant authority exists in the application software or not is detected.
Preferably, in the second vehicle-end communication safety test, all end-to-end communications adopt an HTTPS communication mode.
Preferably, in the second vehicle-end communication security test, a Certificate screening or bidirectional authentication mechanism is adopted to place MRRY attacks.
Preferably, the vehicle end includes two encryption modes of white box encryption and hardware encryption when storing information.
Compared with the prior art, the invention has the following beneficial effects:
the invention detects possible faults of the Internet of vehicles by carrying out detailed and comprehensive tests on the safety SDK, the APP terminal and the vehicle terminal, and modifies the test result to ensure the stability and the reliability of the Internet of vehicles network.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a technical scheme that: the utility model provides a penetration test method of car networking, includes safe SDK, APP end and car end, its characterized in that: the penetration testing method of the Internet of vehicles network comprises the following steps:
step one, identity authentication: after the user logs in through the first binding use, operating the mobile terminal equipment to match with the unique vehicle-side identification code for vehicle pairing, generating the unique user identification code by the safety SDK, and confirming the man-vehicle relationship after the vehicle operation is completed; the mobile terminal equipment exchanges the unique user identification code with the vehicle-terminal safety environment;
step two, vehicle end communication safety test: detect it when car end and removal end carry out the bluetooth and connect, the detection mode includes following step:
1. the BLE Bluetooth service is traversed, and all SSID information is traversed;
2. the BLE Bluetooth compulsory connection attack is carried out, illegal compulsory connection is violently tried to be established with a vehicle end, and the illegal connection rejection capability is tested;
3. detecting BLEC (Block error rate and virtual error rate), namely detecting the leakage of the BLE known CVE;
4. performing BLE message fuzz test, and trying to construct a legal message fuzz test;
5. the BLE replay detection is performed, a BLE vehicle control data packet is captured, and the message safety is checked through the replay test;
step three, APP code analysis and test: the method for analyzing the code of the APP of the user mobile terminal comprises the following steps:
1. code obfuscation, obfuscating the JAVA code and the NATIVE code using an obfuscation tool;
2. the APP code protection breakthrough attempts to perform shelling processing on the reinforced and protected APP to obtain a source code;
3. analyzing an APP Bluetooth encryption algorithm, and analyzing an APP end data communication encryption algorithm;
4. finding out the logic defects of the APP code, finding out the logic defects related to Bluetooth authentication and testing the communication process;
5. the APP Bluetooth connection algorithm is reproduced, a Bluetooth encryption flow is analyzed, the connection algorithm is tried to be rewritten, and vehicle control is achieved or partially achieved;
and step four, SO logic test, analysis of the SO file authentication process of the BLE service vehicle end, reversing the SO code and searching the authentication process.
In the invention: the penetration test method of the Internet of vehicles network also comprises a test method of the vehicle end system:
1. and (3) testing the ROOT of the system: using a USB test interface ROOT to attack ROOT or using an APP ROOT mode to carry out ROOT;
2. and (3) system firmware security testing: the test method for the system firmware security test comprises the following steps:
1. firmware is tested by flashing;
2. reverse analysis of firmware;
3. firmware rollback flash test;
3. and (3) upgrading package cracking test: trying to crack a local USB upgrade package;
4. and (3) testing system vulnerabilities: the method comprises the following steps of trying unsafe service tests, trying redundant service tests, and trying security vulnerability tests with known system versions;
5. and (3) system upgrading safety test: verifying the validity and integrity of the system upgrade package, and performing fault tolerance test;
6. and (3) testing the safety of the application software: whether the application software adopts confusion or not is detected, the encryption means is prevented from being decompiled, and whether redundant authority exists in the application software or not is detected.
In the invention: and in the second vehicle end communication safety test, all end-to-end communication adopts an HTTPS communication mode, and all communication contents with the background and the vehicle end are ensured to be encrypted and transmitted.
In the invention: in the second vehicle-end communication safety test, a Certificate screening or bidirectional authentication mechanism is adopted to place MRRY attacks, so that the encryption is ensured, and meanwhile, man-in-the-middle attacks can be prevented.
In the invention: the vehicle end comprises two encryption modes of white box encryption and hardware encryption when storing information, wherein the hardware encryption is an encryption mode of software plus hardware level.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (5)
1. The utility model provides a penetration test method of car networking, includes safe SDK, APP end and car end, its characterized in that: the penetration testing method of the Internet of vehicles network comprises the following steps:
step one, identity authentication: after the user logs in through the first binding use, operating the mobile terminal equipment to match with the unique vehicle-side identification code for vehicle pairing, generating the unique user identification code by the safety SDK, and confirming the man-vehicle relationship after the vehicle operation is completed; the mobile terminal equipment exchanges the unique user identification code with the vehicle-terminal safety environment;
step two, vehicle end communication safety test: detect it when car end and removal end carry out the bluetooth and connect, the detection mode includes following step:
1. the BLE Bluetooth service is traversed, and all SSID information is traversed;
2. the BLE Bluetooth compulsory connection attack is carried out, illegal compulsory connection is violently tried to be established with a vehicle end, and the illegal connection rejection capability is tested;
3. detecting BLECVE, and detecting the BLE known CVE loophole;
4. performing BLE message fuzz test, and trying to construct a legal message fuzz test;
5. the BLE replay detection is performed, a BLE vehicle control data packet is captured, and the message safety is checked through the replay test;
step three, APP code analysis and test: the method for analyzing the code of the APP of the user mobile terminal comprises the following steps:
1. code obfuscating, obfuscating the JAVA code and the NATIVE code using an obfuscation tool;
2. the APP code protection breakthrough attempts to perform shelling processing on the reinforced and protected APP to obtain a source code;
3. analyzing an APP Bluetooth encryption algorithm, and analyzing an APP end data communication encryption algorithm;
4. finding out APP code logic defects, finding out logic defects related to Bluetooth authentication and a test communication process;
5. the APP Bluetooth connection algorithm is reproduced, a Bluetooth encryption flow is analyzed, the connection algorithm is tried to be rewritten, and vehicle control is achieved or partially achieved;
and step four, SO logic test, analysis of the SO file authentication process of the BLE service vehicle end, reversing the SO code and searching the authentication process.
2. The penetration testing method of the internet of vehicles network according to claim 1, characterized in that: the method also comprises a test method of the vehicle end system:
1. and (3) testing the ROOT of the system: using a USB test interface ROOT to attack ROOT or using an APP ROOT mode to carry out ROOT;
2. and (3) system firmware security testing: the test method for the system firmware security test comprises the following steps:
1. firmware is tested by flashing;
2. reverse analysis of firmware;
3. firmware rollback flash test;
3. and (3) upgrading package cracking test: trying to crack a local USB upgrade package;
4. and (3) testing system vulnerabilities: the method comprises the following steps of trying unsafe service tests, trying redundant service tests, and trying security vulnerability tests with known system versions;
5. and (3) system upgrading safety test: verifying the validity and integrity of the system upgrade package, and performing fault tolerance test;
6. and (3) testing the safety of the application software: whether the application software adopts confusion or not is detected, the encryption means prevents the application software from being decompiled, and whether the application software has redundant authority or not is detected.
3. The penetration testing method of the internet of vehicles network according to claim 1, characterized in that: in the second vehicle-end communication safety test, all end-to-end communication adopts an HTTPS communication mode.
4. The penetration testing method of the internet of vehicles network according to claim 1, characterized in that: in the second vehicle end communication safety test, a Certificate screening or bidirectional authentication mechanism is adopted to place MRRY attacks.
5. The penetration testing method of the internet of vehicles network according to claim 1, characterized in that: the vehicle end comprises two encryption modes of white box encryption and hardware encryption when information storage is carried out.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110031794.8A CN112887945B (en) | 2021-01-11 | 2021-01-11 | Penetration testing method for Internet of vehicles network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110031794.8A CN112887945B (en) | 2021-01-11 | 2021-01-11 | Penetration testing method for Internet of vehicles network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112887945A CN112887945A (en) | 2021-06-01 |
| CN112887945B true CN112887945B (en) | 2022-12-09 |
Family
ID=76044065
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110031794.8A Active CN112887945B (en) | 2021-01-11 | 2021-01-11 | Penetration testing method for Internet of vehicles network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112887945B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116502238B (en) * | 2023-06-26 | 2023-10-10 | 中汽智联技术有限公司 | Protection method based on car networking product security vulnerability professional library CAVD |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104410569A (en) * | 2014-11-26 | 2015-03-11 | 公安部第三研究所 | Perception communication interconnecting gateway and method for processing data |
| CN104484607A (en) * | 2014-12-16 | 2015-04-01 | 上海交通大学 | Universal method and universal system for performing safety testing on Android application programs |
| KR101781135B1 (en) * | 2017-03-28 | 2017-09-22 | 자동차부품연구원 | Apparatus for estimating and monitoring communication security of vehicle-network |
| CN107392033A (en) * | 2017-08-30 | 2017-11-24 | 杭州安恒信息技术有限公司 | A kind of Android device Permeation Test System and its automation penetration testing method |
| CN108430069A (en) * | 2018-02-11 | 2018-08-21 | 重庆邮电大学 | A kind of V2X applied in network performance test and comprehensive evaluation analysis method |
| CN109145579A (en) * | 2018-08-18 | 2019-01-04 | 北京航空航天大学 | Intelligent network joins automobile information secure authentication testing method and system |
| CN110162977A (en) * | 2019-04-24 | 2019-08-23 | 北京邮电大学 | A kind of Android vehicle-mounted terminal system leakage location and method |
| CN111901349A (en) * | 2020-07-29 | 2020-11-06 | 北京天融信网络安全技术有限公司 | Penetration testing method, device and system based on in-vehicle CAN bus |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102541729A (en) * | 2010-12-31 | 2012-07-04 | 航空工业信息中心 | Detection device and method for security vulnerability of software |
| US20140089202A1 (en) * | 2012-09-27 | 2014-03-27 | Michael K. Bond | CRM Security Core |
| US10037689B2 (en) * | 2015-03-24 | 2018-07-31 | Donald Warren Taylor | Apparatus and system to manage monitored vehicular flow rate |
| CN106708012A (en) * | 2016-12-05 | 2017-05-24 | 深圳市元征科技股份有限公司 | Secondary development method and device for diagnostic device |
| US10616259B2 (en) * | 2017-01-17 | 2020-04-07 | Nio Usa, Inc. | Real-time network vulnerability analysis and patching |
| CN107241716A (en) * | 2017-06-01 | 2017-10-10 | 国家计算机网络与信息安全管理中心 | The network service detection means and detection method of car networking |
-
2021
- 2021-01-11 CN CN202110031794.8A patent/CN112887945B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104410569A (en) * | 2014-11-26 | 2015-03-11 | 公安部第三研究所 | Perception communication interconnecting gateway and method for processing data |
| CN104484607A (en) * | 2014-12-16 | 2015-04-01 | 上海交通大学 | Universal method and universal system for performing safety testing on Android application programs |
| KR101781135B1 (en) * | 2017-03-28 | 2017-09-22 | 자동차부품연구원 | Apparatus for estimating and monitoring communication security of vehicle-network |
| CN107392033A (en) * | 2017-08-30 | 2017-11-24 | 杭州安恒信息技术有限公司 | A kind of Android device Permeation Test System and its automation penetration testing method |
| CN108430069A (en) * | 2018-02-11 | 2018-08-21 | 重庆邮电大学 | A kind of V2X applied in network performance test and comprehensive evaluation analysis method |
| CN109145579A (en) * | 2018-08-18 | 2019-01-04 | 北京航空航天大学 | Intelligent network joins automobile information secure authentication testing method and system |
| CN110162977A (en) * | 2019-04-24 | 2019-08-23 | 北京邮电大学 | A kind of Android vehicle-mounted terminal system leakage location and method |
| CN111901349A (en) * | 2020-07-29 | 2020-11-06 | 北京天融信网络安全技术有限公司 | Penetration testing method, device and system based on in-vehicle CAN bus |
Non-Patent Citations (4)
| Title |
|---|
| Research on Detection and Evaluation Technology of Cybersecurity in Intelligent and Connected Vehicle;Xuebin Shao;《2019 International Conference on Artificial Intelligence and Advanced Manufacturing (AIAM)》;20200109;全文 * |
| 基于渗透测试的车联网通信安全与防范措施;李霞等;《现代制造技术与装备》;20190630;全文 * |
| 复杂网络环境下智能网联汽车安全威胁分析与远程入侵研究;李岩松;《工程科技Ⅱ辑》;20200215;全文 * |
| 车联网信息安全测试技术分析及应用;周媛媛;《北京汽车》;20200425(第02期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112887945A (en) | 2021-06-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112822630B (en) | Data processing method of device and computer-readable storage medium | |
| CN108923933A (en) | The working method of server, the upgrade method of car-mounted terminal and system | |
| CN113325825B (en) | Intelligent networking automobile data and information safety evaluation system | |
| CN111901782B (en) | Method, computing device, and medium for managing vehicles | |
| CN114143034A (en) | Network access security detection method and device | |
| CN102264050B (en) | Network access method, system and authentication server | |
| CN112887945B (en) | Penetration testing method for Internet of vehicles network | |
| CN106445804A (en) | Source code cloud detection system and method based on serialization intermediate representation | |
| CN112396735A (en) | Internet automobile digital key safety authentication method and device | |
| CN106897606A (en) | A kind of brush machine means of defence and device | |
| CN111314921A (en) | Test system, method, device and storage medium based on wireless communication | |
| Shao et al. | Research on detection and evaluation technology of cybersecurity in intelligent and connected vehicle | |
| CN113094687A (en) | Digital certificate filling method, filling equipment and vehicle-mounted terminal | |
| CN115829572A (en) | Cross-chain data interaction method, device, equipment, medium and product | |
| CN111835765B (en) | Verification method and device | |
| CN114338073A (en) | Protection method, system, storage medium and equipment for vehicle-mounted network | |
| CN111722943B (en) | Big data processing method based on edge computing and central cloud server | |
| Ma et al. | Research on cyber security risk of telematics box in intelligent connected vehicle | |
| CN115146284A (en) | Data processing method and device, electronic equipment and storage medium | |
| Zachos et al. | Test method for the sae j3138 automotive cyber security standard | |
| CN110830465A (en) | Security protection method for accessing UKey, server and client | |
| CN110941820A (en) | Vehicle safety detection method and device, automobile and readable storage medium | |
| CN116489086B (en) | Node credibility verification method and system based on Handle system | |
| CN115314229B (en) | Data access method, device, equipment and storage medium | |
| CN115118509B (en) | Method for detecting authority of debugging files of secondary equipment of transformer substation and safety control device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |