About the Author vAcknowledgments viiForeword xvIntroduction xixPart I Tactics, Techniques, and Procedures 1Chapter 1 Pre-Engagement 3Penetration Testing Execution Standard 4Scope Definition 6Architecture 7Full Disclosure 7Release Cycles 7IP Addresses 7Source Code 8Wireless Networks 8Start and End Dates 8Hardware Unique Serial Numbers 8Rules of Engagement 9Timeline 10Testing Location 10Work Breakdown Structure 10Documentation Collection and Review 11Example Documents 11Project Management 13Conception and Initiation 15Definition and Planning 16Launch or Execution 22Performance/Monitoring 23Project Close 24Lab Setup 24Required Hardware and Software 25Laptop Setup 28Rogue BTS Option 1: OsmocomBB 28Rogue BTS Option 2: BladeRF + YateBTS 32Setting Up Your WiFi Pineapple Tetra 35Summary 36Chapter 2 Intelligence Gathering 39Asset Register 40Reconnaissance 41Passive Reconnaissance 42Active Reconnaissance 56Summary 59Chapter 3 Threat Modeling 61STRIDE Model 63Threat Modeling Using STRIDE 65VAST 74PASTA 76Stage 1: Define the Business and Security Objectives 77Stage 2: Define the Technical Scope 78Stage 3: Decompose the Application 79Stage 4: Identify Threat Agents 80Stage 5: Identify the Vulnerabilities 82Stage 6: Enumerate the Exploits 82Stage 7: Perform Risk and Impact Analysis 83Summary 85Chapter 4 Vulnerability Analysis 87Passive and Active Analysis 88WiFi 91Bluetooth 100Summary 105Chapter 5 Exploitation 107Creating Your Rogue BTS 108Configuring NetworkinaPC 109Bringing Your Rogue BTS Online 112Hunting for the TCU 113When You Know the MSISDN of the TCU 113When You Know the IMSI of the TCU 114When You Don't Know the IMSI or MSISDN of the TCU 114Cryptanalysis 117Encryption Keys 118Impersonation Attacks 123Summary 132Chapter 6 Post Exploitation 133Persistent Access 133Creating a Reverse Shell 134Linux Systems 136Placing the Backdoor on the System 137Network Sniffing 137Infrastructure Analysis 138Examining the Network Interfaces 139Examining the ARP Cache 139Examining DNS 141Examining the Routing Table 142Identifying Services 143Fuzzing 143Filesystem Analysis 148Command-Line History 148Core Dump Files 148Debug Log Files 149Credentials and Certificates 149Over-the-Air Updates 149Summary 150Part II Risk Management 153Chapter 7 Risk Management 155Frameworks 156Establishing the Risk Management Program 158SAE J3061 159ISO/SAE AWI 21434 163HEAVENS 164Threat Modeling 166STRIDE 168PASTA 171TRIKE 175Summary 176Chapter 8 Risk-Assessment Frameworks 179HEAVENS 180Determining the Threat Level 180Determining the Impact Level 183Determining the Security Level 186EVITA 187Calculating Attack Potential 189Summary 192Chapter 9 PKI in Automotive 193VANET 194On-board Units 196Roadside Unit 196PKI in a VANET 196Applications in a VANET 196VANET Attack Vectors 197802.11p Rising 197Frequencies and Channels 197Cryptography 198Public Key Infrastructure 199V2X PKI 200IEEE US Standard 201Certificate Security 201Hardware Security Modules 201Trusted Platform Modules 202Certificate Pinning 202PKI Implementation Failures 203Summary 203Chapter 10 Reporting 205Penetration Test Report 206Summary Page 206Executive Summary 207Scope 208Methodology 209Limitations 211Narrative 211Tools Used 213Risk Rating 214Findings 215Remediation 217Report Outline 217Risk Assessment Report 218Introduction 219References 220Functional Description 220Head Unit 220System Interface 221Threat Model 222Threat Analysis 223Impact Assessment 224Risk Assessment 224Security Control Assessment 226Example Risk Assessment Table 229Summary 230Index 233

Alissa Knight has worked in cybersecurity for more than 20 years. For the past ten years, she has focused her vulnerability research into hacking connected cars, embedded systems, and IoT devices for clients in the United States, Middle East, Europe, and Asia. She continues to work with some of the world's largest automobile manufacturers and OEMs on building more secure connected cars.Alissa is the Group CEO of Brier & Thorn and is also the managing partner at Knight Ink, where she blends hacking with content creation of written and visual content for challenger brands and market leaders in cybersecurity. As a serial entrepreneur, Alissa was the CEO of Applied Watch and Netstream, companies she sold in M&A transactions to publicly traded companies in international markets.Her passion professionally is meeting and learning from extraordinary leaders around the world and sharing her views on the disruptive forces reshaping global markets. Alissa's long-term goal is to help as many organizations as possible develop and execute on their strategic plans and focus on their areas of increased risk, bridging silos to effectively manage risk across organizational boundaries, and enable them to pursue intelligent risk taking as a means to long-term value creation. You can learn more about Alissa on her homepage at http://www.alissaknight.com, connect with her on LinkedIn, or follow her on Twitter @alissaknight.