Penetration testing to improve the security position of a scale-up software company

This is a Bachelor's thesis from KTH/School of Electrical Engineering and Computer Science (EECS)

Abstract: Micro-mobility companies have in recent years introduced electric vehicles such as bikes, scooters and mopeds as a sustainable alternative to traditional combustion engine cars in inner cities. Having electric vehicles available in the cities comes with corporate responsibilities, such as making sure the electric vehicles follow national laws regarding speed and parking. Furthermore, a prerequisite for offering the service is that the electric vehicles should be connected at all times, and that the company has means to make certain that the service is used only by authorized users. This functionality is provided by having an IoT device mounted on the electric vehicle. One problem that arises is that it introduces new attack vectors that put both the company and its users at risk. White hat hackers working together with corporations is the right way to find vulnerabilities. This thesis evaluates the Company’s offered service through the method of threat modeling, by answering the question "Is the Company’s system secure against cyber attacks?". This has been made possible through an active collaboration with the Company, which has prioritized resolving vulnerabilities that have arisen during the project. The results show that there are security flaws present in the current system, hence making room for security improvements. Critical vulnerabilities discovered include adversaries being able to use the offered service for free, hijacking the vehicle, and the Company relying on ’front-end’ security in one payment context.
