Mapping the Connected Car’s Attack Surface: An OSINT Framework for Automotive Threat Intelligence

August 28, 2025
CyberThreat Research Lab

By Reuel Magistrado, Automotive Threat Researcher 
 
Modern vehicles have evolved from mere modes of transportation into sophisticated, internet-connected platforms. With this connectivity comes an expanded set of attack vectors, including external channels such as Wi-Fi, Bluetooth, cellular connections, and sensors, all of which link to the vehicle’s internal network. From there, data and commands pass through the Controller Area Network (CAN) bus, electronic control units (ECUs), and the telematics module to core systems such as the navigation console, creating a broad attack surface that spans from the on-board network to the cloud. 

Figure 1. Simplified connected vehicle architecture

Yet, security researchers still face challenges in mapping these complex ecosystems using generic Open Source Intelligence (OSINT) techniques. Attackers, on the other hand, have demonstrated the ability to leverage OSINT to identify and exploit automotive APIs, telematics endpoints, and fleet management systems. 

Mapping OSINT Activities to the ATM 

To address these gaps, we propose a systematic OSINT methodology tailored for automotive threat intelligence, designed to discover exposed over-the-air (OTA) update servers, telematics application programming interfaces (APIs), and fleet management backends using only publicly available data. 

Our methodology is guided by the Auto-ISAC Automotive Threat Matrix (ATM), a standardized taxonomy of automotive-specific adversary tactics and techniques. Modeled after the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), the ATM defines tactics such as Initial Access, Discovery, and Affect Vehicle Function, along with techniques tailored for automotive environments. For example, scanning an automotive manufacturer’s internet-facing assets aligns with Discovery, while exploiting an exposed API falls under Initial Access. 

Building on this, we adopt an attack-path strategy. Instead of treating each component in isolation, we envision a complete compromise chain throughout the vehicle architecture and verify each segment via OSINT. In this view, multiple vulnerabilities across different systems could be chained. For instance, a vulnerability in an in-vehicle infotainment (IVI) system in one model and a telematics API flaw in another could form parts of a hypothetical exploit. 

This Attack Path Approach provides a systematic, phased framework for automotive OSINT reconnaissance, beginning with high-level organizational views and progressing to specific attack vectors. 

Phase 1: Organizational Infrastructure Mapping 

The first phase focuses on mapping a target organization’s external infrastructure, establishing the foundation for deeper OSINT activities in later phases. Corporate-level reconnaissance begins with Autonomous System Number (ASN) discovery using WHOIS databases, IP range identification through Réseaux IP Européens Network Coordination Centre (RIPE NCC) and the American Registry for Internet Numbers (ARIN), and cloud asset enumeration across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).  

Shodan, a search engine for internet-connected devices and services, can reveal exposed automotive infrastructure through targeted searches such as: 

  • "telematics" port:443 
  • "OTA update" port:80,443 
  • "fleet management" port:8080 
  • org:"manufacturer name" automotive 

Certificate Transparency (CT) monitoring further identifies internal automotive domains, OTA update endpoints, and API gateways through patterns such as *.ota.manufacturer.com and *.telematics.brand.com. These passive techniques can provide extensive infrastructure visibility, often without direct interaction with the target. 
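The CT step above is mechanical enough to script. The following Python is an added illustration, not code from the original article or from VicOne: it parses the JSON that crt.sh returns for a domain query, splits each certificate's subject alternative names (crt.sh packs them newline-separated into the name_value field), strips wildcards, discards hosts outside the target's domain, and tags the survivors with the kinds of automotive asset patterns discussed above. The sample response and the carmaker.example domain are constructed for the example, and the asset patterns are this example's own heuristics rather than an official taxonomy.

```python
import json
import re

# Constructed stand-in for the JSON crt.sh returns for a query such as
# https://crt.sh/?q=%25.carmaker.example&output=json (hypothetical OEM domain).
# Only the fields this example reads are included.
SAMPLE_CRT_SH_JSON = json.dumps([
    {"common_name": "ota.carmaker.example",
     "name_value": "ota.carmaker.example\n*.ota.carmaker.example\nota-staging.carmaker.example"},
    {"common_name": "fleet-api.carmaker.example",
     "name_value": "fleet-api.carmaker.example\nvehicle-data.carmaker.example"},
    {"common_name": "www.carmaker.example",
     "name_value": "www.carmaker.example\nWWW.CARMAKER.EXAMPLE"},
    {"common_name": "admin.telematics.carmaker.example",
     "name_value": "admin.telematics.carmaker.example"},
    {"common_name": "cdn.unrelated.example",        # out of scope, must be dropped
     "name_value": "cdn.unrelated.example"},
])

# Syntactic hostname check: rejects junk SAN entries (IPs, e-mail addresses, blanks).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# Assumed label -> hostname-pattern heuristics for automotive backends.
# A host may match several labels.
ASSET_PATTERNS = [
    ("OTA update endpoint", re.compile(r"(^|[.-])(ota|firmware|update)[.-]")),
    ("telematics / TCU backend", re.compile(r"(^|[.-])(telematics|tcu|vehicle-data)[.-]")),
    ("fleet management backend", re.compile(r"(^|[.-])fleet")),
    ("admin portal", re.compile(r"(^|[.-])admin[.-]")),
    ("API gateway", re.compile(r"(^|[.-])api[.-]")),
]


def extract_hostnames(crt_sh_json, scope_suffix):
    """Return the unique, in-scope hostnames named by the CT entries."""
    names = set()
    for entry in json.loads(crt_sh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):          # wildcard: keep the base name
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue
            if name != scope_suffix and not name.endswith("." + scope_suffix):
                continue                       # certificate SAN outside the target
            names.add(name)
    return sorted(names)


def classify(hostname):
    """Tag a hostname with every asset label whose pattern it matches."""
    labels = [label for label, pattern in ASSET_PATTERNS if pattern.search(hostname)]
    return labels or ["uncategorised"]


def ct_asset_inventory(crt_sh_json, scope_suffix):
    """Hostname -> asset labels for everything CT exposes under scope_suffix."""
    return {host: classify(host) for host in extract_hostnames(crt_sh_json, scope_suffix)}


if __name__ == "__main__":
    for host, labels in ct_asset_inventory(SAMPLE_CRT_SH_JSON, "carmaker.example").items():
        print(f"{host:40} {', '.join(labels)}")
```

Against a live crt.sh response the only change is replacing the constructed JSON with the HTTP body; the wildcard and out-of-scope handling is where naive enumerators usually go wrong, either counting `*.ota.carmaker.example` as a host or pulling in every unrelated name that shares a certificate.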

Phase 2: Supply Chain Relationship Discovery 

This phase focuses on uncovering relationships within the target’s supply chain. LinkedIn intelligence gathering can identify supplier relationships and key personnel, providing insights for social engineering preparation and analysis of supply chain attack vectors. Patent database searches may reveal technical relationships between car manufacturers (OEMs) and suppliers, while public procurement databases can offer a comprehensive view of supplier networks.  

Analyzing GitHub repositories can also expose automotive software configurations, API keys, infrastructure details, and other sensitive information. Targeted searches for automotive-specific frameworks such as Automotive Open System Architecture (AUTOSAR) or implementations related to ISO 26262 can further highlight development practices and potential security gaps. 

Phase 3: Attack Surface Enumeration 

The final phase focuses on identifying and mapping the specific technical assets that make up the target’s exposed attack surface. API endpoint discovery looks for paths such as /api/v1/updates, /ota/check, and /firmware/download. Enumerating the HTTP methods each endpoint accepts (GET, POST, PUT) reveals which operations it exposes, while analyzing its authentication mechanism may expose potential bypass opportunities. 

Telematics Control Unit (TCU) discovery targets the gateway between vehicles and cloud services through cellular network scanning and certificate analysis. Common endpoints often follow predictable patterns such as fleet-api.company.com and vehicle-data.manufacturer.com. 

To illustrate this systematic approach, we examine a real-world example: the vulnerability in Subaru’s IVI system admin panel, which could have allowed remote access to vehicle data and controls. 

Figure 2. Attack chain summarizing how security researchers achieved full admin access to Subaru’s IVI system

ATM Technique (ATM ID): OSINT Activity

Gather Target Information (ATM-T0076)
  • Domain fuzzing and subdomain enumeration
  • LinkedIn email discovery

File and Directory Discovery (ATM-T0042)
  • Discovered JavaScript files in the /assets/_js/ directory
  • Found login.js containing vulnerable code

Unsecured Credentials (ATM-T0040)
  • Found an unprotected resetPassword.json endpoint
  • No confirmation token required for password reset
  • Enumerated valid employee emails via getSecurityQuestion.json

ECU Credential Dumping (ATM-T0039)
  • Exploited the password-reset endpoint using an admin email found through OSINT
  • Bypassed 2FA by removing the client-side JavaScript overlay: the line $('#securityQuestionModal').modal('show'); was commented out

Data from the Local System (ATM-T0059)
  • Retrieved complete customer PII, including emergency contacts, addresses, and billing information

Location Tracking (ATM-T0043)
  • Accessed complete location history (more than one year)
  • 5-meter accuracy with engine-start timestamps
  • 1,600+ coordinates from a single vehicle

Exploit ECU for Lateral Movement (ATM-T0052)
  • Added the attackers as authorized users on target vehicles
  • Gained administrative access across the vehicle fleet

Internet Communication (ATM-T0063)
  • Remotely unlocked vehicle doors

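Two of the rows above describe server-side failures rather than clever exploitation: a reset endpoint that needs no confirmation token, and a second factor that exists only as a browser overlay. The following Python is an added model of that flow (not Subaru’s code and not VicOne’s), placed beside a version that performs the same steps server-side: a single-use token bound to the account, the security answer checked by the server, and a reset refused unless both steps succeeded for that token. The user store, email address and security answer are constructed, and the class and method names are hypothetical.

```python
import hmac
import secrets


class VulnerableResetService:
    """Models the flow in the table: the reset endpoint takes an email and a new
    password with no confirmation token, and the security-question "2FA" is a
    client-side modal the server never checks, so removing the overlay in the
    browser changes nothing about what the server accepts."""

    def __init__(self, users):
        self.users = users  # email -> {"password": ..., "security_answer": ...}

    def get_security_question(self, email):
        # Distinguishable responses let a caller enumerate valid employee emails.
        if email not in self.users:
            return "no such user"
        return "What was the name of your first pet?"

    def reset_password(self, email, new_password):
        # Knowing a valid email is enough: no token, no second factor.
        if email not in self.users:
            return False
        self.users[email]["password"] = new_password
        return True


class HardenedResetService:
    """Same flow with every check moved server-side."""

    def __init__(self, users):
        self.users = users
        self._pending = {}      # token -> email awaiting the security-question step
        self._answered = set()  # tokens whose security question was answered correctly

    def request_reset(self, email):
        # Same response whether or not the email exists, so this endpoint cannot be
        # used for account enumeration. In production the token is delivered to the
        # account's mailbox; it is returned here only so the example is self-contained.
        token = secrets.token_urlsafe(32)
        if email in self.users:
            self._pending[token] = email
        return token

    def answer_security_question(self, token, answer):
        email = self._pending.get(token)
        if email is None:
            return False
        expected = self.users[email]["security_answer"]
        if not hmac.compare_digest(answer.strip().lower().encode(), expected.lower().encode()):
            return False
        self._answered.add(token)  # server records that the second step passed
        return True

    def reset_password(self, token, new_password):
        email = self._pending.get(token)
        if email is None or token not in self._answered:
            return False  # unknown token, or the second step was skipped
        self.users[email]["password"] = new_password
        self._pending.pop(token)  # single use
        self._answered.discard(token)
        return True


def constructed_users():
    """Constructed user store for the example (hypothetical email and answer)."""
    return {"admin@carmaker.example": {"password": "initial", "security_answer": "rex"}}


if __name__ == "__main__":
    weak = VulnerableResetService(constructed_users())
    print("vulnerable reset with only an email:", weak.reset_password("admin@carmaker.example", "x"))
    strong = HardenedResetService(constructed_users())
    token = strong.request_reset("admin@carmaker.example")
    print("hardened reset without answering question:", strong.reset_password(token, "x"))
    strong.answer_security_question(token, "rex")
    print("hardened reset after answering question:", strong.reset_password(token, "x"))
```

The point of the hardened variant is that the state machine lives on the server: whatever JavaScript the client removes, `reset_password` still refuses a token that has not passed `answer_security_question`.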

Figure 3. How the Subaru IVI attack path maps across the Automotive Threat Matrix. ATM background adapted from the Auto-ISAC Automotive Threat Matrix

This mapping exercise illustrates how the ATM framework can be used to identify and prioritize the most critical weak links within a connected vehicle ecosystem, concretizing attack methods so that industry stakeholders, including researchers and decision makers, can share a common language for communication and defense planning.  

VicOne’s xAurient automotive threat intelligence (TI) platform shows how such mappings can be operationalized into actionable intelligence, translating reconnaissance and OSINT findings into practical insights for detection, monitoring, and mitigation strategies. 

Figure 4. Visualization of the Subaru attack chain in xAurient, VicOne’s action-ready automotive threat intelligence platform

Applying the ATM to Automotive Threat Intelligence  

We also apply the ATM framework to automotive threat intelligence, examining both campaigns by advanced persistent threat (APT) groups and weaknesses in the automotive supply chain. The correlation between OSINT findings and threat behaviors helps pinpoint which ATM techniques are in active use and where defensive measures should be prioritized. 

APT Activities

Advanced persistent threat (APT) groups continue to target the automotive sector for intellectual property theft, supply chain infiltration, and disruption of connected vehicle services. Mapping these activities to the ATM reveals how different actors target the industry, the tools they use, and the specific techniques they employ. Here are a few examples: 

  • APT32, also known as OceanLotus, targeted various car OEM networks using sophisticated macOS backdoors and Cobalt Strike beacon deployment. Their operations align with ATM-T0059 (Data from Local System) for intellectual property theft and ATM-T0063 (Internet Communication) for systematic data extraction. 
  • The attack structure of APT41 included ANTSWORD and BLUEBEAM web shells, DUSTPAN droppers, and DUSTTRAP multi-stage plugin frameworks designed to minimize forensic traces. These correlate to ATM-T0031 (Bypass Code Integrity) and ATM-T0066 (Standard Cryptographic Protocol).  
  • FIN7, also known as Carbon Spider, targeted large US automotive manufacturers through spear-phishing campaigns aimed at IT employees with high administrative privileges. The emails contained URLs disguised as IP scanning tools. These operations demonstrate ATM-T0015 (Phishing) and ATM-T0040 (Unsecured Credentials) techniques, with credential harvesting activities aligning with ATM-T0039 (ECU Credential Dumping). 

Supply Chain Weaknesses 

Supply chain compromises often act as force multipliers in automotive cyberattacks. Mapping these incidents to the ATM helps identify which supplier-facing techniques are actively exploited, allowing both car OEMs and suppliers to strengthen indirect attack surfaces that adversaries frequently target. Here are a few examples: 

  • Infrastructure discovery via Shodan. Queries such as org:"supplier name" have been used to locate exposed supplier systems and services. 
    ATM mapping: ATM-T0044 (Network Service Scanning)  
  • Supplier relationship reconnaissance. LinkedIn intelligence gathering can reveal key supplier relationships and personnel, potentially enabling targeted spear-phishing or social engineering.  
    ATM mapping: ATM-T0076 (Gather Target Information - from Other) 
  • Exposed development assets on GitHub. Public repositories can contain sensitive automotive software configurations, including framework code, hardcoded credentials, and API keys. 
    ATM mapping: ATM-T0059 (Data from Local System)  
  • Certificate intelligence for infrastructure discovery. Analysis of digital certificates can reveal internal domains and services associated with suppliers.  
    ATM mapping: ATM-T0044 (Network Service Scanning)  
  • Coordinated supplier targeting. Attack pattern analysis shows sequential targeting of Toyota suppliers, suggesting potentially coordinated campaigns. OSINT was used to map supply chain dependencies and exploit just-in-time manufacturing system connectivity.  
    ATM mapping: ATM-T0017 (Supply Chain Compromise), and ATM-T0010 (Aftermarket, Customer, or Dealer Equipment) 

A Practical ATM Mapping: The 6-Step OSINT Methodology 

This 6-step process outlines how to systematically gather, analyze, and correlate OSINT data on automotive targets. Each step is designed to align with the ATM, ensuring that findings can be mapped to specific tactics and techniques for more actionable automotive threat intelligence. 

  1. Domain & Subdomain Enumeration. Use certificate-transparency tools (e.g., crt.sh) and DNS brute force to gather subdomains of the target (e.g., api.carmaker.com, starlink.carmaker.com). Incorporate historical domain fuzzing, such as in the Subaru case, for broader coverage. Validate live hosts through DNS lookups. 
  2. Shodan/Censys Scanning. Input discovered domains or the OEM’s name into Shodan and Censys. Apply filters by organization or SSL fields to locate exposed servers and IoT modules. Record any web services (HTTP/HTTPS), open ports, or banners referencing automotive platforms. 
  3. Web Crawling & Fuzzing. On each web host, run gau to collect archived URLs, then run ffuf to brute-force common paths (e.g., /api/, /admin/, /ota/). This may reveal hidden JSON endpoints, admin panels, or firmware-update interfaces. Examine error messages and directory listings for clues about the underlying technologies. 
  4. Documentation and Code Search. Use Google dorks such as site:carmaker.com filetype:pdf “update” or search GitHub and Stack Overflow for references to the OEM’s name. Look for leaked credentials or technical manuals that reveal API endpoints, port numbers, or certificate fingerprints. 
  5. Social OSINT. Search LinkedIn for employees (e.g., “Carmaker Software Engineer” or “Starlink administrator”). Infer the corporate email format from profiles (e.g., john.doe@maker.com) and verify it with tools like Hunter.io. Use confirmed email addresses to test login or password-reset flows on discovered admin sites that may be vulnerable. 
  6. Asset Mapping and Analysis. Correlate all findings into an architecture diagram, labeling discovered services (e.g., “IVI OTA server,” “fleet management API”). Align each to ATM tactics (e.g., Reconnaissance, Initial Access, Discovery). From this map, identify plausible multi-step attack paths (e.g., smartphone app to a cloud API to the in-vehicle network) that could be exploited. 
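Step 6 is the one that turns a pile of findings into something a defender can act on, so here it is as an added Python example (not part of the original article or of VicOne’s tooling). It takes constructed findings from steps 1 through 5, groups them per host, annotates each host with a role and with the ATM technique IDs this article cites for that step, and then enumerates plausible multi-step paths, generalising the article’s “smartphone app to cloud API to in-vehicle network” chain to role tiers and ranking chains by how much independent OSINT evidence corroborates their hops. The hosts, banners and paths are constructed; the role keywords, the tier layout, and which ATM tactic each cited technique ID falls under are this example’s assumptions.

```python
from collections import defaultdict
from itertools import product

# Constructed findings from steps 1-5 against a hypothetical OEM domain
# (carmaker.example). Each record is (methodology step, host, evidence).
FINDINGS = [
    (1, "api.carmaker.example", "crt.sh SAN entry"),
    (1, "admin.carmaker.example", "crt.sh SAN entry"),
    (1, "ota.carmaker.example", "crt.sh SAN entry"),
    (1, "vehicle-data.carmaker.example", "crt.sh SAN entry"),
    (2, "ota.carmaker.example", "Shodan: 443/tcp, banner references 'OTA update'"),
    (3, "admin.carmaker.example", "ffuf: /resetPassword.json returned 200"),
    (3, "api.carmaker.example", "ffuf: /api/v1/updates returned 401"),
    (4, "api.carmaker.example", "GitHub: config file names this host next to an API key"),
    (5, "admin.carmaker.example", "LinkedIn: inferred first.last@carmaker.example format"),
]

# Methodology step -> (ATM tactic, ATM technique), using the technique IDs cited
# in this article. Placing each ID under Reconnaissance or Discovery is assumed.
STEP_TO_ATM = {
    1: ("Reconnaissance", "ATM-T0076 Gather Target Information"),
    2: ("Discovery", "ATM-T0044 Network Service Scanning"),
    3: ("Discovery", "ATM-T0042 File and Directory Discovery"),
    4: ("Reconnaissance", "ATM-T0059 Data from the Local System"),
    5: ("Reconnaissance", "ATM-T0076 Gather Target Information"),
}

# Hostname keywords -> asset role (assumed heuristics; first match wins).
ROLE_KEYWORDS = [
    ("admin portal", ("admin",)),
    ("IVI OTA server", ("ota", "firmware")),
    ("fleet management API", ("fleet",)),
    ("telematics API", ("telematics", "vehicle-data")),
    ("cloud API", ("api",)),
]

# Attack-path tiers: entry point -> cloud pivot -> vehicle-facing service.
# Which roles sit in which tier is an assumed layout for the example.
PATH_TIERS = [
    ("Initial Access", {"admin portal", "cloud API"}),
    ("Discovery", {"fleet management API", "telematics API"}),
    ("Affect Vehicle Function", {"IVI OTA server"}),
]


def role_for(host):
    """Label a host by the automotive role its name suggests."""
    for role, keywords in ROLE_KEYWORDS:
        if any(keyword in host for keyword in keywords):
            return role
    return "unclassified host"


def build_asset_map(findings):
    """Group findings per host; annotate each with its role, the ATM techniques
    whose use produced the evidence, and the evidence itself."""
    assets = defaultdict(lambda: {"role": None, "techniques": set(), "evidence": []})
    for step, host, evidence in findings:
        asset = assets[host]
        asset["role"] = role_for(host)
        asset["techniques"].add(STEP_TO_ATM[step])
        asset["evidence"].append(f"step {step}: {evidence}")
    return dict(assets)


def plausible_attack_paths(assets):
    """Enumerate tier-by-tier chains over the discovered hosts, skipping tiers
    with no host, ranked so chains with more corroborating evidence come first."""
    tiers = []
    for tactic, roles in PATH_TIERS:
        hosts = sorted(h for h, a in assets.items() if a["role"] in roles)
        if hosts:
            tiers.append([(tactic, assets[h]["role"], h) for h in hosts])
    if not tiers:
        return []
    paths = [list(chain) for chain in product(*tiers)]
    paths.sort(key=lambda p: (-sum(len(assets[h]["evidence"]) for _, _, h in p),
                              [h for _, _, h in p]))
    return paths


if __name__ == "__main__":
    asset_map = build_asset_map(FINDINGS)
    for host, asset in sorted(asset_map.items()):
        print(f"{host}: {asset['role']}")
        for tactic, technique in sorted(asset["techniques"]):
            print(f"    {tactic}: {technique}")
    for path in plausible_attack_paths(asset_map):
        print(" -> ".join(f"[{tactic}] {role} ({host})" for tactic, role, host in path))
```

In practice the FINDINGS list is what the earlier steps emit, and the ranked paths are the candidates a red team would try to validate first; the technique annotations are what make the map readable to stakeholders who speak ATM rather than tooling.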

Conclusion 

This work presents a cohesive framework for connected car reconnaissance, integrating conventional OSINT with automotive-specific tactics from the Auto-ISAC ATM. By applying the attack-path approach and the recommended methodology, automotive cybersecurity researchers can systematically identify OTA update servers, telematics APIs, administrative portals, and other high-value assets that are often targeted by attackers. 

Ultimately, this methodology enables stakeholders in the automotive industry to build comprehensive, ATM-annotated attack surface maps of vehicle ecosystems. These maps provide actionable intelligence that can guide red teams in simulating realistic threats and car OEMs in prioritizing defensive measures where they matter most.  
