ROOTCON 19 was held September 24, 25 & 26, 2025
Royce Hotel & Casino, Clark, Pampanga


Connected Car Attack Surface Mapping: OSINT Techniques for Automotive Threat Intelligence

Date: September 25, 2025 (GMT +8)

Time: 15:05

Car Hacking Village

TRACK 4
VILLAGE TALK

Modern vehicles have evolved into sophisticated, internet-connected computing platforms with attack surfaces spanning cloud infrastructure, telematics systems, and over-the-air update mechanisms. With the automotive industry generating over $11 billion in cyberattack losses in 2023 alone, security researchers struggle to comprehensively map connected vehicle ecosystems using traditional OSINT methodologies that lack automotive-specific knowledge. This presentation introduces a systematic OSINT methodology designed for automotive threat intelligence, combining conventional reconnaissance techniques with automotive-focused discovery methods to identify exposed automotive APIs, misconfigured cloud infrastructure, vulnerable telematics endpoints, and supply chain weaknesses that standard assessments typically miss. Through live demonstrations using real automotive manufacturer targets, attendees will learn to adapt existing OSINT tools like Shodan, Censys, and certificate transparency logs with automotive-focused data sources to build complete attack surface maps of connected vehicle ecosystems. Participants will gain practical skills for discovering OTA update infrastructure, fleet management systems, and connected vehicle APIs while learning to transform raw reconnaissance data into actionable automotive threat intelligence that can be immediately applied, whether entering the automotive security space or expanding traditional pentesting expertise into the rapidly growing connected vehicle market.

Speaker
Reuel Magistrado
Reuel Magistrado is an Auto Threat Researcher at VicOne, specializing in web application, web services, and mobile application penetration testing for automotive clients. He is also involved in creating CTF challenges for automotive security. With extensive experience conducting manual security assessments that go beyond automated tools, Reuel has authored technical reports and delivered security solutions to various clients in previous roles at NCC Group and iZOOlogic. Reuel holds multiple industry certifications, including Burp Suite Certified Practitioner (BSCP), APIsec Certified Practitioner (ACP), Practical Mobile Pentest Associate (PMPA), and several specialized penetration testing certifications from The SecOps Group. He has also shared his expertise through technical presentations, including his recent talk at NCC Group Philippines’ “Pwning Hall of Fame,” where he demonstrated a race condition exploit leading to price manipulation.
