Each year, Smartcar undergoes a Penetration Test (pen test) designed to expose flaws in our security controls and check for vulnerabilities that could be exploited during a cyberattack. As we advance toward our third year of testing, we look forward to further strengthening our security protocols.
Today, the most popular cars on the market use some form of connected services. With 18 of the top 25 best-selling models in the US compatible with Smartcar, we take the security of the developers who use our API alongside third-party vehicle apps and services very seriously.
Together with our partner, Cobalt.io, we’ve made it a priority to safeguard our services against cybersecurity threats, and our platform is held to stringent criteria to guarantee this. When a company chooses to partner with Smartcar, it is also committing to maintaining our industry-leading standards of data protection, privacy, and security.
What Smartcar’s annual Penetration Testing means for you
The completion of our annual Penetration Test means that Smartcar has met Cobalt.io’s extensive requirements for data security and consumer protection. As a defining part of our SOC 2 Type 2 compliance, the pen test demonstrates our readiness in the event of a cyberattack. The assessment brings in accomplished security engineers (pen testers) to probe our systems and identify issues, each rated on a five-point severity scale, so that we can address them.
Our penetration test followed best practices: exhaustively scoping the Smartcar services with the testing team, documenting the attack surface to be tested, conducting the assessment, and remediating any findings. During the assessment, Cobalt.io put our services through a range of tests, from validating our Transport Layer Security (TLS) protocol versions to attempting exploits such as Cross-Site Scripting (XSS), SQL Injection, and broken or missing access controls. To ensure a thorough test, Cobalt.io uses the risk categories cataloged in the Open Web Application Security Project (OWASP) Top 10 as the starting point for its team.
After the analysis, Cobalt.io found that Smartcar’s application was well-built, with a mature security posture and strong controls in place.
Other consumer privacy measures
Beyond pen testing, we’ve put in place a range of other measures to uphold the reliability of our platform while giving vehicle owners full control over the data they share.
Smartcar Connect is our user onboarding flow, in which user consent is collected in accordance with the OAuth2 authorization protocol and transmitted over an SSL/TLS-encrypted connection. Vehicle owners can review the specific permissions an app requests before consenting to share access to those data points or actions. Smartcar’s End User Privacy Policy is embedded in the flow so that users know how their information is handled, and customers can also link their own privacy policy into the flow.
Smartcar runs on industry-standard cloud infrastructure that follows security best practices to prevent unauthorized access to our platform. All requests to Smartcar services must be encrypted using HTTPS, and all data stored on our platform is protected with Advanced Encryption Standard (AES) 256-bit encryption.
Smartcar is also compliant with the General Data Protection Regulation (GDPR), maintains a Vulnerability Disclosure Policy (VDP), and annually re-attests to SOC 2 Type 2 compliance. Our platform processes only the necessary data to serve our customers. With Smartcar, vehicle owners can revoke their consent at any time.
Learn how Smartcar can help you
Visit our data security page to learn about the measures we take to keep the Smartcar platform secure. Smartcar customers can also reach out to their Customer Success Manager to see the full results of our annual pen test.
If you’re evaluating Smartcar, you can also contact our Sales team to request a copy of the report as part of your vendor security and compliance process.