This year has been a remarkable journey for AUTOCRYPT, filled with innovation, meaningful collaborations, and impactful achievements. We are incredibly grateful to our investors, partners, clients, readers, and visitors for your unwavering support in 2024!
As we prepare to step into 2025, we’re excited about the opportunities and challenges that lie ahead. Here’s to another year of growth, innovation, and success—together!
Merry Christmas and Happy New Year!
Below is a recap of AUTOCRYPT’s key milestones and accomplishments in 2024.
2024 has been the year of innovation and growth for AUTOCRYPT. We introduced 4 new groundbreaking solutions designed to address critical challenges in the automotive cybersecurity sector.
AutoCryptⓇ CSTP – Automotive cybersecurity testing platform for regulatory compliance
AutoCryptⓇ CLS – C-ITS local station for V2I communication
AutoCryptⓇ ASL – Adaptive security library for AUTOSAR platforms
AutoCryptⓇ RODAS – Remote driving assistance system for autonomous vehicles
Awards and certifications
This year, our efforts were recognized with several prestigious certifications and awards:
Brussels, December 4th, 2024 – AUTOCRYPT proudly announces its recognition as a top innovator at the 2024 CLEPA Innovation Awards for its groundbreaking Cybersecurity Testing Platform (CSTP).
The award-winning AutoCrypt® Cybersecurity Testing Platform (CSTP) revolutionizes automotive cybersecurity by offering a comprehensive suite of security tests and validations within a unified platform. The CSTP enables manufacturers and developers to meet critical compliance requirements, including UN R155/156 and GB (GB/T) standards, with its proprietary test cases designed to address diverse regulatory demands.
As AUTOCRYPT continues to drive innovation, the recognition at the CLEPA Innovation Awards underscores the company’s commitment to advancing secure and efficient automotive cybersecurity solutions.
“I am extremely pleased that our platform’s remarkable contribution to streamlining automotive cybersecurity testing was highlighted at the CLEPA Innovation Awards,” CEO of Autocrypt, Duksoo Kim remarked. “Safeguarding vehicles for the future of transportation has always been our priority. We are committed to ensuring that compliance is optimized, and is not a hindrance for manufacturers and suppliers.”
About the CLEPA Innovation Awards
The ninth CLEPA Innovation Awards showcased ground-breaking ideas in green and digital technology across the automotive supply industry. The event awarded 12 Top Innovators and included talks with high-level EU policy makers on the future of transport.
Since 1959, CLEPA has been a key voice for automotive suppliers in Europe, and this 65th anniversary milestone brought together key policy makers Signe Ratso, Deputy Director-General, DG for Research and Innovation (European Commission), MEPs Andrea Wechsler (EPP) and Danuše Nerudová (EPP). They joined CLEPA President, Matthias Zink and Deloitte’s Elmar Pritsch on stage for a panel discussion on the key drivers for this industry to stay competitive and continue leading innovation.
AUTOCRYPT is the industry leader in automotive cybersecurity and connected mobility technologies. The company specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, Plug&Charge, and mobility platforms, paving the way towards a secure and reliable C-ITS ecosystem in the age of software-defined vehicles. AUTOCRYPT also provides consulting and testing services along with custom solutions for UN R155/156 and ISO/SAE 21434 compliance.
As vehicles continue to evolve into sophisticated, software-driven machines, automotive cybersecurity has become as critical as a car’s physical safety. Modern vehicles rely on millions of lines of code that must not only work seamlessly but also remain resilient to potential cyberattacks. Regulations and industry standards mandate manufacturers to safeguard their systems against these threats. Two fundamental processes in achieving this are security validation and vulnerability testing. While both aim to ensure software security, they take distinct approaches to achieve it. Let’s dive into their roles, differences, and why they’re indispensable for automotive cybersecurity.
Security Validation
At its core, security validation is about ensuring that a system meets predefined security requirements and functions as expected under normal conditions. Think of it as a quality assurance process that confirms security measures are implemented correctly and comply with industry standards like UN R155/156 or ISO/SAE 21434.
For instance, security validation could involve verifying that Over-the-Air (OTA) update mechanisms comply with UN R156 requirements or ensuring that each ECU component is secure under different real-world conditions.
Manufacturers employ various testing methods to perform security validation, including but not limited to:
Functional Testing, which ensures key features like encryption and authentication work correctly under normal use cases.
Fuzz Testing, which introduces random or unexpected inputs to assess system stability and expose hidden vulnerabilities.
Penetration Testing, which simulates attack scenarios to test the system’s ability to defend against real-world threats.
The primary goal of security validation is to provide confidence and documented proof that all cybersecurity measures are not only in place but also operating effectively according to regulatory standards.
Vulnerability Testing
While security validation checks compliance, vulnerability testing takes a broader approach, exploring potential weaknesses or flaws that attackers might exploit. This process identifies vulnerabilities—both known and unforeseen—through rigorous probing and stress testing. Given that vehicle software is constantly evolving, vulnerability testing must be an ongoing process to mitigate risks proactively.
Common techniques include:
Fuzz Testing for Vulnerability Detection, which detects weaknesses by feeding unexpected or malformed data into the system.
Network and Protocol Testing, which analyzes communication protocols such as CAN, LIN, and Ethernet for exploitable flaws like injection vulnerabilities.
Hardware Security Testing, which examines hardware-software interactions, such as the extraction of firmware from electronic control units (ECUs), for potential vulnerabilities.
Unlike security validation, which confirms what is known, vulnerability testing ventures into the unknown, uncovering potential attack vectors that may not have been anticipated during the development process.
Key Differences Between Security Validation and Vulnerability Testing
By combining these two processes, manufacturers can build automotive systems that are not only compliant but also resilient to cyber threats.
As the automotive industry moves toward greater connectivity, the stakes for cybersecurity are higher than ever. Security validation ensures that systems meet regulatory standards, while vulnerability testing helps uncover hidden risks before malicious actors can exploit them. Together, they form a comprehensive approach to protecting vehicle systems from cyber threats.
For instance, validating the proper encryption of V2X communication provides compliance, but only through vulnerability testing can potential flaws in cryptographic implementation be identified. By integrating both practices into the development lifecycle, manufacturers can ensure their systems are secure and future-ready.
Cybersecurity in modern vehicles is no longer an optional feature—it’s a foundational requirement. Security validation and vulnerability testing are two sides of the same coin, each addressing distinct yet complementary aspects of the security landscape. When combined, they provide the robust framework needed to protect vehicles from both known and emerging cyber threats.
For manufacturers, embracing these processes is not just about meeting regulatory requirements—it’s about staying ahead in an industry where safety, innovation, and trust go hand in hand.
In this age of autonomous driving technology, whenever there is an accident, heads turn to utilizing data from vehicle data recorders like the Event Data Recorder (EDR) or Data Storage System for Automated Driving (DSSAD) to uncover the accident cause. In today’s blog, we’ll take a closer look at the functions of the EDR and DSSAD, their differences, and their significance for accident analysis in the new era of autonomous driving.
It has become easier than ever to obtain recordings of vehicle accidents. With the combination of vehicle dashcams and nearby CCTV footage, determining the cause or perpetrator of an accident has become much more manageable than before. However, it can still be challenging to ascertain the root cause of an accident solely through video footage.
One particular type of accident that is difficult to analyze is the case of a sudden unintended acceleration (SUA). While the number of reported incidents has been decreasing this past decade, SUA accidents remain a frequent and often controversial topic of discussion. These types of accidents can be challenging to evaluate solely through video footage analysis, and this is where additional devices and data become necessary.
EDR
The Event Data Recorder or EDR is a type of data recording device that is embedded into a vehicle’s Airbag Control Unit (ACU) or the engine’s Electronic Control Unit (ECU). When a collision or a sudden incident occurs while the vehicle is in motion, the EDR records data related to vehicle operations for a specific period of time.
In many countries, there are stringent regulations on what the EDR is required to record. For example, in the United States, the National Highway Traffic Safety Administration (NHTSA) specifies requirements for EDRs under 49 CFR (Code of Federal Regulations) Part 563.
Source: 49 CFR Part 563: Event Data Recorders, published by the National Highway Traffic Safety Administration (NHTSA)
The EDR records critical vehicle data as listed above. In the case of an incident, vehicle owners can provide this information to authorities for accident analysis. The EDR plays a vital role in understanding accident dynamics and improving vehicle safety standards as a whole. The EDR is so vital, in fact, that in 2022 the NHTSA proposed to extend the EDR recording period from five seconds to 20 seconds.
This realization of the importance of EDRs is not limited to the United States. In 2021, the UNECE’s WP.29 (The World Forum for Harmonization of Vehicle Regulations) put into force UN R160, a regulation establishing provisions concerning vehicles and EDRs. R160 defines certain data collection and implementation requirements for EDRs. Following this, in 2022, the European Union approved a new act that requires the installation of an EDR in all motor vehicles in M and N categories (passenger vehicles and trucks). The regulation went into force in July of 2024 for all new vehicles.
DSSAD
The Data Storage System for Automated Driving (DSSAD) is a device designed to record and store data during autonomous driving sequences. It records and stores data on significant events related to autonomous driving, such as system activation, partial autonomous system failure, or minimal risk maneuvers. This data can then be used to address accidents and regulatory issues related to autonomous vehicles.
While DSSADs are only mandated in a handful of countries, their implementation is subject to certain regulatory measures for compliance. For instance, UNECE’s UN R157, which covers automated lane-keeping systems (ALKS), mandates DSSAD for vehicles equipped with ALKS in order to monitor status changes in the autonomous driving system (ADS).
Comparison of EDR and DSSAD
While there are similarities between EDR and DSSAD, there are core differences between the two.
The EDR is primarily designed for investigation of conventional vehicles, while the DSSAD is specifically developed for autonomous and semi-autonomous vehicles.
The EDR stores and provides data related to accidents just before they occur, while the DSSAD will store autonomous driving-related data for a relatively long period.
EDR data is only stored temporarily, and is not typically retained unless a crash occurs, while the DSSAD data is retained for a longer timeframe (typically around six months), or up to a certain number of recorded events to ensure comprehensive documentation.
Despite the differences, the two complement each other in analyzing accidents and clarifying liabilities regarding an incident. A vehicle’s dashcam has limitations, so the EDR can be crucial for accident analysis. Regulations regarding DSSAD in autonomous vehicles can also clarify responsibility between driver(s) and the vehicle.
In today’s era of autonomous driving technology, both the Event Data Recorder (EDR) and the Data Storage System for Automated Driving (DSSAD) are gaining significant attention due to growing concerns about liability in the event of accidents. However, this also brings forth the issue of cybersecurity. Maintaining data integrity is essential, as both the EDR and DSSAD store and retrieve data that could influence accident investigations. Tampering with this data could not only hinder accurate accident analysis but also allow parties to misplace liability. Security measures such as data anonymization and encryption are vital for protecting sensitive information stored by the EDR and DSSAD, as well as safeguarding personal data, location information, and driving records.
EDR and DSSAD are vital tools for transparency and accountability in autonomous vehicles, but their effectiveness hinges on comprehensive cybersecurity. By implementing robust protections against data tampering and unauthorized access, these recording technologies can serve their intended purpose: helping investigators understand complex accidents, advancing autonomous driving technology, and building public trust. The path to widespread adoption requires both sophisticated data collection and unwavering security measures.
Navigating the evolving mobility landscape is complex, but cybersecurity will play a key role in building trust among manufacturers, consumers, and legislators, ultimately paving the way for a secure future.
To stay informed about the latest news on mobility tech and software-defined vehicles, subscribe to AUTOCRYPT’s monthly newsletter.
Securing complex automotive systems from cybersecurity threats has become essential as connected and autonomous vehicles proliferate. The shift in the industry is mirrored by regulatory bodies enforcing cybersecurity measures across the board. As the standards for cybersecurity grow, fuzz testing has emerged as a powerful tool that helps manufacturers meet cybersecurity demands.
Traditional fuzz testing methods are often labor-intensive and struggle to keep pace with modern vehicles’ intricate software structures. Fortunately, cybersecurity testing technology has evolved in the past years. Advanced fuzzing techniques, like smart and automated fuzzing, are transforming automotive cybersecurity testing—reducing time-to-market, enhancing system resilience and overall vehicle safety, all while helping achieve regulatory compliance. This article will discuss the latest tools and technologies enabling smart automotive fuzz testing.
Overview of Fuzzing in Automotive Systems
As vehicles become more software-driven, their internal structures consisting of millions of lines of code are turning exponentially complex. That is why fuzz testing is essential for cybersecurity evaluation of automotive systems.
Fuzz testing, or fuzzing, is a cybersecurity technique where random or unexpected data is injected into a program to discover bugs, code discrepancies, and hidden vulnerabilities. Fuzzing helps uncover zero-day vulnerabilities that traditional testing methods may miss.
Challenges of Traditional Automotive Fuzz Testing
Despite its importance, traditional fuzz testing faces several challenges in the automotive sector.
Modern software-defined vehicles contain numerous interconnected systems, such as CAN, LIN, and Ethernet networks, that communicate with various sensors and external devices. This complexity makes it difficult to comprehensively assess the resilience of all vehicle components using a traditional fuzz test, resulting in incomplete coverage of potential vulnerabilities.
In addition, traditional fuzz testing often requires a manual process of inputting random data and observing system responses. This time-intensive approach requires round-the-clock labor and can delay development timelines, especially when testing complex systems where the number of test cases increases exponentially.
Smart Automotive Fuzzing: A Game Changer
Fortunately, vehicle cyber security testing tools have progressed with time and now incorporate advanced features like smart fuzzing. Smart automotive fuzzing is an innovative approach that leverages artificial intelligence (AI) and machine learning (ML) to make fuzz testing more efficient. This type of advanced testing uses data-driven methods to generate more targeted inputs, mixing and inputting test cases generated by multiple algorithms. This significantly improves test coverage while reducing the time required for testing.
AI-driven fuzzing tools use feedback mechanisms to learn from previous test iterations, adapting them to focus on high-risk areas of the system. For example, smart fuzzers record the outputs from previously conducted fuzz tests and use these results for subsequent rounds of test case generation. This ensures a more comprehensive assessment of critical vulnerabilities.
For instance, AutoCrypt Security Fuzzer uses a logical test case modeler to generate logic-based semi-random inputs tailored to the system being tested. The tool automates the creation of test cases based on the protocols and specifications of the target system. This ensures that only relevant test cases are generated, drastically reducing the need for manual intervention and saving valuable time. Employing an advanced judgment logic, the testing tool continuously monitors the vehicle system to detect failed cases.
Automatic ECU Status Recovery
One of the most time-consuming aspects of traditional fuzz testing is the need for manual system recovery after a failure or crash. Smart automotive fuzzing tools address this with automatic ECU status recovery, which allows for continuous system fuzzing.
Besides saving time, this feature helps minimize manual work during vulnerability testing, which consequently reduces operating expenses for manufacturers. Once a test target is selected, there is no need for manual input until fuzzing is complete. If a vulnerability or bug is detected, the system automatically records the issue and resets back to the original ECU status, continuing the fuzz testing process. For instance, the AutoCrypt Security Fuzzer automatically issues commands like “ECU reset” or “DTC clear” to restore the system to its original state.
Impact on Cybersecurity Testing and Regulatory Compliance
Employing smart automotive fuzzing tools accelerates and automates vehicle testing while maintaining thorough coverage of all components and ensuring comprehensive cyber security testing for regulatory compliance.
The ISO/SAE 21434 standard, for example, emphasizes the need for OEMs to integrate fuzz testing into their DevOps processes to ensure vehicle software security integrity. By automating fuzz testing, manufacturers can cover a wider range of potential vulnerabilities and comprehensively test the system against threats with minimum down time.
While UN R155 regulation does not specifically mandate vehicle fuzz testing, it emphasizes the importance of ensuring robust cybersecurity measures across vehicle software and embedded systems by requiring an automotive cybersecurity management system (CSMS).
To meet these requirements, OEMs and their suppliers must show that they have implemented rigorous risk assessment methods for uncovering vulnerabilities, which often includes fuzz testing as a practical approach. By using fuzz testing to stress-test vehicle components and communication protocols, manufacturers can better demonstrate that they have mitigated potential security risks in line with UN R155 guidelines.
Automated fuzzing provides a robust feedback mechanism that allows engineers to detect and address security gaps early in the development cycle. By doing so, manufacturers can improve vehicle safety while reducing the overall cost and complexity of software development.
Smart and automated fuzzing tools are revolutionizing the way manufacturers test and secure vehicle systems, making the process faster and more efficient. With innovations like AI-driven fuzzing and automatic ECU recovery, smart fuzz testing helps close security gaps while speeding up time-to-market.
Incorporating smart automotive fuzz testing into the development pipeline not only improves security but also ensures compliance with emerging regulations, making it a critical tool for the future of automotive cybersecurity. By embracing these advanced techniques, manufacturers can protect their vehicles—and their customers—against evolving cyber threats.
To learn more about AUTOCRYPT’s vehicle cybersecurity testing measures and cybersecurity regulation compliance consulting services, contact global@autocrypt.io.
The Vehicle-to-Everything (V2X) ecosystem runs on a secure, decentralized certification system utilizing public key infrastructure (PKI) technology. Standardized as the Security Credential Management System (SCMS), the system ensures that every V2X end entity is given a unique set of digital certificates, generated and distributed by multiple layers of independent certification authorities (CA). These V2X end entities, including the onboard units (OBU) installed in vehicles and the roadside units (RSU) connected to points of road infrastructure, use their private key to sign off messages sealed with their certificates.
Such a PKI framework ensures trust in V2X communication by validating messages’ authenticity and integrity. “Authenticity” implies that the message’s sender is truly who they claim to be, while “integrity” signifies that the message has not been altered during transmission.
Message accuracy: the limitation of PKI
Although the PKI guarantees end-to-end security for all V2X communications, it does not exert control beyond the communication endpoints. Due to this limitation, the PKI is not capable of validating the content of messages, such as, whether the message contains accurate information about the vehicle and its environment. For instance, if a car is broadcasting a V2X message stating that it is traveling at 60 km/h while it is in fact traveling at 80 km/h, detecting this discrepancy is beyond the PKI’s capability. Given that vehicles rely on these V2X messages to make decisions on the road, it is crucial to ensure that all information is accurate.
There are a couple of potential reasons behind an inaccurate V2X message. The first involves a hacked vehicle. A malicious road user might hack into their vehicle to purposefully create false or misleading messages in order to cause changes in traffic in their favor. An external hacker could also do so to manipulate traffic. Although hacking into a vehicle is extremely difficult to accomplish given the sophisticated security measures, it does pose a potential risk to the V2X ecosystem.
Another factor there could lead to an inaccurate message is that a vehicle’s internal systems might be experiencing a malfunction that results in incorrect signals given to its OBU. Although no malicious actions are involved, it is still considered misbehavior and poses a threat to its surrounding environment.
The need for misbehavior detection for V2X
To minimize the risk of false messages, a misbehavior detection mechanism needs to be implemented in the SCMS ecosystem so that potentially malicious users can be removed from the V2X ecosystem immediately.
How is this done? AUTOCRYPT’s misbehavior detection solution, AutoCrypt® MBD, is deployed in both the end entity and the PKI server. The LMBD (local MBD) is embedded in the OBUs, screening all incoming messages for anomalies. The GMBD (global MBD), situated in the SCMS server, receives the list of flagged certificates from the LMBD, allowing the misbehavior authority (MA) to review and revoke the respective certificates. Once a certificate is revoked, it is added to the certificate revocation list (CRL) and distributed back to the LMBD so that the certificate is no longer recognized in the V2X ecosystem.
Although there has been no universal standard or agreement on what constitutes misbehavior, some common signs of misbehavior include:
Attempting to use expired or invalid certificates
Mismatched signature (private key)
Unintelligible data (time, location, speed, et cetera)
AutoCrypt® MBD periodically updates its list of misbehaviors to address the latest threats, adding a final layer of security for the V2X ecosystem.
To learn more about AUTOCRYPT’s secure V2X solutions and services for C-ITS, check out Secure V2X Communications.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
