AUTOCRYPT Partners With Hitachi Solutions on V2X and In-Vehicle Systems Security Solutions

SEOUL, KOREA, December 7, 2023 — AUTOCRYPT, an industry-leading automotive cybersecurity and mobility solutions company, announced its partnership with Hitachi Solutions, Ltd., a global IT service provider and system integrator. The two companies have agreed to provide joint offerings and consulting services covering V2X and in-vehicle systems security to Japanese automotive OEMs and tier suppliers.

The two companies already have a history of collaboration; AUTOCRYPT has been offering its V2X security solution with the option of integrating its security library with Hitachi Solutions’ V2X Middleware Platform. The formalization of the partnership signifies the continued success of past projects, and seeks to further expand the scope of collaboration beyond V2X to embedded vehicular systems.

As vehicles become increasingly software-defined, cybersecurity for in-vehicle systems has become an integral part of automotive production and regulatory compliance. AUTOCRYPT’s in-vehicle systems security solution helps OEMs exceed cybersecurity requirements with open-source license management, fuzzing, penetration testing, and threat mitigation, while Hitachi Solutions, Ltd. offers a range of compliance consulting that covers all facets of vehicle production. The partnership will provide an optimized range of solutions for both companies’ clients to meet production requirements.

“The Japanese automotive industry is one of the largest in the world and is currently undergoing a major transition to a more electrified and software-defined future,” said AUTOCRYPT’s CEO, Daniel ES Kim. “Through this partnership with Hitachi Solutions, we are excited to offer a more comprehensive V2X and in-vehicle systems security solution with an enhanced support network for our existing and potential clients in Japan.”

As a global leader in automotive cybersecurity, AUTOCRYPT aims not only to help clients stay secure and compliant, but also to maximize efficiency by streamlining cybersecurity engineering into the production process. Its newly developed AutoCrypt Security Fuzzer for HIL enables fuzz testing in hardware-in-the-loop (HIL) simulations, greatly reducing vehicle development costs.

To learn more about AUTOCRYPT’s in-vehicle systems security solutions, contact global@autocrypt.io.

About AUTOCRYPT

AUTOCRYPT is the leading player in automotive cybersecurity and smart mobility technologies. It specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, Plug&Charge, and fleet management, paving the way towards a secure and reliable C-ITS ecosystem in the age of software-defined vehicles. AUTOCRYPT also provides management and service platforms for the operators and end users of MaaS, contributing to sustainable and universal mobility.

About Hitachi Solutions, Ltd.

Hitachi Solutions is a core IT company of the Hitachi Group. We deliver products and services of superior value to customers worldwide through key subsidiaries in Asia, the United States and Europe. We have also been providing a variety of solutions globally using cutting-edge digital technologies based on collaborative creation with customers. Together with our partners around the world, we are accelerating Sustainability Transformation (SX) to solve the challenges facing society and business, and contribute to the realisation of a happy society where no one is left behind.

5 Futuristic In-Vehicle Infotainment Features in the Age of Software-Defined Vehicles

The automotive landscape is in the midst of a profound transformation. Cars have now entered the realm of digitization, where the competition isn’t solely about design and horsepower, but also the ingenuity of digital features. To keep up, original equipment manufacturers (OEMs) are diversifying their offerings, introducing features that offer a more futuristic and personalized driving experience.

At the heart of this revolution lies in-vehicle infotainment (IVI), an integrated vehicle system merging entertainment and information delivery for drivers and passengers. Its overarching objective is to amplify the driving experience, keeping occupants informed, entertained, and safe. This blog will unveil five of the most cutting-edge vehicle infotainment features flourishing in the automotive sector today. 

AI and Voice Assistants 

The buzz surrounding artificial intelligence has seeped into the automotive domain, with OEMs dedicating colossal R&D investments to create the most advanced automotive AI. While primarily utilized for autonomous driving, AI’s applications extend far beyond. Recent car models feature AI assistants integrated into the vehicle’s infotainment system. These assistants boast advanced language processing, biometrics, and deep learning abilities, enabling them to do an array of different tasks that make the driver’s life easier. These tasks include, but are not limited to, ordering groceries en route, planning trip routes with charging stops, and even orchestrating various vehicle functions.  

Integrating GPTs into AI assistants takes the technology a step further. Unlike conventional voice assistants tethered to predefined tasks, GPT-based assistants draw on a large language model, which improves their natural language understanding and expands their abilities as smart-car assistants. The likes of Mercedes-Benz are utilizing the technology to create AI assistants that act like smart, conversational companions, curating an engaging driving ecosystem.

NIO in-vehicle infotainment AI voice assistant

Facial Recognition

While cameras within car structures aren’t novel, their application has undergone a significant expansion. Coupled with advanced processing capabilities, new in-vehicle cameras facilitate facial recognition features that multiply infotainment system capabilities. Vehicle cameras now monitor driver behavior, detecting blinking rates and yawning to signal potential fatigue. With the rapid development of driving assistance, features like this are employed as safety measures to make sure the driver does not lose concentration or doze off behind the wheel.  

On top of safety, facial recognition enables seamless vehicle unlocking and authorization for payments through the infotainment system. We can see that common smartphone features are making their way into vehicles as customers expect more convenience and digitization from their cars. Pioneering Chinese car models delve deeper, employing facial recognition for experience personalization. For instance, the futuristic XPENG G3 allows users to select their preferred seat positioning and lighting settings, and uses face recognition to then adjust to personalized settings based on who is at the driver’s seat. 

Gesture Control

Gesture recognition technology, available in select premium vehicles, has transformed the way drivers interact with their cars. This innovation extends beyond the conventional realm of in-vehicle infotainment, introducing an intuitive interface that responds to simple hand gestures. Gesture recognition lets you use a subtle swipe to adjust volume, a flick of the wrist to change music tracks, or a pinch in the air to zoom in on navigation maps. The integration of gesture control not only enhances convenience but also represents a significant leap in fostering a safer driving environment. By minimizing manual distractions, drivers can effortlessly navigate the car’s interface without diverting their gaze from the road, enjoying both convenience and safety. 

Moreover, the ongoing evolution of gesture control technology envisions a future where these intuitive motions go beyond the entertainment realm. Soon, drivers might be able to execute more complex commands with a wave of the hand, accessing vehicle diagnostics, or even initiating communication functions. This paradigm shift in interaction within the vehicle is reshaping the traditional dashboard layout, signaling an era where physical buttons and knobs might gradually become obsolete. 

Unique Entertainment Options 

Automakers are revolutionizing the automotive landscape by crafting distinctive entertainment features to captivate the attention of younger audiences. The range of entertainment offerings is expanding rapidly, with some models offering in-car gaming tools, built-in karaoke systems with wireless microphones, and interactive user manuals that use augmented reality (AR) and voice tech. These pioneering features not only set these vehicles apart from competitors but also redefine the very purpose of a vehicle beyond mere transportation. And as self-driving becomes more widespread, consumers will make purchasing decisions based on the in-car experience, so these entertainment options will become increasingly important.

AIWAYS in-vehicle infotainment interactive car manual

Dashboard App Diversification 

The digital transformation of vehicles has created an urgent demand for personalization, prompting manufacturers to reimagine the dashboard as a customizable canvas. Thanks to over-the-air systems, vehicle users can now curate their dashboard by downloading applications right into their infotainment systems.  

Seamlessly integrating social media feeds, news updates, or productivity tools directly into the vehicle’s dashboard, modern cars not only cater to individual preferences but also pave the way for an ever-evolving ecosystem within the vehicle, where the driving experience transcends transportation, becoming an extension of one’s lifestyle and interests. This synergy between technology and personalization is revolutionizing the way users interact with their vehicles, morphing cars into smart devices tailored to customer needs. 

Securing the Future of Automotive Innovation 

The evolution of in-vehicle infotainment into a realm of advanced AI integration, facial recognition, gesture control, and diversified dashboard apps marks a seismic shift in automotive technology.  

As cars become digital hubs of connectivity and convenience, the significance of safeguarding these systems against potential cyber threats cannot be overstated. Each innovative feature, while enhancing personalization and convenience, also presents entry points for malicious exploitation. The industry’s focus on robust cybersecurity measures (encryption protocols, intrusion detection, and collaborative standards) is crucial in fortifying these high-tech infotainment features against unauthorized access and exploitation.

The future of driving isn’t solely about technological sensation; it’s about responsible innovation. Protecting the integrity, privacy, and safety of these advanced infotainment systems is a shared responsibility of all industry participants.

AUTOCRYPT’s in-vehicle cybersecurity solutions provide complete protection for vehicle-embedded systems, minimizing cybersecurity risks while facilitating safe and responsible innovation in the industry.

To stay informed about the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.  

Trends in Vehicle Vulnerabilities: A 2023 Report

In recent years, the automotive sector has undergone a profound transformation driven by innovation. The past decade witnessed a rapid digitization of vehicles, the ascent of electric powertrains, the advent of software-defined systems, and the ongoing development of autonomous vehicles. These technological advancements have elevated automobiles beyond mere modes of transportation. However, they also made vehicles increasingly susceptible to cyberattacks. Unfortunately, the pace of implementing in-vehicle cybersecurity measures has lagged behind the speed of innovation, leaving modern vehicles at an alarming risk.

A comprehensive study conducted by IOActive has meticulously analyzed the trends in vehicle vulnerabilities, pooling data from 2016 to 2022. This study sheds light on the evolving threat landscape within the automotive industry, classifying data according to various attack vectors, namely local, physical, network, and peripheral RF.

Key Findings:

Networked Connection Attacks: The most striking revelation from the study is the surge in attacks exploiting networked connections, accounting for nearly half of all attacks in 2022. This signifies a prominent shift towards remote cyberattacks targeting vehicles.

Local Attacks: Local vehicle software, including operating systems, Electronic Control Units (ECUs), and Software Bill of Materials (SBOMs), accounted for 40% of disclosed vulnerabilities. This highlights the growing risk of exploiting vulnerabilities within a vehicle’s software ecosystem.

Physical Hardware Attacks: Physical hardware-associated vulnerabilities witnessed a significant decline, plummeting by 15%. This decline can be attributed to the automotive industry’s increasing focus on remote attack vectors.

Peripheral RF Attacks: Intriguingly, a novel category of attack vectors, peripheral RF attacks, emerged, representing 1% of the total vulnerabilities. This indicates the shifting landscape of vehicle cybersecurity needs and the expanding spectrum of threats.

Now, let’s delve into a closer examination of each attack vector:

Local Attacks

Local attacks primarily exploit vulnerabilities within the vehicle’s software ecosystem. Examples include attacks on operating systems, ECUs, and SBOMs. A common local attack is spoofing, where malicious actors send synthetic signals to deceive the vehicle’s systems. Spoofing can lead to incorrect data interpretation, posing substantial risks to vehicle operation and passenger safety.

Over the past decade, local attacks have seen a 6% increase, reflecting the industry’s struggle to defend against software-based attacks, exacerbated by the increasing complexity of software in modern vehicles. Robust in-vehicle security systems are essential to mitigating the risks of local software attacks. Manufacturers must employ effective testing measures to identify and rectify software vulnerabilities.

Physical Hardware Attacks

While physical hardware attacks have experienced a notable decline, they continue to pose a tangible threat. These attacks necessitate the physical presence of a threat agent. An attack on vehicle hardware could provide unauthorized access to critical vehicle components, potentially allowing a takeover of the vehicle.

For instance, a USB attack targeting a vehicle’s infotainment system could compromise the Controller Area Network (CAN). To address these vulnerabilities, vehicle security systems must incorporate robust gateway security measures to protect against hardware-based intrusions.

Networked Connection Attacks

Emerging as a recent development, networked connection attacks exploit far-field RF spectrum, including wireless and cellular connections, backend networks, and vehicle-to-everything communications. Securing messages exchanged through vehicle-to-everything (V2X) communication channels is of paramount importance, particularly as the industry is gearing up for autonomous driving. Ensuring the authenticity of V2X messages is crucial to prevent masquerading attacks, which can disrupt traffic and compromise vehicle systems.

Original equipment manufacturers (OEMs) must implement cybersecurity practices that authenticate information and signals exchanged through V2X communications to mitigate the risks associated with networked connection attacks.

Peripheral RF Attacks

Peripheral RF attacks originate in the near-field RF spectrum, encompassing technologies like NFC, RFID, remote key entry, and on-board telematics. The 1% growth in peripheral RF attacks, as identified by IOActive’s analysis, is largely attributed to vulnerabilities related to Remote Key Entry (RKE) and Bluetooth.

One common manifestation of a peripheral RF attack is a relay attack, notably compromising key fob technology. Such attacks can allow unauthorized access to vehicles and even the ability to remotely start them. These attacks have become one of the most common causes of vehicle theft. In 2022, AUTOCRYPT’s Vehicle Threat Research Lab discovered a high severity (CVSS 8.1) relay attack vulnerability (CVE-2022-38766) in a popular electric vehicle in Europe. To counter these threats, vehicle owners can employ signal-blocking devices, while manufacturers should implement comprehensive cybersecurity measures to monitor and filter traffic at the gateway.

Vehicle attack vectors

In light of these evolving trends and vulnerabilities, it is imperative that advancements in the automotive sector go hand in hand with the development of robust cybersecurity measures.

AUTOCRYPT offers end-to-end vehicle cybersecurity solutions that safeguard vehicles from both internal and external threats, ensuring the continued safety and security of modern automobiles.

Spotlight: Fostering Government-Industry Cooperation at the International Transport Forum

As a leading player in automotive cybersecurity and mobility solutions, AUTOCRYPT has been an advocate for government-industry cooperation in improving transport safety, efficiency, sustainability, and accessibility. For nearly a decade, the company has been actively involved in discussions at the International Transport Forum, helping policymakers shape global transport policies that cultivate collaboration between the public and private sectors.

The International Transport Forum (ITF) is a sub-organization within the OECD, joined by 66 member states with the goal of making effective transport policies around the world. As the only international regulatory body with a mandate for all modes of transport, the ITF also serves as a think tank that tackles the world’s transport challenges.

AUTOCRYPT has been a long-standing member of the ITF’s Corporate Partnership Board (CPB), a platform that enables private companies to contribute to transport policymaking by engaging in discussions with policymakers. Every year, CPB members gather in Paris for an annual meeting with transport ministries known as the CPB Week. This past September, AUTOCRYPT’s Chairman and Co-Founder Seokwoo Lee returned to Paris for the 10th anniversary of the CPB Week, where he received a certificate of appreciation from ITF Secretary-General Young Tae Kim in recognition of AUTOCRYPT’s support for shaping transport policies.

AUTOCRYPT’s Chairman Seokwoo Lee at the 10th anniversary of the ITF CPB Week

As an automotive cybersecurity and mobility solutions company, AUTOCRYPT has been sharing its experience and insights at the ITF, offering a different perspective on a wide range of transport challenges. Throughout the years, AUTOCRYPT introduced its unique business model for operating mobility-as-a-service (MaaS) for people with reduced mobility (PRM), emphasized the importance of adopting vehicle-to-everything (V2X) connectivity for safer roads, and stressed how secure Plug&Charge (PnC) technology will improve the electric vehicle (EV) charging experience and the reliability of public charging and payment.

Below are some of the main perspectives AUTOCRYPT has brought to the ITF.

Overcoming transport challenges for people with reduced mobility

Addressing the transport challenges faced by PRM hasn’t been easy. For many decades, transport accessibility has been seen as a responsibility of the welfare system. The public sector has been directly funding and operating paratransit services for residents and passing laws that require commercial transport operators to accommodate accessibility needs. Still, a large proportion of PRM travel significantly less than the average person. The problem is a lack of private initiatives. Transport accessibility shouldn’t be treated as an add-on component and should instead be built into the design of the service in the first place.

As a private company, AUTOCRYPT approached this challenge with a new perspective. By forming partnerships with local government bodies and non-profit organizations, AUTOCRYPT has built a range of MaaS platforms that are designed for and dedicated to PRM. Take 2U Access for example, a demand-responsive transport (DRT) service developed, operated, and optimized by AUTOCRYPT for Busan, Korea. Using service fleets provided by local partners, AUTOCRYPT was able to utilize its secure fleet management solution to automatically analyze demand and adjust its supply to ensure maximized efficiency and minimized operational cost. This enabled much faster response and higher satisfaction compared to conventional paratransit services.

To set an example and encourage more government-industry collaborations on accessible transport, AUTOCRYPT demonstrated this solution to policymakers at the ITF 2023 Summit this year.

AUTOCRYPT demonstrating its MaaS platform for PRM at the ITF 2023 Summit

Achieving zero road fatality with vehicle-to-everything connectivity

Fatalities and injuries due to road accidents are another major concern for transport policymakers. With an estimated 1.3 million fatalities and between 20 and 50 million injuries on the road each year, reducing road accidents has become one of the primary objectives of every transport ministry. Currently, most of the publicly led countermeasures involve a reduction of speed limits or banning vehicles from urban centers. However, these measures do not address the root cause of traffic accidents and risk the adverse effect of putting more pressure on the already strained public transport and causing even greater road congestion.

AUTOCRYPT has been an advocate for V2X deployment. By enabling vehicles to seamlessly communicate with surrounding vehicles, road infrastructure, and the handheld devices of vulnerable road users (VRU), every participant on the road can receive real-time warnings and seamlessly cooperate with one another. So far, AUTOCRYPT has been the sole V2X security provider for all South Korean smart roads and has also implemented embedded V2X security for some of the world’s largest OEMs.

AUTOCRYPT explaining its portable V2X solution for vulnerable road users at the ITF 2022 Summit

Improving the EV charging experience through secure Plug&Charge

Many governments around the world have established progressive goals to achieve zero emissions in the transport sector. Many have offered subsidies and incentives on EV production and purchases. Thanks to these efforts, most EVs today are just as reliable as ICE vehicles. However, the reliability of the charging stations is lagging. A J.D. Power report published in May 2023 revealed that 20.8% of consumers have recently visited a public charging station that does not work, and that the overall satisfaction with Level 2 public charging has been declining. Although range anxiety is becoming irrelevant, charging anxiety is growing.

AUTOCRYPT believes that charging should be as easy as fueling, and that drivers shouldn’t have to carry multiple charging membership cards and spend time looking for charging stations that are compatible with their car. Its PnC security solution is built on the vehicle-to-grid (V2G) communication protocol, enabling secure one-step charging without the need for membership and credit cards. Furthermore, it has been operating charger information platforms across South Korea to help drivers identify the nearest available charger that has the compatible plug type for their car.


Government-industry cooperation: the determinant for future transport

Transport affects every aspect of our lives and hence requires very thoughtful planning and development. This makes government-industry cooperation a crucial step to solving the world’s transport challenges. When making transport policies, the public and private sector must share the same vision and focus on establishing qualitative goals.

AUTOCRYPT will continue to work closely with the public sector on shaping a safe, efficient, sustainable, and inclusive transport ecosystem.

Exploring the Future of Mobility: What is a Software-Defined Vehicle?

In recent years, the automotive industry has been abuzz with the term “software-defined vehicle” (SDV). With an increasing number of original equipment manufacturers (OEMs) claiming to be at the forefront of SDV development, it’s essential to understand what truly makes a vehicle software-defined. In this blog post, we will delve into the concept of SDVs, their current state of development, and the industry trajectory for the future. 

The Ultimate SDV: What Does It Entail? 

Before we dive into the ultimate vision for SDVs, it’s crucial to recognize that modern vehicles already incorporate various software-defined features like in-vehicle infotainment, driver assistance systems, and cellular connectivity technologies. These features are adding advanced capabilities to our vehicles, digitizing the way we interact with our cars and improving the driving experience. However, they do not represent the final destination of SDV technology. 

The ultimate SDV is a vehicle that has undergone a profound transformation in its design and functionality. It is not just about adding software-enabled features; it’s about making software the central nervous system of the vehicle.

An SDV’s value lies primarily in the software that enables advanced capabilities like cloud connectivity and autonomous driving. And while the hardware is still important, software will be the differentiating factor in new generation SDVs. Software maintenance and upgrading will be the most economical, convenient, and efficient way for future OEMs to provide a differentiated product and improve customer satisfaction. OEMs are spending countless resources on R&D to make this possible. 

The ultimate software-defined vehicle is a supercomputer vehicle that supports increased flexibility, customization, and remote upgradeability of functionalities.  

A crucial element that enables this level of flexibility in SDVs is cloud connectivity, which powers over-the-air (OTA) software downloads and updates. Vehicle-cloud connectivity has the potential to significantly cut back costs for new software rollouts, as new functionalities can be introduced over-the-air without the need to alter underlying hardware.

Besides development cost savings, OTA software implementation can create monetary value for OEMs in the form of software subscription models. We have already seen this phenomenon rise in the industry with the likes of Tesla offering subscription-based functionalities, like full self-driving, to its customers.

The goal of the industry is to reach a point where vehicle software and hardware development can be done independently from each other. This will require the entire industry to embrace innovation and shift away from the traditional vehicle manufacturing process. 

Necessary Technology for SDVs 

Emphasizing the role of software in a vehicle will require separating vehicle software from its hardware. Achieving complete software and hardware decoupling requires a fundamental shift in vehicle architecture and supply chain operations.  

Traditionally, Tier 2 electronic control unit (ECU) manufacturers embed software within the hardware. This limits OEMs from implementing software changes down the road. The decoupling of software from hardware would allow the vehicle software to operate independently, similar to a smartphone. Applications can be downloaded from the app store and updated OTA. 

In addition, complete software-hardware decoupling has the potential to significantly accelerate software development times. This enables scaled and continuous software improvement across a vehicle’s serviceable life, all while incurring lower development costs.  

Reaching decoupling will take a complete reshuffling of the current distributed electrical/electronic (E/E) vehicle architecture into a centralized system defined by a central computing unit. This fundamental change is needed because a distributed vehicle architecture cannot keep up with the increasingly higher computing power needed for SDVs. Moreover, if a car has 100 ECUs, all of these ECUs would have different embedded software that could be based on completely different platforms. This makes software implementation very difficult, if not impossible.

Centralizing vehicle electronics simplifies management and allows for more efficient software integration. The development of a centralized architecture would allow OEMs to implement software updates directly to the central processing unit, which is exponentially more time and cost-efficient. It will also encourage OEMs to utilize standardized or open-source software platforms for SDVs. This shift will allow for higher system integration within the vehicle and functions like high-speed connectivity to the cloud, other vehicles, and smart infrastructure. 

Moreover, open-source software is gaining traction in the automotive sector. Open-source software platforms provide a collaborative environment for developers to contribute to SDV technology, accelerating innovation. 

Current State and Future Trajectory 

The entire automotive industry is currently in the midst of the transformation towards software-defined vehicles. Normally, Tier 2 component suppliers, who are in charge of embedding software within their chips, do not have direct contact with OEMs and have to go through Tier 1 suppliers. However, nowadays we are witnessing a seismic shift in supply chain operations signified by a demand for software suppliers. Tier 2 and pure-play software developers are gaining a stronger position within the supply chain, indicating a shift towards prioritizing software expertise. As the automotive industry is going through a technological shakeout, the supply chain is also turning more horizontal, allowing for less restricted relations between supply chain participants. 

Furthermore, there is a rising trend of industry collaboration as automakers realize the complexity and scale of SDV development. We have seen some of the largest traditional OEMs welcome partnerships with technology companies. Notable examples are partnerships between Qualcomm and Mercedes-Benz, BMW and Amazon, BYD and Baidu, where automakers are turning to tech companies to spearhead SDV development.

Cross-industry partnership is showing that the automotive sector is ready to steer away from tradition in the name of innovation.

Regulations and Standards 

As the SDV landscape evolves faster than ever, regulations and standards play a crucial role in ensuring vehicle safety and security. The United Nations UNECE WP.29 set out two regulations for vehicle type approval. UN R155 addresses vehicle type approval with a focus on cybersecurity and cybersecurity management systems, and UN R156 mandates secure software updates and implementation of software update management systems. 

These regulations enforce software-defined vehicle development that is secure by design. UN R155 mandates that cybersecurity principles are implemented at the core of business processes, vehicle architecture design, risk assessment, and security control implementation. This means that cybersecurity regulations are implemented throughout the entire supply chain.  

While these regulations are legally binding for the countries that have signed the agreement, ISO/SAE 21434 serves as an international standard for road vehicle cybersecurity engineering. Companies may choose to adhere to this standard voluntarily. 

Enabling SDVs is more than just creating advanced software for vehicles. SDVs must be designed with cybersecurity as a core element. Regulations and standards ensure safe and standardized SDV development.  


The concept of software-defined vehicles represents a transformative shift in the automotive industry. The ultimate SDV envisions complete software and hardware decoupling, cloud-based software, and a smart, connected driving experience. With the industry’s current trajectory towards SDV development, coupled with evolving regulations, we are witnessing the dawn of a new era in mobility where software takes the driver’s seat. 

AUTOCRYPT secures the rapidly evolving mobility space with in-vehicle cybersecurity solutions developed according to WP.29 and ISO standards. Backed by decades of expertise in automotive cybersecurity, we ensure a safe transition to software-defined vehicles.

To learn more about our services and solutions, contact global@autocrypt.io.

Risk Assessment for UN R155: A Closer Look at Vehicle Fuzzing

Have you ever wondered how vehicle manufacturers secure vehicles from cyber threats? The cybersecurity implementation process starts way before the vehicle hits the road and encounters any threats. During the manufacturing process, security experts hack the vehicle’s system to uncover any bugs and vulnerabilities that may be present in the embedded code. There are many different ways of doing that. One of them is called fuzzing. Fuzzing is a software risk assessment method that involves overflowing the system with random inputs to uncover bugs and vulnerabilities that are difficult to find through other testing methods. Fuzzing is done to test the vehicle’s software during the development process to make sure that the software is reliable and can be released to consumers.

Why do we need vehicle fuzzing?

In the automotive industry, original equipment manufacturers (OEMs) face regulatory obligations to address vehicle security risks. Compliance with UNECE WP.29 Regulation No. 155 (UN R155) requires vehicle manufacturers to implement an automotive cybersecurity management system (CSMS) to verify appropriate security measures in vehicle architecture. Here, the security measures signify comprehensive risk assessment, risk management, and mitigation procedures.

During the type approval process, manufacturers must verify the sufficiency of cybersecurity measures by demonstrating their risk identification and testing practices. Here is where fuzzing comes in.

Fuzzing is a technique for detecting software vulnerabilities by feeding intentionally invalid and unexpected data into the selected program with the intention of crashing it. Doing this helps detect bugs and vulnerabilities in the software that might not have been found otherwise. Vehicle fuzzing can be viewed as an essential and comprehensive way to test if the system functions correctly, thereby verifying the sufficiency of security measures.

Functional testing and penetration testing, among others, can also be used to verify the sufficiency of cybersecurity measures for UN R155 approval. According to the regulation, OEMs not only have to disclose the results of these tests but also keep testing procedures up to date.

Who is responsible for fuzzing?

Even though vehicle manufacturers are responsible for the regulatory type approval, cybersecurity regulations are aimed at the entire automotive industry. So, fuzzing does not have to be done exclusively by the vehicle manufacturer. Tier 1 suppliers and software providers are often asked to provide fuzzing results for their software as well. Moreover, third-party white hat hackers conduct fuzzing along with penetration testing on vehicles and report any newly found vulnerabilities to the manufacturers to receive a bounty. This type of third-party fuzzing is becoming a common practice in the industry, allowing for a wider pool of cybersecurity experts to participate in strengthening vehicle cybersecurity.

Types of vehicle fuzzing

In fact, members of the AUTOCRYPT Red Team have won a major OEM’s bounty for discovering several vehicle vulnerabilities after independently conducting fuzz tests. This type of independent fuzz testing is called a black box test. In other words, a black box fuzz test is a test where testers have no knowledge of the internal structure of the software and perform tests using only publicly available information. Led by award-winning ethical hacker Dr. Jonghyuk Song, the AUTOCRYPT Red Team is known for its innovative approaches to black box fuzzing on CAN and IP protocols.

Other types of fuzz tests include gray box and white box fuzzing. During a gray box fuzz test, hackers have no knowledge of the internal structure of the software, but some non-publicly available information is shared with them in advance. Gray box testing is one of the most commonly practiced fuzz tests in the industry. White box fuzzing is the most open type, where ethical hackers have access to the complete internal structure of the software.

The difference in the amount of information in each of the fuzzing types affects how the fuzzing test will be performed.

Performing vehicle fuzzing

The first step in the vehicle fuzzing process is to choose the target device. Fuzzing is aimed at testing the software operations of a specific device in a vehicle, and modern-day software-defined vehicles have no shortage of devices that need to be tested for potential bugs and vulnerabilities.

The next step is test case generation, which is when the intentional software overflow happens. The fuzzer generates random invalid inputs for the target device code to detect abnormalities. The intentional software “attack” happens during the test case delivery stage.

If the test is successful and the fuzzer detects an abnormality, the tool ceases operation. This happens because software overflow induces a system crash. Detected bugs are then reported and fuzzing has to be restarted to continue testing. The crash and restart process can make vehicle fuzzing a rather time-consuming endeavor. However, more advanced fuzzing solutions can automate operations to significantly reduce testing time.

For instance, AutoCrypt Security Fuzzer records the behaviors from the fuzzing target after a successful round of testing and automatically moves back to the second stage of test case generation. The results of the preceding tests are used to generate semi-random inputs using machine learning-based algorithms, greatly reducing fuzzing time while increasing the likelihood of bug detection. On top of that, if the Security Fuzzer causes a crash, it reproduces the same series of inputs based on the delivery history. Reproducing the test case allows for the replication of the test scenario, helping developers pinpoint the problems in the software. This algorithm-based smart fuzzing process allows for more precise and time-efficient testing.
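The generate, deliver, crash and replay loop described above can be sketched as follows. This is an added example, not code from AutoCrypt Security Fuzzer: the `ToyEcu` target, its message IDs and its planted bug are constructed for illustration, generation is plain seeded randomness rather than machine learning, and the final minimization step goes slightly beyond the text by shrinking the recorded delivery history to the frames that matter.

```python
import random

class ToyEcu:  # constructed stand-in for the target device: a stateful CAN-style handler
    def __init__(self):
        self.buf, self.length = bytearray(8), 0
    def handle(self, can_id, data):
        if can_id == 0x100 and data:
            self.length = data[0]            # planted bug: never checked against len(buf)
        elif can_id == 0x200:
            fill = data[0] if data else 0
            for i in range(self.length):
                self.buf[i] = fill           # IndexError once length > 8: the "crash"

def gen_frame(rng):
    """Test case generation: a random ID and 0-8 random payload bytes."""
    can_id = rng.choice([0x100, 0x200, rng.randrange(0x800)])
    return can_id, bytes(rng.randrange(256) for _ in range(rng.randrange(9)))

def deliver(target, frame):
    try:
        target.handle(*frame)
    except Exception as exc:                 # any unhandled exception counts as a crash
        return repr(exc)

def replay(history):
    """Deliver a recorded series to a fresh target; return (index, error) of the crash."""
    target = ToyEcu()
    for n, frame in enumerate(history):
        if (err := deliver(target, frame)):
            return n, err
    return None, None

def fuzz(seed, max_frames=10_000):
    """Generate and deliver frames until the target crashes; keep the delivery history."""
    rng, target, history = random.Random(seed), ToyEcu(), []
    for _ in range(max_frames):
        history.append(gen_frame(rng))       # log before delivery so the last frame is kept
        if (err := deliver(target, history[-1])):
            return history, err
    return history, None

def minimize(history):
    """Drop each frame whose removal still reproduces a crash on replay."""
    i = 0
    while i < len(history):
        trial = history[:i] + history[i + 1:]
        history, i = (trial, i) if replay(trial)[1] else (history, i + 1)
    return history
```

Because the bug only triggers when a length-setting frame precedes a write frame, replaying the last frame alone does not reproduce it, which is why the whole delivery history is recorded.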


Fuzzing is unique among its counterparts in that it can help uncover vulnerabilities that were previously unknown and help protect vehicle systems from zero-day attacks. Its special ability to detect unprecedented software issues makes it essential for vulnerability testing and risk assessment for UN R155. While complex and time-consuming, a fuzz test can be viewed as a health check-up that gives you an insight into how the systems are performing when there are no apparent symptoms present. When paired with other cybersecurity measures like penetration testing, a fuzz test can generate a holistic picture of in-vehicle systems operations and cybersecurity measure robustness.

To learn more about AUTOCRYPT’s vehicle cybersecurity testing measures and cybersecurity regulation compliance consulting services, contact global@autocrypt.io.