The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own held its first ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers had identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years; however, they are only now becoming popular in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by means of hacking into specific components of a vehicle. This proactive way of cybersecurity testing allows for the uncovering of security gaps in a controlled environment. 

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.

For instance, to identify security gaps in a vehicle’s external communications, a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments, manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations, manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect and respond to possible cyber attacks, and log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).


As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.

AUTOCRYPT Launches Cybersecurity Testing Platform for UN R155/156 and GB Compliance

New platform enables automotive OEMs to conduct regulatory compliant security testing and share integrated results for vehicle type approval

SEOUL, Feb. 20, 2024 — Automotive cybersecurity company AUTOCRYPT announced the launch of AutoCrypt CSTP, a comprehensive cybersecurity testing platform that enables integrated cybersecurity testing for vehicle type approval, in compliance with UNECE’s Regulations 155/156 and SAC’s GB and GB/T standards.

As UN R155 and R156 take full effect on all vehicles beginning July 2024, automotive OEMs and vehicle inspection centers will be obligated to conduct cybersecurity testing and validations based on the required criteria. AutoCrypt CSTP provides a comprehensive platform that runs a variety of vulnerability testing techniques using test cases mapped out for UN R155/156 and GB (GB/T).

With customizable hardware adaptable to PC and test bench environments, AutoCrypt CSTP offers test case licenses for three types of tests:

  1. Penetration testing: Users can select penetration testing scenarios crafted by AUTOCRYPT’s offensive security testing team.
  2. Engineering Specification Testing: AUTOCRYPT offers test cases based on a vehicle’s engineering specifications, enabling the accurate validation of vehicle functions.
  3. Fuzz Testing: Utilizing technology from AUTOCRYPT’s proprietary vehicle fuzzing tools, AutoCrypt CSTP provides compact test cases generated by AI-based algorithms.

From test case selection and configuration to real-time logging and report generation, the entire testing process can be managed on an intuitive GUI, which can be securely linked to all inspection centers and authorities in different countries, consequently empowering faster and more precise decision-making.

“We developed AutoCrypt CSTP to give automotive OEMs the freedom to customize their test cases and select only the licenses they need for their environment, while obtaining testing results ready for vehicle type approval,” AUTOCRYPT’s CEO, Daniel ES Kim, remarked. “Furthermore, the platform enables multi-ECU testing grouped by projects, requiring less manual intervention. The goal of making this platform is to help manufacturers allocate their resources efficiently and reduce unnecessary spending.”

Besides the testing platform, AUTOCRYPT also offers fuzz testing and penetration testing services customized for the OEM’s environments and needs, along with CSMS and TARA consulting services for UN R155/156 compliance.

About Autocrypt Co., Ltd.

AUTOCRYPT is the industry leader in automotive cybersecurity and smart mobility technologies. The company specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, Plug&Charge, and mobility platforms, paving the way towards a secure and reliable C-ITS ecosystem in the age of software-defined vehicles. AUTOCRYPT also provides consulting and testing services along with holistic solutions for UN R155/156 and ISO/SAE 21434 compliance.

Vehicle Tech at CES 2024: The Official Introduction of Software-Defined Vehicles

CES 2024 introduced the world to the new era of software-defined vehicles, signifying the beginning of a massive technology transition in the automotive field. At its CES debut, AUTOCRYPT emphasized the importance of automotive cybersecurity for software-defined vehicles, while demonstrating its security solutions and testing tools for in-vehicle systems and V2X communications.

On January 9, 2024, AUTOCRYPT made its first appearance at CES, the world’s most influential tech event. Taking place conveniently at the beginning of the year, CES is the biggest stage for tech companies across the globe to showcase their innovations of the year. This year, more than 4,000 exhibitors and over 130,000 industry attendees gathered in Las Vegas for the show.

Originally known as the Consumer Electronics Show, the scope of CES has expanded far beyond consumer electronic products and now encompasses all types of technologies used throughout all stages of the value chain. Starting in 2019, the automotive tech industry has been playing an increasingly dominant role at the show, showcasing advanced automotive technologies like electric vehicles and autonomous vehicles.

Vehicle Tech Trend at CES 2024: Software-Defined Vehicles

At CES 2024, vehicle and mobility-related technology accounted for nearly half of the entire exhibition. The automotive industry has now become the center of technology innovations, a phenomenon driven by two major transitions in the industry:

  1. The shift from internal combustion engines to electric motors
  2. The switch from hardware-centric to software-centric vehicular architecture

The first transition was shown in previous CES exhibitions, where manufacturers showcased their latest electric vehicle models and concepts. The share of electric vehicles on the roads has also increased significantly throughout the past few years. CES 2024 brought the focus to the second transition, which has been less apparent to the public. Automotive OEMs and suppliers are now showcasing the latest software-centric architecture, operating systems, platforms, and applications, all of which are based on the fundamental concept of software-defined vehicles.


Breaking Down the Software-Defined Vehicle

What is the SDV?

The term “software-defined vehicle”, or “SDV”, has been widely used within the automotive industry to describe cars whose functionality and features can be upgraded over time through software updates. These cars provide a user experience comparable to smartphones and computers, often equipped with a tablet-like central console that controls all features.

Standardized middleware

The transition to SDVs requires a complete overhaul of the automotive manufacturing process. The transition not only requires the decoupling of hardware and software, but also the ability to perform software updates to specific components without impacting the interoperability of these components with the rest of the vehicle. The AUTOSAR Adaptive Platform is a middleware built for this purpose, allowing different manufacturers to build and update software on a standardized platform. In the end, automotive OEMs will need to dedicate most of their resources to software consolidation rather than hardware assembly.

Growing range of communication protocols

The growing diversity of vehicular applications leads to a growing need for dedicated communication protocols. The fundamental CAN (CAN FD) and FlexRay buses are signal-based communication channels necessary for real-time safety-critical (ASIL-D) use cases, such as braking, steering, airbag activation, and engine control. Yet, these protocols do not provide enough bandwidth for multi-tasking and large data transfers. This led to the implementation of many new communication protocols. Ethernet, for instance, is becoming increasingly prevalent in cars as it offers extremely high bandwidth at low cost, making it best suited for advanced applications. SOME/IP is used to connect ECUs of different sizes, such as the in-vehicle infotainment (IVI), head unit, telematics control unit, and cameras.

Centralized E/E architecture

With the growing number of advanced features, a high-end car can have up to 300 ECUs. This is overly complex to build on a conventional distributed E/E architecture—there is simply not enough room to fit all the cables and wires.

A conventional distributed E/E architecture

To reduce the number of cables and wires while accommodating all the advanced applications, advanced processors like zonal controllers and high-performance computers (HPC) must be adopted. Different from controller-based ECUs, these processor-based ECUs consolidate a wide range of software from different domains and process them on a single central computing unit. Since they can communicate via multiple protocols, functional domains like ADAS, IVI, and body control can all be executed on a single HPC.

A centralized (zonal) E/E architecture

CES 2024: Major chipmakers now making automotive processors for SDVs.

Automotive OS

The complete software stack of a software-defined vehicle is commonly referred to as the “automotive OS”. This contains the HPC, the hypervisor (which allows the HPC hardware to execute both backend applications and the frontend UX), the backend OS (OSEK OS, Linux, QNX), the user OS (Android Automotive, not to be confused with Android Auto), the AUTOSAR Adaptive stack, and the applications, which are often placed in containers for easy management and updates.

CES 2024: Automotive OEMs and suppliers showcase their SDV OS, HPCs, and platforms.

Automotive cybersecurity

As automotive OEMs become software companies, cybersecurity becomes essential. In fact, cybersecurity is an integral component of SDVs, as standardized by ISO/SAE 21434 and regulated by UN Regulations 155/156. When implementing the automotive OS, end-to-end encryption, two-way authentication, and threat detection mechanisms must be incorporated to secure the in-vehicle network and monitor abnormal ECU activities.

Besides embedded security software, automotive cybersecurity must begin at the vehicle development stage, where vulnerability tests like software composition analysis and fuzzing have become legal requirements.

As an industry-leading automotive cybersecurity company, AUTOCRYPT offers a comprehensive cybersecurity solution for software-defined vehicles, covering vulnerability testing, TARA, and embedded security, all of which are custom-built to support all types of communication protocols and platforms. Its latest development – AutoCrypt Security Fuzzer for HIL – enables fuzz testing in a hardware-in-the-loop (HIL) simulation environment.

CES 2024: AUTOCRYPT demonstrates its cybersecurity solutions for SDVs.

The Future of SDVs: Autonomous Driving, In-Car Shopping, Shared Mobility

The transition to SDVs is fundamental to autonomous driving, given that autonomous driving software needs continuous updates. Autonomous vehicles continue to be a major topic at CES 2024. What’s different from the past is that there is now a much wider array of use cases for autonomous mobility, from last-mile delivery vehicles to remote-driving tractors.

Other trends that accompany the SDV evolution include the growing number of in-vehicle infotainment features such as online shopping and media consumption, as well as the emergence of purpose-built vehicles made for specific use cases.

CES 2024: The IVI dashboard of an autonomous vehicle (left) and a last-mile delivery vehicle (right)

Ultimately, SDVs are creating a new ecosystem that is attracting all types of technological innovations and opportunities, an ecosystem that is more scalable and adaptable than smartphones. Therefore, SDV-related technologies are expected to dominate the tech industry for many years to come.

AUTOCRYPT and Cohda Wireless Sign MOU at CES 2024 to Collaborate on Security-Integrated V2X Solution

LAS VEGAS, Jan. 11, 2024 — AUTOCRYPT, a leading automotive cybersecurity and mobility solutions provider, and Cohda Wireless, a global connected vehicle solutions company, signed a Memorandum of Understanding on the opening day of CES 2024, kickstarting their collaborations on bringing a secure, full-stack solution for V2X communications.

Cohda Wireless is a global leader in V2X technology both in R&D and commercialization, with the world’s most advanced V2X software stacks supporting both 802.11p and C-V2X protocols. They are active in the European, US and Asian markets, with products compliant with the respective regional standards. Cohda Wireless solutions have undergone extensive compliance and interoperability testing and have notched up over one million vehicle-days of field testing.

As a pioneer in automotive cybersecurity, AUTOCRYPT has over a decade of experience and expertise in securing V2X connectivity. Its offerings encompass a security library for end entities, a V2X PKI platform with misbehaviour detection, and an integrated management dashboard for SCMS operations.

Both companies share a vision of a safe and seamless C-ITS ecosystem for all road users. As part of the collaboration, AUTOCRYPT’s V2X security library, AutoCrypt V2X-EE, will be integrated into the overall V2X software stacks of Cohda Wireless, shaping a full-stack, secure V2X solution for automotive OEMs and Tier-1 suppliers.

“AUTOCRYPT provides the world’s first and only V2X security solution adaptable to all major V2X PKI standards, including the US SCMS, EU CCMS, and Chinese C-SCMS. This enables us to offer customized solutions to clients across the globe,” said Daniel ES Kim, CEO of AUTOCRYPT. “We are excited to collaborate with Cohda Wireless on offering a complete V2X software stack to ensure the reliability of V2X communications.”

“We are delighted to be a part of another global first in our industry,” explained Cohda CEO Dr. Paul Gray. “As the implementation of connected intelligent transport systems rolls out across the globe, so will there be an ever-increasing need to safeguard sensitive data. Our partnership with AUTOCRYPT adds an additional layer of maturity to our product that we believe the market will recognize.”

About Autocrypt Co., Ltd.

AUTOCRYPT is the leading player in automotive cybersecurity and smart mobility technologies. It specializes in the development and integration of security software and solutions for in-vehicle systems, V2X communications, Plug&Charge, and fleet management, paving the way towards a secure and reliable C-ITS ecosystem in the age of software-defined vehicles. AUTOCRYPT also provides management and service platforms for the operators and end users of MaaS, contributing to sustainable and universal mobility.

Built to support both AUTOSAR and legacy vehicular platforms, AUTOCRYPT’s In-Vehicle Systems Security solution helps automotive OEMs and suppliers comply with both ISO/SAE 21434 and UN R155. The company is also the sole V2X security provider for all South Korea’s C-ITS projects, securing over 5,000 km of smart roads.

About Cohda Wireless Pty Ltd

Cohda Wireless is a global leader in the development of Connected Vehicles and Connected Autonomous Vehicle software with proven applications for Smart City, Mining and other environments. Cohda’s technology connects vehicles with infrastructure and pedestrians to make our streets, cities and working environments safer, smarter and greener. Cohda is headquartered in Australia and has offices in Europe, China and the USA.

Cohda Wireless’s innovative software solutions enable autonomous vehicles to connect with other vehicles and with Smart City infrastructure. These connections span Vehicle-to-Vehicle, Vehicle-to-Infrastructure, and Vehicle-to-Pedestrian (collectively called V2X), and allow CAVs to ‘talk’ to each other, Smart Cities, and vulnerable road users in order to avoid accidents, reduce congestion and be more efficient. Cohda partners with Tier 1 Automotive Suppliers, ITS Equipment Vendors, and Mining Equipment Technology and Services (METS) vendors to provide complete hardware/software solutions to Car Makers, Smart Cities, and Mine Operators, respectively. Cohda’s products are used widely in locations including the USA, Europe, Australia, Japan, Africa, Middle East, China, Singapore and Korea.

AUTOCRYPT Gains Attention at CES 2024 with Vehicle Fuzzing Solution, CSRO Wins SDV Innovator Awards

LAS VEGAS, Jan. 11, 2024 — Automotive cybersecurity and mobility solutions company AUTOCRYPT showcased its embedded systems and V2X security solutions for software-defined vehicles (SDV) at CES 2024, gaining attention with its smart fuzzing solution dedicated to automotive protocols.

AUTOCRYPT’s capability in vehicle fuzzing has also been recognized by industry professionals. On the evening of the event’s opening day, AUTOCRYPT’s Chief Security Research Officer (CSRO), Dr. Jonghyuk Song, was announced as the winner in the “Experts” category of the 2024 MotorTrend SDV Innovator Awards, recognized for his groundbreaking research and leadership at AUTOCRYPT.

As Director of AUTOCRYPT’s Vehicle Threat Research Lab, Dr. Song has led the lab in developing one of the world’s first fuzzing tools designed for vehicular protocols, including UDS, CAN, Wi-Fi, Bluetooth LE, and Ethernet. This differentiates AutoCrypt Security Fuzzer from conventional fuzz testers, allowing it to detect vulnerabilities with exceptionally high accuracy in much less time.

Throughout 2023, the VTR Lab has also collaborated with RWTH Aachen University to develop AutoCrypt Security Fuzzer for HIL, enabling fuzzing in hardware-in-the-loop (HIL) simulations. The team also conducts regular offensive security testing on vehicle ECUs, and is recognized by major manufacturers as experts in ethical hacking.

“The goal of the VTR Lab is to improve the effectiveness and efficiency of vehicle testing within and beyond the established framework of UN R155 and ISO/SAE 21434,” said Dr. Song. “I’m honored to be recognized – it allows for more attention and focus on the need for cybersecurity for software-defined vehicles. Ultimately, we want to help OEMs and suppliers eliminate such risks and bring safe, secure mobility for all road users.”

Infographic: 2023 Year in Review

This year was full of innovation and exciting new partnerships. We want to thank our investors, partners, clients, readers, and visitors for your support in 2023. We are looking forward to what 2024 will bring!

Have a Happy New Year!

See below for a summary of AUTOCRYPT’s accomplishments in 2023.

New solutions:

AutoCrypt TEE – an ASPICE CL2-certified in-vehicle systems security solution that utilizes the trusted execution environment to secure advanced applications like ADAS, IVI, and CCU

AutoCrypt Security Fuzzer for HIL – an add-on version to the existing Security Fuzzer, the “AutoCrypt Security Fuzzer for HIL” is a fuzz test solution optimized for vehicle HIL simulations that helps OEMs detect and report vulnerabilities for safety validation

“TARA Template for Automotive” – a project management tool for conducting Threat Analysis and Risk Assessment (TARA), a process crucial to the development and maintenance of automotive software

EVIQ CSMS for Plug&Charge – an add-on tool that will seamlessly guide the deployment and management of Plug&Charge operations, available for charge point operators and e-mobility service providers

AutoCrypt KEY – a tool that enables OEMs and suppliers to efficiently manage all types of cryptographic keys used for the components of connected and electric vehicles. AutoCrypt KEY provides all the key management features needed for automotive production

Major partnerships:

AUTOCRYPT and RWTH Aachen University jointly developed “AutoCrypt Security Fuzzer for HIL”, enabling smart fuzzing in HIL simulations.

AUTOCRYPT and V2ROADS entered a cooperation agreement to deliver a full-stack secure V2X solution to Europe, North America, and South Asia.

AUTOCRYPT joined forces with Hitachi Solutions, Ltd. to provide joint offerings and consulting services covering V2X and in-vehicle systems security to Japanese automotive OEMs and tier suppliers.

AUTOCRYPT partnered with a world-renowned Tier-1 telematics supplier, where AUTOCRYPT integrated its V2X security library into the supplier’s OBU.

AutoCrypt V2X-PKI, a tri-standard compliant SCMS platform, was adopted by a global automotive OEM to manage its SCMS operations under the EU CCMS standard.

Certificates:

ASPICE – AUTOCRYPT was recognized with an ASPICE Capability Level (CL) 2 certification for its AutoCrypt TEE software security platform and its well-established processes in securing in-vehicle systems and software.

Events:

This year we had the chance to connect with partners and clients, as well as showcase our solutions, at some of the most coveted global events in the automotive industry.

  • UITP Global Public Transport Summit 2023
  • ITF 2023 Summit
  • ITS European Congress 2023
  • AutoTech Detroit 2023
  • Electric Vehicle Asia 2023
  • IAA Mobility 2023
  • Aachen Colloquium 2023
  • Expand North Star Dubai