Compliance with UN R156: Securing Vehicle Software Updates

In the past, vehicles were purchased with a fixed set of functionalities that remained unchanged until the owner acquired a new vehicle. However, modern cars have evolved into customizable platforms with software that can be continuously updated and enhanced.

To meet the growing demand for personalization and remain competitive, manufacturers now offer advanced features that can be subscribed to and downloaded onto vehicles at any time after purchase. These functionalities, such as entertainment applications, driver assistance systems, self-driving capabilities, and others, are constantly being improved and updated.

Maintaining this kind of flexible software structure requires vehicle manufacturers to implement periodic update procedures. However, since these updates essentially alter the vehicle’s software and carry a fair amount of potential risks, it is crucial that they are implemented in the most secure way possible. This is where the UNECE Regulation 156 (UN R156) comes into play, establishing a much-needed framework for secure vehicle software updates.

UN R156 Requirements

UNECE Regulation 156 establishes the minimum cybersecurity and Software Update Management System (SUMS) requirements for vehicle manufacturers. According to the regulation, manufacturers must implement the SUMS and demonstrate that they have the necessary processes in place to comply with all secure software update requirements. The requirements can be divided into two main categories:

  1. Software Update Management System Requirements: These include securing communication channels for updates, validating software integrity, implementing access control mechanisms, and maintaining update logs for auditing purposes.
  2. Vehicle Type Requirements: Specific rules and standards that vehicles must meet to ensure secure software updates.

As vehicles become increasingly software-defined, the ability to update their software securely and efficiently is paramount as unsecured software updates can leave vehicles vulnerable to cyber threats, such as malware infections, data breaches, or even remote control of vehicle systems. These risks can compromise vehicle safety, privacy, and security, making it essential to implement robust cybersecurity measures for software updates.

Securing Updates for UN R156 compliance

UNECE Regulation 156 requires manufacturers to implement appropriate cybersecurity measures to mitigate potential risks from software updates. These measures include:

  • Implementing a software update management system
  • Securing communication channels for update processes
  • Validating software integrity to prevent tampering
  • Implementing access control mechanisms to protect against unauthorized access
  • Maintaining update logs for auditing purposes

AUTOCRYPT offers a suite of in-vehicle cybersecurity products and solutions that implement the necessary security processes in line with UN R156 requirements for secure software updates. Apart from cybersecurity implementation, we also offer UN R155/156 compliance consulting services. Visit our UNECE WP.29 Consulting page to learn more and download the WP.29 regulation checklist outlining the steps for UNECE regulation compliance.

As the automotive industry continues to embrace software-defined vehicles, UN R156 plays a crucial role in ensuring the safe and secure updating of vehicle software. By establishing baseline requirements for cybersecurity and software update management systems, this regulation helps protect vehicles, their occupants, and the broader transportation ecosystem from potential cyber threats. Compliance with UNECE Regulation 156 is a critical step towards building a safer and more secure future for the automotive industry.

The Role of Penetration Testing in the Automotive Industry

The esteemed hackathon Pwn2Own has had its first ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years, however, they are just getting popular in the automotive sector.

During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.

As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.

Understanding Automotive Penetration Testing

Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by means of hacking into specific components of a vehicle. This proactive way of cybersecurity testing allows for the uncovering of security gaps in a controlled environment. 

Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.

Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.

Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.

For instance, to identify security gaps in a vehicle’s external communications a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.

Why Automotive Penetration Testing Matters

By conducting thorough security assessments manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.

Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.

To comply with the regulations manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect, and respond to possible cyber attacks, as well as log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.

The Importance of Collaboration for Cybersecurity Testing

Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.

AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).

As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.

Infographic: 2023 Year in Review

This year was full of innovation and exciting new partnerships. We want to thank our investors, partners, clients, readers, and visitors for your support in 2023. We are looking forward to what 2024 will bring!

Have a Happy New Year !

See below for a summary of AUTOCRYPT’s accomplishments in 2023.

Download PDF

(Accessibility version below)

New solutions:

AutoCrypt TEE – an ASPICE CL2-certified in-vehicle systems security solution that utilizes the trusted execution environment to secure advanced applications like ADAS, IVI, and CCU

AutoCrypt Security Fuzzer for HIL  – an add-on version to the existing Security Fuzzer, the “AutoCrypt Security Fuzzer for HIL” is fuzz test solution optimized for vehicle HIL simulations that helps OEMs detect and report vulnerabilities for safety validation

“TARA Template for Automotive” – a project management tool for conducting Threat Analysis and Risk Assessment (TARA), a process crucial to the development and maintenance of automotive software

EVIQ CSMS for Plug&Charge an add-on tool that will seamlessly guide the deployment and management of Plug&Charge operations, available for charge point operators and e-mobility service providers

AutoCrypt KEY – a tool that enables OEMs and suppliers to efficiently manage all types of cryptographic keys used for the components of connected and electric vehicles. AutoCrypt KEY provides all the key management features needed for automotive production

Major partnerships:

AUTOCRYPT and RWTH Aachen University jointly developed “AutoCrypt Security Fuzzer for HIL”, enabling smart fuzzing in HIL simulations.

AUTOCRYPT and V2ROADS entered a cooperation agreement to deliver a full-stack secure V2X solution to Europe, North America, and South Asia.

AUTOCRYPT joined forces with Hitachi Solutions, Ltd. to provide joint offerings and consulting services covering V2X and in-vehicle systems security to Japanese automotive OEMs and tier suppliers.

AUTOCRYPT partnered with a world-renowned Tier-1 telematics supplier, where AUTOCRYPT integrated its V2X security library into the supplier’s OBU.

AutoCrypt V2X-PKI, a tri-standard compliant SCMS platform, was adopted by a global automotive OEM to manage its SCMS operations under the EU CCMS standard.


ASPICE → AUTOCRYPT was recognized with an ASPICE Capability Level (CL) 2 certification for its AutoCrypt TEE software security platform and its well-established processes in securing in-vehicle systems and software.


This year we had the chance to connect with partners and clients, as well as showcase our solutions, at some of the most coveted global events in automotive industry.

  • UITP Global Public Transport Summit 2023
  • ITF 2023 Summit
  • ITS European Congress 2023
  • AutoTech Detroit 2023
  • Electric Vehicle Asia 2023
  • IAA Mobility 2023
  • Aachen Colloquium 2023
  • Expand North Star Dubai

Trends in Vehicle Vulnerabilities: A 2023 Report

In recent years, the automotive sector has undergone a profound transformation driven by innovation. The past decade witnessed a rapid digitization of vehicles, the ascent of electric powertrains, the advent of software-defined systems, and the ongoing development of autonomous vehicles. These technological advancements have elevated automobiles beyond mere modes of transportation. However, they also made vehicles increasingly susceptible to cyberattacks. Unfortunately, the pace of implementing in-vehicle cybersecurity measures has lagged behind the speed of innovation, leaving modern vehicles at an alarming risk.

A comprehensive study conducted by IOActive has meticulously analyzed the trends in vehicle vulnerabilities, pooling data from 2016 to 2022. This study sheds light on the evolving threat landscape within the automotive industry, classifying data according to various attack vectors, namely local, physical, network, and peripheral RF.

Key Findings:

Networked Connection Attacks: The most striking revelation from the study is the surge in attacks exploiting networked connections, accounting for nearly half of all attacks in 2022. This signifies a prominent shift towards remote cyberattacks targeting vehicles.

Local Attacks: Local vehicle software, including operating systems, Electronic Control Units (ECUs), and Software Bill of Materials (SBOMs), accounted for 40% of disclosed vulnerabilities. This highlights the growing risk of exploiting vulnerabilities within a vehicle’s software ecosystem.

Physical Hardware Attacks: Physical hardware-associated vulnerabilities witnessed a significant decline, plummeting by 15%. This decline can be attributed to the automotive industry’s increasing focus on remote attack vectors.

Peripheral RF Attacks: Intriguingly, a novel category of attack vectors, peripheral RF attacks, emerged, representing 1% of the total vulnerabilities. This indicates the shifting landscape of vehicle cybersecurity needs and the expanding spectrum of threats.

Now, let’s delve into a closer examination of each attack vector:

Local Attacks

Local attacks primarily exploit vulnerabilities within the vehicle’s software ecosystem. Examples include attacks on operating systems, ECUs, and SBOMs. A common local attack is spoofing, where malicious actors send synthetic signals to deceive the vehicle’s systems. Spoofing can lead to incorrect data interpretation, posing substantial risks to vehicle operation and passenger safety.

Over the past decade, local attacks have seen a 6% increase, reflecting the industry’s struggle to defend against software-based attacks, exacerbated by the increasing complexity of software in modern vehicles. Robust in-vehicle security systems are essential to mitigating the risks of local software attacks. Manufacturers must employ effective testing measures to identify and rectify software vulnerabilities.

Physical Hardware Attacks

While physical hardware attacks have experienced a notable decline, they continue to pose a tangible threat. These attacks necessitate the physical presence of a threat agent. An attack on vehicle hardware could provide unauthorized access to critical vehicle components, potentially allowing a takeover of the vehicle.

For instance, a USB attack targeting a vehicle’s infotainment system could compromise the Controller Area Network (CAN). To address these vulnerabilities, vehicle security systems must incorporate robust gateway security measures to protect against hardware-based intrusions.

Networked Connection Attacks

Emerging as a recent development, networked connection attacks exploit far-field RF spectrum, including wireless and cellular connections, backend networks, and vehicle-to-everything communications. Securing messages exchanged through vehicle-to-everything (V2X) communication channels is of paramount importance, particularly as the industry is gearing up for autonomous driving. Ensuring the authenticity of V2X messages is crucial to prevent masquerading attacks, which can disrupt traffic and compromise vehicle systems.

Original equipment manufacturers (OEMs) must implement cybersecurity practices that authenticate information and signals exchanged through V2X communications to mitigate the risks associated with networked connection attacks.

Peripheral RF Attacks

Peripheral RF attacks originate in the near-field RF spectrum, encompassing technologies like NFC, RFID, remote key entry, and on-board telematics. The 1% growth in peripheral RF attacks, as identified by IOActive’s analysis, is largely attributed to vulnerabilities related to Remote Key Entry (RKE) and Bluetooth.

One common manifestation of a peripheral RF attack is a relay attack, notably compromising key fob technology. Such attacks can allow unauthorized access to vehicles and even the ability to remotely start them. These attacks have become one of the most common causes of vehicle theft. In 2022, AUTOCRYPT’s Vehicle Threat Research Lab discovered a high severity (CVSS 8.1) relay attack vulnerability (CVE-2022-38766) in a popular electric vehicle in Europe. To counter these threats, vehicle owners can employ signal-blocking devices, while manufacturers should implement comprehensive cybersecurity measures to monitor and filter traffic at the gateway.

Vehicle attack vectors

In light of these evolving trends and vulnerabilities, it is imperative that advancements in the automotive sector go hand in hand with the development of robust cybersecurity measures.

AUTOCRYPT offers end-to-end vehicle cybersecurity solutions that safeguard vehicles from both internal and external threats, ensuring the continued safety and security of modern automobiles.

Risk Assessment for UN R155: A Closer Look at Vehicle Fuzzing

Have you ever wondered how vehicle manufacturers secure vehicles from cyber threats? The cybersecurity implementation process starts way before the vehicle hits the road and encounters any threats. During the manufacturing process, security experts hack the vehicle’s system to uncover any bugs and vulnerabilities that may be present in the embedded code. There are many different ways of doing that. One of them is called fuzzing. Fuzzing is a software risk assessment method that involves overflowing the system with random inputs to uncover bugs and vulnerabilities that are difficult to find through other testing methods. Fuzzing is done to test the vehicle’s software during the development process to make sure that the software is reliable and can be released to consumers.

Why do we need vehicle fuzzing?

In the automotive industry, original equipment manufacturers (OEMs) face regulatory obligations to address vehicle security risks. Compliance with UNECE WP.29 Regulation No. 155 (UN R155) requires vehicle manufacturers to implement an automotive cybersecurity management system (CSMS) to verify appropriate security measures in vehicle architecture. Here, the security measures signify comprehensive risk assessment, risk management, and mitigation procedures.

During the type approval process, manufacturers must verify the sufficiency of cybersecurity measures by demonstrating their risk identification and testing practices. Here is where fuzzing comes in.

Fuzzing is a technique for detecting software vulnerabilities by inputting intentionally invalid and unexpected data into the selected program with the intention to crash it. Doing this helps detect bugs and vulnerabilities in the software that may have not been found otherwise. Vehicle fuzzing can be viewed as an essential and comprehensive way to test if the system functions correctly, thereby verifying the sufficiency of security measures.

Functional testing and penetration testing, among others, can also be used to verify the sufficiency of cybersecurity measures for UN R155 approval. According to the regulation, OEMs not only have to disclose the results of these tests but also keep testing procedures up to date.

Who is responsible for fuzzing?

Even though vehicle manufacturers are responsible for the regulatory type approval, cybersecurity regulations are aimed at the entire automotive industry. So, fuzzing does not have to be done exclusively by the vehicle manufacturer. Tier 1 suppliers and software providers are often asked to provide fuzzing results for their software as well. Moreover, third-party white hat hackers conduct fuzzing along with penetration testing on vehicles and report any newly found vulnerabilities to the manufacturers to receive a bounty. This type of third-party fuzzing is becoming a common practice in the industry, allowing for a wider pool of cybersecurity experts to participate in strengthening vehicle cybersecurity.

Types of vehicle fuzzing

In fact, members of the AUTOCRYPT Red Team have won a major OEM’s bounty for discovering several vehicle vulnerabilities after independently conducting fuzz tests. This type of independent fuzz testing is called a black box test. In other words, a black box fuzz test defines a test where testers have no knowledge of the internal structure of the software, and perform tests by using only publicly available information. Led by award-winning ethical hacker Dr. Jonghyuk Song, AUTOCRYPT Red Team is known for its innovative approaches in black box fuzzing on CAN and IP protocols.

Other types of fuzz tests include gray box and white box fuzzing. During the gray box fuzz test hackers have no knowledge of the internal structure of the software, but some non-publicly available information is shared with them in advance. Gray box testing is one of the most commonly practiced fuzz tests in the industry. White box fuzzing is the most open type, where ethical hackers have access to the complete internal structure of the software.

The difference in the amount of information in each of the fuzzing types affects how the fuzzing test will be performed.

Performing vehicle fuzzing

The first step in the vehicle fuzzing process would be to choose the testing target device. Fuzzing is aimed at testing the software operations of a specific device in a vehicle and modern-day software-defined vehicles have no shortage of devices that need to be tested for potential bugs and vulnerabilities.

The next step is test case generation, which is when the intentional software overflow happens. The fuzzer generates random invalid inputs in the target device code to detect abnormalities. The intentional software “attack” happens during the test case delivery stage.

If the test is successful and the fuzzer detects an abnormality, the tool ceases operation. This happens because software overflow induces a system crash. Detected bugs are then reported and fuzzing has to be restarted to continue testing. The crash and restart process can make vehicle fuzzing a rather time-consuming endeavor. However, more advanced fuzzing solutions can automate operations to significantly reduce testing time.

For instance, AutoCrypt Security Fuzzer records the behaviors from the fuzzing target after a successful round of testing and automatically moves back to the second stage of test case generation. The results of the preceding tests are used to generate semi-random inputs using machine learning-based algorithms, greatly reducing fuzzing time while increasing the likelihood of bug detection. On top of that, if the Security Fuzzer causes a crash, it reproduces the same series of inputs based on the delivery history. Reproducing the test case allows for the replication of the test scenario, helping developers pinpoint the problems in the software. This algorithm-based smart fuzzing process allows for more precise and time-efficient testing.

Fuzzing is unique to its counterparts in that it can help uncover vulnerabilities that were previously unknown and help protect vehicle systems from zero-day attacks. Its special ability to detect unprecedented software issues makes it essential for vulnerability testing and risk assessment for UN R155. While complex and time-consuming, a fuzz test can be viewed as a health check-up that gives you an insight into how the systems are performing when there are no apparent symptoms present. When paired with other cybersecurity measures like penetration testing, a fuzz test can generate a holistic picture of in-vehicle systems operations and cybersecurity measure robustness.

To learn more about AUTOCRYPT’s vehicle cybersecurity testing measures and cybersecurity regulation compliance consulting services, contact