AutoCrypt Security Fuzzer Expands Vehicle Fuzzing Capabilities Through Major Upgrade

SEOUL, KOREA, September 5, 2023 — Automotive cybersecurity and mobility solutions company AUTOCRYPT released a major upgrade to its automotive fuzzing software—AutoCrypt Security Fuzzer. The upgrade (version 2.0) enables a much wider testing range and greater automation, allowing automotive OEMs to benefit from a more simplified and efficient fuzzing process for UN R155 (WP.29) compliance.

AutoCrypt Security Fuzzer was first released in December 2021. As the world’s first fuzzing solution for the vehicular environment, its fuzzing algorithms were built based on the structures of Unified Diagnostic Services (UDS), the communication protocol used in electronic control units (ECUs). Version 2.0 expands the testing range beyond ECUs to include other protocols like the Controller Area Network (CAN), Wi-Fi, Bluetooth Low Energy (BLE), and most importantly, Ethernet, which is a crucial component of software-defined vehicles. The v2.0 platform also allows new protocols to be added through software updates.

Offered through an intuitive UI, AutoCrypt Security Fuzzer v2.0 greatly improves the user experience. Yet, its biggest differentiation point is its smart fuzzing capabilities. It accurately identifies the functions and technical specifications of each test target and generates test cases based on these characteristics, ensuring that only relevant test cases are input into the program. Moreover, testing can be assigned at a project level, allowing for continuous testing for multiple ECUs. Even if an unexpected interruption occurs, the fuzzing process will continue based on its automation algorithms. All these features make AutoCrypt Security Fuzzer exceptionally efficient and easy to use.

AUTOCRYPT’s CEO, Daniel ES Kim, emphasized the importance of fuzz testing for vehicle production, “Fuzz testing is not just an effective way to identify software vulnerabilities at an early stage, but a necessary process to receive vehicle type approval as mandated by UN R155.” Regarding AutoCrypt Security Fuzzer, he added, “We developed the solution specifically for the automotive industry. It offers diagnostics services and NRC support features based on ISO 14229. It also provides support for all ISO-TP specifications as defined in ISO 15765.”

AutoCrypt Security Fuzzer is a component of AUTOCRYPT’s in-vehicle systems (IVS) security solution, an end-to-end automotive cybersecurity solution that secures all stages of the vehicle lifecycle, offering a wide range of products and services from TARA and security testing to the intrusion detection and prevention system (IDPS) and vehicle security operations center (vSOC). To learn more about AUTOCRYPT’s IVS solution, contact global@autocrypt.io.

ABOUT AUTOCRYPT

AUTOCRYPT is the leading player in automotive cybersecurity and smart mobility technologies. It specializes in the development and integration of security software and processes for in-vehicle systems, V2X communications, Plug&Charge, and fleet management, paving the way toward a secure and reliable C-ITS ecosystem. AUTOCRYPT also provides management and service platforms for the operators and end users of e-mobility and MaaS, contributing to sustainable and universal mobility.

AUTOCRYPT and RWTH Aachen University Co-Develop Fuzzing Solution for HIL Simulation

SEOUL, KOREA, July 6, 2023 — Automotive cybersecurity and mobility solutions provider AUTOCRYPT announced its new “AutoCrypt Security Fuzzer for HIL” solution, jointly developed by AUTOCRYPT and RWTH Aachen University as part of their industry-academia partnership. As an add-on version of the existing AutoCrypt Security Fuzzer, the new tool enables fuzz testing in the HIL simulation environment.

Hardware-in-the-loop (HIL) simulation is a testing platform created by generating a virtual simulation of the in-vehicle architecture so that all systems and operations can be pre-validated before producing and conducting tests on the physical vehicle. Given that a modern vehicle contains over 1,000 semiconductors, being able to pre-validate the systems through a virtual simulation greatly reduces the complexity and costs of early-stage testing.

AutoCrypt Security Fuzzer for HIL is a fuzz testing solution optimized for vehicle HIL simulations, fuzzing against the virtual operations of the vehicle systems and ECUs to detect and report vulnerabilities. As the world’s first fuzzing solution for vehicle HIL simulations, it complies with vehicular cybersecurity standards ISO 21434 and UN R155, and functional safety standard ISO 26262 regarding electrical current stability.

AUTOCRYPT’s CEO, Daniel ES Kim noted that “existing HIL tests mainly verify system integrity in certain specific scenarios, but AutoCrypt Security Fuzzer for HIL detects unprecedented vulnerabilities by exploring unexpected system abuse cases.” Regarding the partnership, he added, “We are excited to partner with one of the leading European universities. With contributions by RWTH Aachen University, we are now at the automation and advancement stages of the development process.”

Along with fuzz testing, AUTOCRYPT provides a full range of vulnerability testing tools and security validation services dedicated to different stages of the automotive manufacturing process, helping OEMs exceed cybersecurity regulatory requirements and save on production costs.

For more information with regard to AutoCrypt Security Fuzzer for HIL, contact global@autocrypt.io.

3 Ways of Testing Automotive Cybersecurity Management Systems

The future looks bright for connected and autonomous vehicles (CAVs). In fact, analysts at McKinsey say that by 2030, 45% of new vehicles will be at SAE level 3 or higher, with market share value at 450 to 750 billion USD. But as the market grows, so does the risk of cybercrime targeting new automotive technologies. This is precisely why governments and manufacturers are on edge, implementing regulations like the 2020 WP.29 regulations, which mandate that cybersecurity management systems be in place. In the next couple of years, manufacturers will have to ensure that their vehicle models meet the requirements to obtain type approval for cybersecurity measures. However, what many tend to forget is that implementing a cybersecurity management system (CSMS) is not the end of the road. Testing is a major part of ensuring that the CSMS is fulfilling its duties. After all, there is really no point in implementing a system if you cannot be sure that it is working properly.

Here are the tests that will help make sure that the CSMS is really safeguarding your vehicle, defending your car and its systems from potential attacks.

1) Vulnerability Scanning

In any cybersecurity management system, assessing and mitigating vulnerabilities is key to ensuring that the product operates as securely as possible. Vulnerability scanning is not a one-time check; it should be executed at each level of the product development process to allow for maximum mitigation and comprehensive analysis of additional threats.

There are two specific types of testing to take note of when vulnerability scanning, and both are equally important.

Software Static Testing

Software static testing is testing the source or object code without executing it to find and eliminate errors or ambiguities. It is usually done in the early stages of development. This step is crucial as it can uncover major issues like leaks, buffer overflows, and deviations from standards. Because testing is done at an early stage, it can ward against increased development timescales, and allow for fewer issues to be found at later stages of development, which can often be much more costly and time-consuming to fix.

Software Dynamic Testing

Static testing’s counterpart, dynamic testing, executes the code in order to find weak areas in runtime environments and in the behavior of dynamic variables. The main goal of dynamic testing is to make sure that the system is functioning properly without any flaws. Since the code is actually executed, dynamic testing can take a bit longer than static testing and can increase the costs of the final product, as the flaws that are found will take more resources to mitigate. However, dynamic testing will find the issues that were missed by static testing, usually finding more complex defects.

2) Fuzz Testing, or “Fuzzing”

The next step is “fuzzing”, or fuzz testing. Fuzz testing means feeding “fuzz” (invalid or random data) into the application or software and monitoring for crashes, potential memory leaks, or failed code. The invalid or random data is usually generated by an automated program.

Fuzzing can be useful because it adds an element that cannot be generated by a human. However, it has limitations: it usually detects simple or basic threats, meaning it needs to be combined with other testing techniques to fully secure your security management system.
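The loop described above, as an added example that is not from the original article or from AUTOCRYPT's product: a fuzzer feeds malformed frames to a parser and separates clean rejections from crashes, then repeats the run against a hardened parser. The frame layout, `parse_frame`, `generate_cases`, `fuzz` and the seed are constructed for illustration, and the example uses exhaustive single-byte substitution and truncation instead of random data so the result is reproducible.

```python
# Added illustration: exhaustive single-byte mutation fuzzing of a constructed
# toy frame parser. The frame layout and all names here are hypothetical.

class FrameError(ValueError):
    """Clean, expected rejection of a malformed frame."""

def parse_frame(frame: bytes, check_length: bool = False) -> dict:
    # Toy layout: [service id][payload length][payload ...][checksum]
    if len(frame) < 3:
        raise FrameError("frame too short")
    service, length = frame[0], frame[1]
    if check_length and len(frame) < 3 + length:
        raise FrameError("length field exceeds frame")   # hardened path
    payload = frame[2:2 + length]
    checksum = frame[2 + length]   # defect: IndexError if length overstates the frame
    if checksum != sum(payload) & 0xFF:
        raise FrameError("bad checksum")
    return {"service": service, "payload": payload}

def generate_cases(seed: bytes):
    """Yield every single-byte substitution of the seed, then every truncation."""
    for pos in range(len(seed)):
        for value in range(256):
            yield seed[:pos] + bytes([value]) + seed[pos + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]

def fuzz(target, seed: bytes) -> dict:
    """Run each case and sort the outcome: accepted, cleanly rejected, or crashed."""
    report = {"ok": 0, "rejected": 0, "crash": 0, "crashing_inputs": []}
    for case in generate_cases(seed):
        try:
            target(case)
            report["ok"] += 1
        except FrameError:
            report["rejected"] += 1
        except Exception as exc:          # anything unplanned is a finding
            report["crash"] += 1
            report["crashing_inputs"].append((case.hex(), type(exc).__name__))
    return report

SEED = bytes([0x10, 0x02, 0x01, 0x02, 0x03])   # constructed valid frame

if __name__ == "__main__":
    before = fuzz(parse_frame, SEED)
    after = fuzz(lambda f: parse_frame(f, check_length=True), SEED)
    print("unchecked:", before["ok"], before["rejected"], before["crash"])
    print("checked:  ", after["ok"], after["rejected"], after["crash"])
    print("first crashing input:", before["crashing_inputs"][0])
```

Every crashing input in the unchecked run has a length byte that overstates the frame, which is the kind of simple defect the paragraph above says fuzzing tends to surface.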

3) Penetration Testing

While fuzzing uses random or invalid data to test the system, penetration testing (also known as “pentesting”) utilizes known cyberattacks or vulnerabilities to initiate simulated attacks, identifying potential vulnerabilities and selecting countermeasures to mitigate those vulnerabilities. Think of pentesting as getting someone to act like a car thief to try to break into your car and gain access: through this “ploy” to take over, the manufacturer can learn a lot about how they can better secure their vehicle’s access systems.

Through pentesting and finding flaws within the cybersecurity infrastructure, manufacturers can upgrade their security systems to remediate any flaws in the system.

Testing is a major part of CSMS; arguably, it is just as important as the CSMS itself. However, as the many different techniques show, there is no single test that will ensure that a cybersecurity management system is perfectly foolproof. By regularly applying different testing techniques such as fuzzing and pentesting, manufacturers can ensure comprehensive security. As new technology is constantly being added to vehicles, the system will need to go through multiple rounds and various types of tests to ensure that the risk is as minimal as possible.

If working with a security solutions provider to implement your CSMS, ensure that they will be routinely testing and working with you as the client long-term.