On June 19, 2025, at the 4th China Internet of Vehicles Security Conference, Zhang Xuan, technical director and senior technical expert of Shanghai Kongan Trusted Software Innovation Research Institute, pointed out that the automotive industry is facing information security challenges brought about by the “new four modernizations”, and that regulations and standards have been introduced at home and abroad to constrain all members of the automotive supply chain. Among them, the GB 44495 standard, as a mandatory standard, puts forward clear requirements for the network security management system of automobile manufacturers and for vehicle network security capabilities, aiming to ensure automotive information security.
Zhang Xuan explained the content of the GB 44495 standard in detail, including its overall framework, scope of application, automotive information security management requirements, basic information security requirements and technical requirements. He emphasized that the relevant standards also put forward specific requirements for vehicle development processes, risk assessment, and the use of cryptographic algorithms to ensure the security and reliability of automotive information systems.
Zhang Xuan | Technical Director and Senior Technical Expert of Shanghai Trusted Software Innovation Research Institute
The following is a summary of the speech:
Industry status
At present, the automotive industry is facing information security challenges caused by the “new four modernizations”. New trends expand the attack surface of vehicle systems, and attackers can exploit the resulting vulnerabilities to carry out attacks, which in turn affects the functional safety of the vehicle. To cope with such problems, relevant regulations and standards have been issued at home and abroad to constrain members at every stage of the automotive supply chain. However, at the level of actually carrying out compliance testing, the existing solutions rely on manual operation and suffer from fragmentation, low availability, and poor reproducibility.
Recently, the intelligent connected vehicle market has continued to expand, and product iteration cycles have shortened. At the same time, automotive information security incidents occur frequently, including malicious vehicle control, CVE exploitation, extortion attacks on charging piles, and user data leakage. These information security issues directly drive the formulation and improvement of relevant standards and regulations at home and abroad. Under the dual pressure of the market and of regulations and standards, the automotive information security industry has gained development opportunities. As a key link in ensuring network security, automotive information security testing urgently needs efficient and systematic solutions.
Source: Speaker material
Standard interpretation
When discussing the mandatory standard, the R155 regulation is an important reference that cannot be ignored. The drafting of the mandatory standard draws on the relevant content of the R155 regulation, which mainly covers two aspects. The first is the requirements for the manufacturer’s network security management system: it is clearly stipulated that if a vehicle is to enter the European market, CSMS compliance certification must be passed. The second is the network security capability requirements of the vehicle, that is, the technical requirements of vehicle type approval, which require manufacturers to submit the corresponding type approval application and complete the technical tests after obtaining the CSMS certificate.
The mandatory standard was officially approved in November 2019; in July 2021 it was changed from a recommended standard to a mandatory standard, and the project was then publicized. On August 23, 2024, the standard was officially released. Comparing the R155 regulation with GB 44495 shows that the mandatory standard refers to the CSMS requirements in Chapter 7.2 of the R155 regulation and transforms them into the requirements for the automotive information security management system in Chapter 5 of China's mandatory standard.
Source: Speaker material
The first four chapters of the standard are an overview, mainly explaining the scope of application, referenced documents, term definitions and abbreviations. From Chapter 5 onwards, the standard turns to the specific requirements for the automotive information security management system and clarifies the specifications that automobile manufacturers should follow when building that system. Chapter 6 focuses on the basic requirements of automotive information security and defines, at the macro level, the minimum standards that automotive security should meet.
Chapter 7 goes deeper into the technical level, putting forward specific technical requirements and development guidelines for the parts produced by each manufacturer, aiming to ensure that the parts meet the corresponding security requirements. Chapter 8 stipulates the test and inspection procedures for the requirements of Chapters 5, 6 and 7. The requirements of Chapters 5 and 6 are usually evaluated through a review of security process documents, while Chapter 7 requires verification through technical testing.
Chapter 9 mainly deals with determining whether vehicles are of the same type. To reduce the workload of repeated testing, the standard requires an evaluation of the electronic and electrical architecture, communication interfaces, and data security, especially the application of anonymization algorithms, to confirm whether they are consistent with a base model that has already passed compliance certification, which effectively reduces the cost of repeated testing. Chapter 10 stipulates the implementation date of the standard and provides a clear timeline for its supervision and implementation.
The requirements of the automotive information security management system in Chapter 5 mainly include the following aspects. First, enterprises need to establish a comprehensive internal security management process and set up corresponding organizational teams to ensure that information security management work is effectively implemented and supervised. The second is the risk management process, which requires enterprises to carry out threat analysis and risk assessment according to the methodology of the ISO/SAE 21434 standard, and comprehensively identify, analyze and respond to potential information security threats, so as to ensure vehicle information security. In addition, enterprises should combine information security testing with the original functional test and integrate it into the relevant testing process to verify the security and reliability of the vehicle information system. Manufacturers also need to implement information security control measures with suppliers, service providers, and subsidiaries in the supply chain to ensure that all parties comply with unified standards and requirements for information security.
Chapter 6 sets out the basic requirements for information security. First, the vehicle product development process should follow the requirements of the automotive information security management system; second, risk assessment should be conducted for vehicles and identified risks should be managed; third, disposal measures should be taken to protect vehicles from external attacks; fourth, standard-compliant cryptographic algorithms and modules should be used; fifth, default security settings should be adopted; sixth, vehicle data processing should comply with the provisions of GB/T 44464-2024 “General Requirements for Automotive Data”.
Chapter 7 mainly focuses on information security technical requirements, including external connection security, communication security, data security, and software upgrade security.
Chapter 8, on inspection and test methods, contains three parts. The first and second are the information security management system inspection and the basic requirements inspection, which are mainly verified through review of process systems and security documents. The third is the information security technical requirements test, which mainly uses test methods and test tools for technical verification to confirm whether the implemented security measures meet the requirements.
Tests on the technical requirements for external connections mainly include general security tests, remote control security tests, third-party application security tests and external interface security tests.
Communication security involves cloud platform communication, V2X identity authentication, etc.; the tests mainly address the confidentiality, integrity, and availability of communication.
Software upgrade testing focuses on three aspects. The first is general security-related requirements, covering tests of security protection mechanisms, vulnerability scanning and others. The second is OTA-related requirements, mainly including identity authentication of the server, tamper protection of the online upgrade package, and security testing of the upgrade event log. The third is the security test of offline upgrades: if the on-board software upgrade system is used, corresponding checks need to be carried out, for example USB upgrades need anti-virus testing. For offline upgrades that do not use the on-board software upgrade system, security tests based on diagnostic instruments are required.
For data security, the standard mainly puts forward test requirements for cryptographic data, vehicle driving data, and sensitive personal information involved while the vehicle is being driven. At the same time, vehicles are required to have personal information erasure and recovery functions, restrictions are placed on data export, and vehicles are prohibited from directly transmitting data overseas.
Test scheme
Our main testing services cover complete vehicles, parts and vehicle control apps. In the conceptual design stage, threat analysis and risk assessment are carried out to identify and derive concept-level cybersecurity requirements and clarify security objectives. For the upper-level security objectives, the technical design of security measures is then carried out to provide guidance for actual development.
We have a self-developed automotive information security management platform, PeneX, which strictly follows regulations and standards, and can be customized according to the individual needs of enterprises. For mandatory standards, we provide an in-depth interpretation of their technical requirements and test methods, and based on this, we can form implementable automated, semi-automated, or manual test cases.
The image below shows the interface of our main platform. The compliance test management module is a major feature of the platform and distinguishes it from most similar tools on the market. Currently, most tests against regulations and standards are based on specification documents and a variety of separate tools, so the work is relatively fragmented and complex. Our approach is to interpret the requirements of the mandatory standard in depth, form dedicated test methods and steps, and then associate them with practical tools and operating procedures. With the Compliance Test Management module, we built a unified management platform that facilitates the generation of automated test reports.
Source: Speaker material
The platform has strong testing capabilities: hardware-level testing mainly covers secure access and other tests on hardware interfaces; communication testing includes in-vehicle network testing and off-vehicle wireless testing; software security testing covers vulnerability scanning and analysis of system firmware and applications; and data security testing checks the authenticity, integrity, and confidentiality of data in accordance with the requirements for data collection, use, storage, and destruction in the relevant standards.
In terms of hardware testing, we carry out testing work based on different controllers, including hardware sensitive information inspection and PACK hardware debugging interface testing. Hardware simulation and debugging tools are used to test the access control of hardware interfaces. Component extraction tests are also carried out: the main control chip or external flash of the head unit is extracted and tested with the help of chip testing tools and related techniques.
For in-vehicle network testing, we rely on our own resources and carry out the relevant tests using the SmartRocket TestSec tool. This tool sends and receives communication data on different hardware boards. By contrast, the tools on the market are mainly intended for automotive communication; using them for network security testing requires writing separate test case scripts, which is more cumbersome.
Security testing of out-of-vehicle communication is mainly based on different hardware wireless interface devices. According to the regulations and standards, wireless communication technologies such as WiFi, Bluetooth, RF and NFC are involved. We test with tools such as USB communication adapters or SDR radios, and carry out GNSS, cellular, and V2X security checks using Rohde & Schwarz equipment. However, because of the high cost of Rohde & Schwarz equipment solutions, more cost-effective test solutions will be designed in the future to meet the needs of different customers.
Software testing includes compliance testing and vulnerability scanning. Compliance testing mainly checks the authenticity and integrity of the application, chiefly by tampering with the certificate and signature of the application; unauthorized access control tests are carried out at the same time.
Vulnerability scanning covers application software as well as underlying system firmware. At present, the main risk items tested in vulnerability scanning include: configuration risk, that is, whether there is hard coding in the code, etc.; cryptography-related risks, to reduce risks such as key leakage and insecure certificates; sensitive information, where it is necessary to check whether the files in the firmware contain sensitive information and whether it is stored securely; code security, checking for insecure code configuration and other issues; and Android or iOS apps, checking for sensitive permissions, encryption security, and potential vulnerabilities.
Data security testing mainly checks authenticity, integrity, and confidentiality for data collection, use, storage, and destruction according to the requirements of the standard. The left side of the figure below shows the requirements of GB 44495, and the right side shows the corresponding test cases on the PeneX platform. In addition to the test content based on GB 44495, we will also integrate the relevant requirements of GB/T 44496.
Source: Speaker material
The software upgrade test mainly carries out upgrade compliance testing in accordance with the requirements of the R156 regulation and GB 44496, including the following two parts: one is the general requirements test, covering the authenticity and integrity test of the upgrade package; the second is the anti-tampering test of the software identification code/version number, which reads the software identification code, uses tampering instructions to tamper with it, and compares whether the software identification code/version number is consistent, so as to verify whether the upgrade system has an anti-tampering mechanism.
Second, for OTA online upgrade requirements: when implementing OTA upgrades, user notification and user confirmation must be satisfied and the relevant prerequisites must be followed. GB 44496 differs from the R156 regulation in some respects; for example, GB 44496 adds door anti-lock requirements to fit local needs.
Based on previous testing work carried out at the customer’s site, the test content covers many aspects, for example: modifying the version number; checking whether the user notification mechanism before the upgrade is effective; and evaluating the prerequisites, judgment logic, etc. before upgrading. For example, the battery level guarantee test confirms, through the upgrade cloud platform, the battery level required for a safe upgrade; the required battery level is usually between 20% and 100% before the upgrade. During the test, the actual battery level of the equipment is first drained to less than 20% to verify whether the equipment can be upgraded normally at low battery.
Source: Speaker material
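The upgrade checks described above (package authenticity and integrity, a modified version number, user confirmation and the 20% battery floor) written as one acceptance gate with its compliance cases; this is an added example, not code from the talk or the PeneX platform. The manifest layout, key and version strings are constructed, HMAC-SHA256 stands in for the asymmetric signature a production OTA system would use, and refusing the upgrade below 20% is assumed to be the expected result.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; HMAC-SHA256 is a stdlib stand-in for a real signature scheme.
DEMO_KEY = b"constructed-demo-key-not-for-production"
MIN_BATTERY_PCT = 20  # lower bound of the 20%-100% window described in the text

@dataclass
class Manifest:            # hypothetical manifest layout
    version: str
    sha256: str            # hex digest of the package payload
    tag: str               # hex HMAC over "version|sha256"

def sign_manifest(version: str, payload: bytes, key: bytes = DEMO_KEY) -> Manifest:
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(key, f"{version}|{digest}".encode(), hashlib.sha256).hexdigest()
    return Manifest(version, digest, tag)

def check_upgrade(m: Manifest, payload: bytes, battery_pct: int,
                  user_confirmed: bool, key: bytes = DEMO_KEY) -> list[str]:
    """Return the failed checks; an empty list means the upgrade may start."""
    failures = []
    expected = hmac.new(key, f"{m.version}|{m.sha256}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, m.tag):
        failures.append("authenticity")       # manifest, including version, was altered
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), m.sha256):
        failures.append("integrity")          # payload does not match the manifest
    if not MIN_BATTERY_PCT <= battery_pct <= 100:
        failures.append("battery")
    if not user_confirmed:
        failures.append("user_confirmation")
    return failures

def run_compliance_cases() -> dict[str, list[str]]:
    payload = b"constructed firmware image bytes"
    good = sign_manifest("2.4.1", payload)
    bumped = Manifest("9.9.9", good.sha256, good.tag)   # version number modified
    return {
        "baseline": check_upgrade(good, payload, 80, True),
        "tampered_package": check_upgrade(good, payload + b"\x00", 80, True),
        "modified_version": check_upgrade(bumped, payload, 80, True),
        "low_battery": check_upgrade(good, payload, 19, True),
        "no_user_confirmation": check_upgrade(good, payload, 80, False),
    }

if __name__ == "__main__":
    for name, failed in run_compliance_cases().items():
        print(f"{name:22} -> {'PASS' if not failed else 'REJECTED: ' + ', '.join(failed)}")
```

Binding the version string into the authenticated manifest is what makes the modified-version case fail as an authenticity error rather than pass silently.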
The platform can provide customized test report output services, covering compliance test reports, penetration test reports, and fuzz test reports, to meet the diverse needs of different customers.
In terms of practical test scenarios, we carry out penetration tests of the whole vehicle and of vehicle parts to test the protection ability of the system in the face of potential security threats. At the same time, our fuzz testing, based on the self-developed fuzz engine, gives more noticeable results in actual testing than the random fuzz testing methods on the market; it can trigger abnormal situations such as head unit restarts and find potential security problems.
In addition, when carrying out penetration tests of the whole vehicle, access control tests are carried out through the OBD interface and related software to verify the system’s resistance to data replay attacks. The head unit is fuzz tested to see whether an abnormal restart is triggered. For penetration testing of the head unit, it can also be accessed through the debugging interface to check whether a weak password is set; port scanning is also used to check for unnecessary application services and access control permissions.
(The above content is from the keynote speech “Building a Solid Line of Security Defense for Intelligent Connected Vehicles: In-depth Analysis and Practical Testing Scheme for GB44495 Standards” delivered by Zhang Xuan, technical director and senior technical expert of Shanghai Control and Security Trusted Software Innovation Research Institute, at the 4th China Internet of Vehicles Security Conference on June 19, 2025.)
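What resistance to data replay looks like on the receiving side, as an added example that is not from the talk: each frame carries a freshness counter and a MAC, and the receiver rejects anything that is not strictly newer. The frame layout, CAN ID, key and truncated tag length are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; real ECUs keep keys in protected hardware
TAG_LEN = 8                      # truncated MAC length chosen for this illustration

def protect(can_id: int, data: bytes, counter: int, key: bytes = KEY) -> bytes:
    """Sender side: prepend a freshness counter and append a truncated HMAC."""
    header = struct.pack(">IQ", can_id, counter)
    tag = hmac.new(key, header + data, hashlib.sha256).digest()[:TAG_LEN]
    return struct.pack(">Q", counter) + data + tag

class Receiver:
    """Accepts a frame only if its MAC verifies and its counter is strictly newer."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter: dict[int, int] = {}   # highest accepted counter per ID

    def accept(self, can_id: int, frame: bytes) -> str:
        if len(frame) < 8 + TAG_LEN:
            return "reject:malformed"
        counter = struct.unpack(">Q", frame[:8])[0]
        data, tag = frame[8:-TAG_LEN], frame[-TAG_LEN:]
        header = struct.pack(">IQ", can_id, counter)
        expected = hmac.new(self.key, header + data, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "reject:bad_mac"
        if counter <= self.last_counter.get(can_id, -1):
            return "reject:replayed"
        self.last_counter[can_id] = counter
        return "accept"

def run_replay_cases() -> list[str]:
    rx = Receiver()
    msg = protect(0x2A0, b"\x01", counter=1)          # constructed ID and payload
    altered = msg[:8] + b"\x02" + msg[9:]             # data byte changed, old tag kept
    return [
        rx.accept(0x2A0, msg),                         # first delivery
        rx.accept(0x2A0, msg),                         # identical bytes delivered again
        rx.accept(0x2A0, altered),                     # altered payload
        rx.accept(0x2A0, protect(0x2A0, b"\x01", 2)),  # legitimate next message
    ]

if __name__ == "__main__":
    print(run_replay_cases())
```

A replay test against a receiver built this way should see the second delivery refused; a receiver that accepts it has no freshness check.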