WithIntelligent networkingWith the rapid development of automobiles and increasing cybersecurity threats, compliance testing technology has become a key challenge for the industry. This presentation focuses on the latest trends, regulatory requirements, and testing practices in automotive cybersecurity, aiming to help organizations address risks.
Zhao Huanyu, deputy general manager of Weichen Xinan, pointed out that the current network security threats faced by intelligent networked vehicles are intensifying, and attack methods are gradually becoming combat-oriented. Taking the core system of remote control vehicles as an example, its attack logic is usually to obtain key data such as MQTT server address, authentication information and command format through illegal means, and then maliciously send vehicle control instructions to achieve the purpose of control.
He specifically introduced that Weichen Automotive’s network security test system can be used for the compliance verification of GB44495 standards, and can meet the verification needs of external vehicle connection, communication security, online upgrade and data security in multiple scenarios such as basements and factories. The system has the characteristics of strong portability and wide range of parts adaptation, supports rapid construction of test environments and automatic generation of test reports, and can shorten the test cycle of the whole vehicle to less than 10 days.
Zhao Huanyu | He is the deputy general manager of Chenxinan
The following is a summary of the speech:
Threat escalation: Actual combat attacks have become a core challenge for intelligent connected vehicle security
Automotive cybersecurity threats continue to intensify, gradually becoming combat-oriented, and remote control of vehicles has become a core attack scenario. According to the “2024 Intelligent Connected Vehicle Cybersecurity Annual Report” jointly released by Pengcheng Lab and Weichen Xinan, cloud platforms and vehicle-side business systems are the most attacked targets, accounting for the highest proportion. From 2023 to 2024, operating system vulnerability mining slowed down, but data security vulnerabilities increased significantly, especially in the field of personal privacy such as in-car recording, video recording, and positioning, with a year-on-year increase of 4%. Cloud security, communication security, and hardware security risks are rising simultaneously, and hackers are very attractive to carry out remote control command attacks through mobile phones or the cloud. Typical attack logic includes illegally obtaining MQTT server addresses, authentication information, and instruction formats, and maliciously sending vehicle control instructions. For example, after subscribing to a related topic of remote communication ECU (T-BOX), THE APP can send vehicle control instructions to realize vehicle control. This highlights the vulnerability of external vehicle connections and critical data, which need to be identified in a timely manner through compliance testing.
Source: Speaker material
Deepening of compliance: The global standard system drives the mandatory implementation of security technology
International and domestic standards jointly drive the automotive cybersecurity compliance framework, with UN Regulation No. 155 and R156 as international benchmarks, emphasizing the authenticity of software updates, communication channel security, and vulnerability protection. The domestic mandatory standard GB 44495 “Technical Requirements for Information Security of Complete Vehicles” was officially implemented on January 1, 2026, covering nearly 40 test objects and more than 130 test scenarios, including external connection security, communication security, software upgrade security, and data security.
Source: Speaker material
The standard requires closing non-essential ports, strengthening key storage protection, and clarifying data classification and grading, involving the confidentiality requirements of vehicle road perception data, algorithm data, and vulnerability management. In January 2025, the Ministry of Industry and Information Technology and seven other departments issued the “Guidelines for the Identification of Important Data on Connected Vehicle Operation and Autonomous Driving” to promote the filing of important data, covering 12 categories such as personal information and map information. Component standards such as GB/T 40855 (Electric vehicleremote service) and GB/T 40857 (automotive gateway security) are coordinated with vehicle standards to ensure data security throughout the life cycle. Application Guide Interpretation further refines testing steps and criterion to reduce execution ambiguity.
Source: Speaker material
Technological innovation: full life cycle testing solves the dilemma of fragmentation
Testing technology runs through the entire vehicle life cycle, and threat analysis and risk assessment (TARA) needs to be introduced in the design stage, component test specifications should be issued, and third-party compliance testing and penetration testing should be carried out. The test objects cover four layers: cloud, pipe, terminal, and data, including enterprise platforms, communication channels, mobile apps, operating systems, and key components such as IVI and TBOX.
Source: Speaker material
The testing process is standardized for project communication, environment construction, test implementation, fix suggestions, and regression retesting, and relies on test case databases, vulnerability knowledge bases, and test databases to achieve efficient verification. The environment construction involves APP security testing (APK file upload), vehicle bus (CAN/ETH tool), Ethernet security and data security testing (combined with WiFi, GNSS positioning spoofing and 4G/5G access). The trend towards penetration testing is clear, with enterprise needs shifting from compliance to adversarial drills, such as simulating cellular network attacks or Bluetooth denial-of-service testing through CRRC. This solves traditional pain points such as long test cycles (more than 3 months), poor environmental stability, and high technical thresholds.
Source: Speaker material
System breakdown: The integrated platform achieves ten-day vehicle compliance verification
Weichen Automotive’s network security test system solves the pain points of fragmented tools through integrated integration, supports portable deployment (suitcase form, ≤6kg), and is suitable for basement or factory scenarios. The system integrates nearly 50 scattered tool functions to achieve a 60% automated test rate, covering 38 technical points and 128 test items in GB 44495. The standardized process includes pre-test sample preparation, in-test data analysis (e.g., Bluetooth vulnerability scanning or GNSS spoofing), and automatic post-test report generation, with process data monitoring throughout the process to ensure visualization and evidence. The advantages of the system include reliable methods (adopted by six national testing centers), strong adaptability (adapted to dozens of car companies such as Changan and SAIC), and improved efficiency (vehicle testing has been shortened from 30 days to 10 days).
Source: Speaker material
Typical cases include GNSS security testing of an OEM: sending a dynamic hijacking signal of the whole constellation with one click, exposing the defects of the positioning algorithm and causing the car to crash; certainLuxury carsFactory Bluetooth security test: Detected CVE-2019-17060 vulnerability and triggered Bluetooth chip deadlock. The value of the system lies in establishing autonomous testing capabilities to ensure test consistency and confidence in conclusions.
Source: Speaker material
Future prospects and challenges
In the future, with the development of AI large models and low-altitude economy, automotive network security testing needs to integrate more cross-industry technologies, but the challenge lies in the controversy over test methods caused by dynamic updates of standards, as well as global adaptation (such as differences in data regulations in different regions). Enterprises need to continue to invest in automated testing research and development to deal with vulnerability growth and combat threats.
(The above content comes from the keynote speech on “Intelligent Connected Vehicle Network Security Compliance Testing Technology” delivered by Zhao Huanyu, deputy general manager of Weichen Xinan, at the 4th China Internet of Vehicles Security Conference in 2025 on June 19, 2025.) )
