Security Testing: The Essential Role in Automotive Cybersecurity

The explosive rise of interconnected automotive technologies is transforming the driving experience like never before. From seamless keyless entry and smartphone apps that control in-vehicle functions, to Vehicle-to-Everything (V2X) systems that enable cars to communicate with infrastructure, other vehicles, and real-time data sources — today’s vehicles are smarter, safer, and more connected. These innovations reduce the burden of manual operations, enhance entertainment, deliver over-the-air software updates, and uphold strict standards for safety and reliability. Yet, as connectivity deepens, so does the need for rigorous security testing to ensure these intelligent systems remain protected from cyber threats. Robust security validation is now a cornerstone in paving the way for secure automated mobility and the next era of intelligent vehicles.

However, along with the evolution of modern vehicles are the increasing cybersecurity risks and potential vulnerabilities. A study by Mudhivarthi et al. (Aspects of Cyber Security in Autonomous and Connected Vehicles, 2023) highlights that both V2X protocols and in-vehicle networks (IVN) still contain unresolved security gaps: Attackers can exploit communication channels to perpetrate Denial-of-Service (DoS) attacks, create fake identities (Sybil attacks), or impersonate other vehicles, while the transport layer is highly susceptible to replay attacks and data eavesdropping.

Similarly, research by Minh Pham and Xiong (Security Attacks and Defense Techniques for Connected and Autonomous Vehicles, 2021) warns that keyless entry systems are vulnerable to relay attacks, allowing criminals to unlock and start a car within seconds. These findings reinforce a critical truth: while connected technologies bring convenience, security loopholes remain a serious concern and can be exploited with severe consequences. 

In this context, the key questions are: How can connected vehicles be protected against increasingly sophisticated cyber threats? And what measures can ensure that new features deliver convenience without compromising cybersecurity?

The answer lies in the pivotal role of security testing within the broader framework of automotive cybersecurity. It serves as a critical gatekeeper, ensuring that every new function — from V2X communication to OTA updates — is both safe and resilient.

In the sections below, we’ll explore how security testing is applied in real-world automotive development, the standards it must align with, and why it has become indispensable in the age of smart, connected mobility.

Automotive Cybersecurity & Security Testing

Automotive Cybersecurity

Automotive cybersecurity refers to the set of principles, processes, and technologies designed to protect a vehicle’s electronic systems, in-vehicle communication networks, control algorithms, and operational data from cyberattacks, unauthorized access, or misuse. It is the foundation that ensures modern vehicles remain safe, reliable, and compliant with international cybersecurity standards. 

According to ISO/SAE 21434, cybersecurity in general and automotive cybersecurity in particular must maintain three core attributes: 

• Confidentiality: ensuring sensitive data is not disclosed to unauthorized parties. 

• Integrity: preventing data and signals from being altered or tampered with. 

• Availability: guaranteeing that systems and functions remain operational when required. 

In the automotive industry, cybersecurity extends beyond protecting user data; it is tightly linked to functional safety. With a successful cyberattack, hackers can take control of critical components such as brakes, steering, or the engine, posing direct risks to passenger safety and other road users. 

Therefore, to achieve the highest level of cybersecurity in vehicles, multiple defense mechanisms such as encryption, access control, firewalls, and IDS/IPS (Intrusion Detection/Prevention Systems) are required. These safeguards only prove effective when validated in practice, through security testing. 

Automotive Security Testing

Automotive security testing is a systematic process to evaluate, validate, and demonstrate the resilience of a vehicle’s electronic systems, software, and communication channels against potential cyber threats. The purpose goes beyond simply identifying vulnerabilities: it measures the effectiveness of defense mechanisms, ensures compliance with international standards such as ISO/SAE 21434 and UNECE R155, and provides a solid basis for continuous improvement and functional safety assurance. 

Methods of automotive cybersecurity testing can be classified based on three dimensions: Knowledge-level, Automation-level, and Test objective.  

 

 

A) Knowledge-Based Security Testing

Knowledge-based testing is performed according to the level of information available about the System Under Test (SUT). In general, it can be divided into three categories: black-box testing, white-box testing, and gray-box testing. 

• Black-box testing: Engineers have no access to functional specifications or detailed information about the SUT, and the target system is treated as a “black box.” The focus is on evaluating the system’s security design and defensive capabilities from an external perspective, closely simulating a real-world cyberattack scenario to assess how resilient the system is against potential attacks. 
• White-box testing: Full internal details of the SUT are available. Threats and potential vulnerabilities can be identified more thoroughly based on functional specifications and source code, without requiring significant time and effort for information gathering. This method enables a deep and comprehensive security assessment. 
• Gray-box testing: A hybrid approach that is a combination of both black-box and white-box testing, striking a balance between time and cost. In gray-box testing, engineers have partial knowledge of the SUT, allowing them to design targeted test scenarios based on the available information.

  

B) Automation-Level Security Testing

Automation-level security testing can be divided into three categories depending on the degree of tool and framework automation: fully automated testing, semi-automated testing, and manual testing. 
With the growing complexity of automotive electronic/electrical (E/E) systems, manual testing can no longer keep up with the increasing demand for comprehensive security validation. Moreover, testing time and cost are critical considerations throughout the vehicle development lifecycle. 
Automated testing significantly improves efficiency, reduces human workload, and minimizes errors caused by subjective factors. Tools commonly used in automated automotive cybersecurity testing, such as Vector CANoe, CANToolz, boofuzz, or V-SHIELD from Vietsol, can automatically generate thousands of test cases, monitor ECUs, and produce detailed reports without manual intervention. 

C) Test Objective-Based Security Testing

Test objective-based testing can generally be classified into two categories: requirement-based testing and threat-based testing. Requirement-based testing focuses on verifying whether the system design meets the defined security requirements of the international standards and regulations. This approach is closely tied to compliance assessments, aiming to demonstrate the system’s adherence to standards such as ISO/SAE 21434, UNECE (R155 Annex 5) regulation, or functional safety standards like ISO 26262. Threat-based testing, on the other hand, is conducted to identify potential threats and vulnerabilities of the SUT, with the goal of evaluating its overall cybersecurity level of the system. This method is further subdivided into 4 categories, including vulnerable scanning, penetration testing, fuzzing, and risk-based security testing.

Vulnerability Scanning 

Vulnerability scanning involves using automated tools or scripts to detect potential weaknesses in the system, based on common security vulnerability databases such as the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVEs). For example CVE-2025-30113 (a dashcam with hardcoded credentials for services listening on ports 9091/9092, allowing configuration access without authentication). This method only identifies defined vulnerabilities in the database and is unable to detect loopholes that have never been recorded.

Vulnerability scanning is considered a proactive threat detection measure, offering greater effectiveness compared to passive defense mechanisms like in-vehicle firewalls.

Penetration Testing

Penetration testing is an authorized simulated attack conducted on a system, network, or application to identify and exploit vulnerabilities before malicious actors can do so. Its main objectives are to identify weaknesses, assess real-world risks, and provide remediation measures, thereby contributing to the Cyber Security Management System (CSMS) and supporting type approval for automotive cybersecurity. Typical test targets include: applications, communication networks and security-critical systems in the vehicle.

The penetration testing process can follow the PTES (Penetration Test Execution Standard), which consists of 7 phases: 

1. Pre-engagement: Define scope, objectives, reporting requirements, stakeholders, and collect supporting documents for white-box/grey-box testing. 
2. Intelligence Gathering: Collect and analyze security-related information about the target from client-provided documents and other sources to build a test strategy. 
3. Threat Modelling: Apply threat modeling methods (e.g., STRIDE) to identify critical assets, attack vectors, and prioritized scenarios. 
4. Vulnerability Analysis: Review and assess vulnerabilities using CVSS, check remediation feasibility, and create a target list for exploitation. 
5. Exploitation: Attempt to exploit vulnerabilities to validate their impact, ability to bypass defenses, and uncover additional flaws. 
6. Post-Exploitation: Evaluate the impact on the system, persistence access and actual risks to the system after exploitation. 
7. Reporting: Summarize findings, risk description assessments, exploitation evidence, and recommendations, including both an executive summary and a technical report. 

Fuzzing Testing 

Fuzzing testing (or fuzzing) is a software testing technique aimed at verifying the security and robustness of the SUT. It detects vulnerabilities by injecting large amounts of random or malformed data into the system and monitoring its behavior. A basic fuzzing system typically consists of three components: 

• Test case generator: produces input data (random, mutated, or model-based). 

• Monitoring system: observes system behavior (crashes, hangs, abnormal responses). 

• Test environment: the execution environment (simulation, real ECU, or entire vehicle). 

An attacker could inject multiple random or fuzzed packets into the CAN bus. ECUs receiving these packets might misinterpret them, leading to crashes, hangs, or incorrect data processing, all of which could be exploited by attackers.

 

The use of fuzzing for the targeted systems in the automotive industry is relatively new. However, it plays a vital role in automotive cybersecurity testing, as ECU function is considered similar to a computer system, each running different software and interconnected through networks such as CAN, FlexRay, or MOST. As a result, modern vehicles are exposed to similar security risks as traditional computer systems. Therefore, integrating fuzzing into automotive cybersecurity assessments is crucial for identifying potential vulnerabilities before they can be exploited.

Risk-Based Security Testing (RBST)

Risk-Based Security Testing (RBST) is a security testing approach that integrates threat analysis and risk assessment techniques. The results produced by this method are used to optimize the overall security testing process. The general process of a Risk-based security test includes: 

• Step 1 – Identify vulnerabilities: Identify vulnerabilities and threats, then assess and prioritize the system’s security risks. 

• Step 2 – Model design: Design a testing model based on the threats identified for risk assessment and a functional/behavioral model for system requirements. 

• Step 3 – Test case generation: Select appropriate criteria and algorithms to generate test cases from the testing model. Test cases may be automated or manual scenarios. 

• Step 4 – Test execution: Run the generated test cases in the test environment, using automated or manual scripts. 

• Step 5 – Analysis & feedback: Execution results often reveal new vulnerabilities/threats, which can be brought back into Step 1 as an input for the next testing cycle. 

Threat analysis and risk assessment play a core role in risk-based security testing. Outputs from these activities include identified threats, the likelihood and impact of attack scenarios, and quantifiable risk values. Using risk assessment results helps prioritize test scenarios and determine their execution order. 

Standards and regulations for Automotive security testing

ISO/SAE 21434 Standard for Automotive Cybersecurity

ISO/SAE 21434 is the international standard for road vehicles cybersecurity engineering, developed to define a structured process that ensures cybersecurity throughout the entire vehicle lifecycle. Jointly developed by ISO and SAE, the standard addresses the limitations of previous guidelines (such as SAE J3061) and establishes a comprehensive framework aligned with state-of-the-art technologies. ISO/SAE 21434 applies not only to automotive OEMs but also to component suppliers, embedded software providers, and connectivity service suppliers, ensuring a comprehensive cybersecurity ecosystem. The standard includes: 

• Organizational cybersecurity management: Requirements for the organization to establish cybersecurity and enable the project to develop secure products. 

• Project-dependent cybersecurity management: Planning and co-ordination of cybersecurity activities at the project level and measures to ensure the provision of evidence for the achievement of cybersecurity before SOP. 

• Distributed cybersecurity activities: Requirements for supplier selection, supplier management, and the relationship between customer and supplier 

• Continual cybersecurity activities: Provision of information for ongoing event assessment and vulnerability management of E/E systems until end of support  

• Concept: Definition of the item and its relevant assets, definition of cybersecurity goals, and derivation of the concept in order to identify the controls that are required. 

• Product development: Cybersecurity specification and implementation, and verification of the cybersecurity implemented in the item or component  

• Cybersecurity validation: Validation of cybersecurity achieved at the vehicle level 

• Production: Cybersecurity-related aspects of fabrication, assembly, and calibration of an item or component  

• Operations and maintenance: Activities related to cybersecurity incident response and updates to an item or component  

• End of support and decommissioning: Cybersecurity considerations that relate to the end of the lifetime or support decommissioning of an item or component  

• Threat analysis and risk assessment (TARA): Methods for determining the extent of cybersecurity risk 

Among these, Threat Analysis and Risk Assessment (TARA) is considered one of the core activities defined in ISO/SAE 21434. TARA is a specialized risk assessment process for the automotive sector, designed to identify potential threats and evaluate risks in automotive cybersecurity. The primary goal of TARA is to detect vulnerabilities and potential attack scenarios, thereby protecting critical vehicle components such as ECUs, sensors, and communication interfaces from cyberattacks. By applying TARA under ISO/SAE 21434, manufacturers can address security issues before they escalate into severe safety violations, enhance brand trust and reputation. 

 

UNECE WP.29/R155 Standard for Cybersecurity

UNECE WP.29/R155 is a mandatory regulation on automotive cybersecurity and software updates, issued by the United Nations, applicable to both commercial and passenger vehicles worldwide. Key requirements include: 

• Risk management and cybersecurity governance: OEMs must conduct TARA and demonstrate risk management capabilities throughout the vehicle lifecycle. 

• Over-the-Air (OTA) updates: Vehicles must securely receive and deploy software patches and security updates. 

• Compliance and approval: Vehicles can only obtain market approval and certification if they fully comply with R155 requirements. 

• Integration with ISO/SAE 21434: R155 encourages OEMs to adopt ISO/SAE 21434 to demonstrate secure development, testing, and maintenance practices. 

Together, WP.29/R155 and ISO/SAE 21434 form a comprehensive legal and technical framework, enabling automotive manufacturers to implement cybersecurity in a systematic, standardized, and transparent manner. 

Cybersecurity Testing advantages for businesses in the automotive industry

In the context of the automotive industry becoming increasingly reliant on electronic systems and network connectivity, cybersecurity has become a vital factor for businesses. Security testing is not only a technical step to detect vulnerabilities but also a comprehensive strategy that helps companies protect their products, users, and brand reputation. The benefits below highlight why security testing should be considered a top priority in the development and operation of modern automotive products. 

Early Vulnerability Detection 

Security testing allows businesses to promptly identify weaknesses and potential risks right from the design and development stages. Addressing issues early not only saves remediation costs but also prevents serious incidents during operation. Techniques such as vulnerability scanning, penetration testing, and fuzzing help uncover problems before attackers exploit them, ensuring that systems remain stable and secure. 

Protecting User Safety 

Cybersecurity is not only about data but is also closely tied to passenger safety. A compromised system could lead to loss of control over brakes, steering, or the engine. Security testing helps verify that defense mechanisms (encryption, authentication, firewalls, IDS/IPS,…) function properly, critical functions like ECU, ADAS, and IVI are protected, and all external communication channels (V2X, smartphones) are continuously monitored. This way, companies minimize accident risks and directly ensure users’ safety. 

Compliance with Standards and Regulations 

Standards and regulations such as ISO/SAE 21434 and UNECE WP.29/R155 require OEMs and suppliers to demonstrate the security of their products. Security testing enables businesses to meet these requirements, obtain international roadworthiness certifications, and provide evidence to regulators and customers regarding the system’s cybersecurity assurance. 

Reducing Financial Losses and Enhancing Brand Reputation 

An overlooked vulnerability can result in massive costs from remediation, product recalls, lawsuits, and loss of customer trust. By conducting security testing, businesses can proactively prevent incidents, minimize financial risks, and strengthen their brand image. Commitment to safety and security is not only a competitive advantage but also a foundation for building trust in the era of interconnected vehicles. 

Vietsol and the journey to elevating effective Cybersecurity Testing in the automotive industry

Vietsol is one of the pioneering companies in Vietnam providing automotive cybersecurity testing services for leading car manufacturers. We understand that in the era of smart and interconnected vehicles, security testing is no longer just a technical requirement, but a critical factor for businesses to maintain their reputation and meet international standards. 

Beyond implementing testing processes in compliance with international standards such as ISO/SAE 21434 and UNECE WP.29, we clearly define testing objectives, system scope, and select appropriate methods (vulnerability assessment, fuzzing, penetration testing,…). More importantly, we provide consultation and deliver comprehensive remediation solutions for businesses, including V-SHIELD and CANRAY. 

V-SHIELD – Vietsol’s Automotive Cybersecurity Testing Tool 

Vietsol is developing V-SHIELD as a significant step forward in our strategy to enhance automotive cybersecurity testing capabilities. This is not only an automation-support tool but also a solution that helps businesses shorten testing cycles, optimize resources, and increase reliability throughout the entire product development process. 

V-SHIELD offers clear advantages to manufacturers and suppliers when facing increasingly stringent cybersecurity requirements. By simulating real-world attack scenarios and providing detailed analysis reports, the tool enables enterprises to detect potential risks, prioritize remediation efforts, and define effective countermeasures. 

More importantly, V-SHIELD unlocks the potential to scale and standardize security testing across the industry, empowering businesses to strengthen competitiveness, achieve international compliance, and reinforce trust from customers and global partners. 

CANRAY – CAN/UDS Fuzzing Tool for Automotive Security Testing by Vietsol 

CANRAY is a CAN/UDS fuzzing tool developed by Vietsol, specifically designed to support both diagnostics and security assessment in automotive systems. With capabilities for ECU and UDS service scanning, customizing message sender, CANRAY provides maximum flexibility to simulate ECUs, transmit custom CAN frames, perform security testing, and detect potential vulnerabilities. 

All operations are supported by detailed logging, enabling faster and more precise vulnerability analysis and remediation. By combining automated scanning with flexible customizing, CANRAY becomes a comprehensive solution for modern automotive cybersecurity testing, meeting the growing demand for robust security in the automotive industry. 

Conclusions

Today’s modern vehicles are open and interconnected systems, which significantly expand the attack surface and increase cybersecurity risks. As a result, identifying threats and vulnerabilities in vehicles has become critical, with security testing playing a central role in this process. It is an indispensable stage in the automotive development lifecycle. Through methods such as fuzzing, penetration testing, and vulnerability scanning, businesses can not only detect vulnerabilities early but also build trust, strengthen reputation, and meet international standards. 

In the future, as vehicles progress toward higher levels of automation and connectivity, security testing will no longer be the final step but a continuous activity throughout the entire product lifecycle. One thing is certain: automotive cybersecurity has gone beyond being an option – it has become a prerequisite. Security testing, as a cornerstone, is the key to ensuring technical safety and maintaining customer trust in the era of smart vehicles. 

With an engineering team experienced in automotive cybersecurity, Vietsol is confident in delivering efficient, comprehensive, and practical testing solutions tailored to businesses in the automotive sector. Currently, Vietsol has become a strategic partner for many leading automotive companies in Vietnam. Our vision is to be the top choice for customers in building smart, safe vehicles that comply with global standards.