Robust Cybersecurity Is the Vehicle's New Airbag

Digital protection in vehicles is now as critical as steel, airbags, and crumple zones. Regulations demand evidence, and it is the practical tests that determine whether a vehicle’s cybersecurity truly holds.

Vehicles today are advanced systems that communicate with apps, cloud services, service workshops, and production environments. This enables new functions and services, but also increases the number of risks. That is why processes and documentation alone are not enough. Security must be tested in real-world scenarios and continuously monitored throughout the entire vehicle lifecycle.

You can compare digital protection to the physical structure of a vehicle. Blueprints and specifications show how it is supposed to work, but it is only during testing that you find out whether the protection actually holds.

How cybersecurity is tested in practice

Ahead of type approval under UNECE R155 and ISO 21434, Assured verifies security in everything from individual components to full vehicles.

"We have tested countless automotive components, and we have performed full-vehicle tests where we go through everything – from diagnostic ports and internal communication channels to infotainment, telematics, Wi-Fi, and Bluetooth," says Alexander Alasjö, Senior Security Specialist at Assured.

Penetration tests reveal what’s hidden

Penetration testing is performed both outside-in and inside-out – as simulated attacks showing how a real attacker would behave. Tests examine what an app can access, whether a user can obtain more privileges than intended, and how the vehicle communicates with cloud services and backends.

"We discover vulnerabilities in internal protocols, network architecture, applications, and wireless connections. The attack surface in modern vehicles is enormous," Alexander explains.

New functionality on old architecture

A recurring challenge is when new functionality is built on top of older systems. In such cases, the entire platform can limit how secure the solution can become.

"You cannot build modern security on an outdated foundation," Alexander notes.

Just as you wouldn’t expect state-of-the-art crash safety in an older car, you cannot rely on digital protection built on obsolete architecture.

Reports are not enough

New regulations require manufacturers and suppliers to demonstrate how they manage threats, risks, and processes. The recommendation is to build documentation around evidence—not the other way around. Let real attacks drive what is documented, and link each risk to reproducible findings and measurable effects of mitigations.

"The most important thing is real-world validation. You cannot determine from a report alone whether something is secure – it must be tested by experts," says Alexander.

"Many solutions work well in a protected IT environment. But when the same technology is moved into a vehicle, the conditions can be entirely different. You cannot make the same assumptions about how the system will be used or protected," adds CEO Jonas Magazinius, PhD in Computer Science, with long experience in cybersecurity both in theory and practice.

Witnessed testing – the vehicle’s digital crash test

One of the critical steps in type approval is the witnessed test. During this process, an authority or technical service is present and selects specific test cases to review in real time.

"During witnessed tests, we must demonstrate traceability throughout the entire chain – from requirements and risk analysis to test cases, tools, environments, logs, and evidence. Everything must be reproducible: same steps, same results, even with someone watching," Alexander explains.

Each test must also be directly linked to R155 and ISO 21434. This requires clear logging, controlled versions of tools and data, and documented handling of evidence. If any part is missing, the results lose credibility.

Just like in crash testing, there is no room for assumptions. The outcome is black and white – either the protection holds, or it does not. For manufacturers, the result can mean either a green light to market or a blocked launch.

Euro NCAP for cybersecurity?

The next wave of automotive development makes this need even more apparent. AI and V2X communication (Vehicle-to-Everything) enable new functions – such as vehicles communicating with each other, with infrastructure, and with traffic lights to avoid accidents or improve traffic flow. But each new channel also becomes a potential entry point for attackers.

A common rating standard for cybersecurity—similar to Euro NCAP for crash safety—would give both manufacturers and consumers a clearer picture.

"We still lack a shared understanding of what “good enough” means. A vehicle can be approved without truly being secure. We need something equivalent to Euro NCAP for cybersecurity," says Alexander.

Research and industry in synergy

Assured has roots in both IT security and the automotive industry. This combination enables us to merge practical penetration testing with training, workshops, and research projects. For over a decade, we have collaborated locally with Chalmers and industry actors in Gothenburg’s automotive cluster, as well as internationally with leading European vehicle manufacturers.

"Bringing together research, processes, and real-world attacks gives us a unique position," Jonas concludes.

Contact us or leave a message below to discuss how we can help you meet cybersecurity requirements and achieve type approval. We provide expertise in penetration testing, risk management, and secure development of embedded systems and applications.
