GB 44495 Vehicle Cybersecurity Testing — What VTA Actually Tests

2026-07-01

A lot of articles describe VTA testing as three categories, with the first being system documentation review. That classification is wrong.

VTA stands for Vehicle Type Approval testing. It refers specifically to vehicle-level technical testing — communication security, code security, national cryptographic algorithms, penetration testing. Things you put the car on a bench to measure. That's VTA.

The information security assurance requirement review — policy document audits, vulnerability management process checks, supplier security agreement verification — belongs to system documentation review and factory CoP on-site auditing. It's independent of VTA testing, doesn't go into the VTA test report, and only serves as a prerequisite for CCC filing. Two separate workstreams. Separate their scheduling or you'll mess up your submission timeline.

What GB 44495 VTA Vehicle Testing Actually Covers

  1. Cybersecurity Technical Vehicle Testing

This is the main body of VTA. Four sub-domains.

Communication security testing. Can the vehicle's communication channels be illegally accessed? TBOX public-network communication encryption strength and certificate chain validation. Short-range communication — Bluetooth pairing, WiFi access point authentication mechanisms — can they be bypassed? V2X direct communication security policies — are they correctly implemented? The testing body uses packet capture equipment and protocol analysis tools to simulate man-in-the-middle attacks, attempting to break communication encryption or inject forged commands into the vehicle CAN bus and Ethernet.

Software upgrade security testing. The core here is OTA channel security. Two-way authentication between the upgrade server and the vehicle. Upgrade package signature verification. Anti-rollback mechanism effectiveness. One easily overlooked point. The automatic recovery strategy after a failed upgrade. The standard requires a safe rollback capability — a failed upgrade cannot brick the vehicle. Testing simulates multiple abnormal scenarios. Tampered upgrade packages. Hijacked upgrade channels. Power loss during upgrade.

Data and code security testing. Critical operation security validation. Can the OBD port flash ECU firmware without authorization? Can the USB port bypass system permissions to directly read sensitive logs and memory data? Does the JTAG debug interface have access control? The testing body uses external devices and dedicated diagnostic tools for interface security scanning.

Cryptographic algorithm security testing. GB 44495 requires national cryptographic algorithms. SM2 for digital signatures and key exchange. SM3 for hash computation. SM4 for data encryption. Testing verifies correct and compliant algorithm implementation, plus whether the full lifecycle of key generation, storage, and destruction has vulnerabilities. Hardware security module embedded key anti-extraction and anti-tampering capabilities are also checked.

One important boundary here. Vehicles sold only domestically are subject to the full SM2/SM3/SM4 national algorithm test suite. Vehicles manufactured purely for export with no domestic registration can get a national algorithm test exemption with a written declaration. No need to retrofit the hardware encryption scheme. Export OEMs, this saves you a security chip redesign cost.

  2. Vehicle Penetration Testing

Penetration testing is the part of VTA you absolutely cannot take lightly. The testing body's penetration team runs a full-spectrum probe of the vehicle attack surface against the CMA-stamped test plan.

Testing must run under near-real-world operating conditions. Vehicle powered on and running normally. All communication modules active. No switching to engineering mode or test mode to lower the difficulty.

Attack entry priority, ranked. TBOX first — it's the main gate for all external vehicle communication. Firmware extraction, communication hijacking, command replay — all of it gets thrown at it. Gateway second — domain isolation policy gaps, critical message filtering compliance. IVI third — application-layer vulnerabilities, system privilege escalation, sensitive data leaks. OBD port and USB port are near-field attack entries. Tougher attack conditions, but catastrophic if breached. Still mandatory test items.

Critical vulnerabilities found during penetration testing must be remediated and pass retesting. The complete stamped documentation package — vulnerability classification list, remediation plan, retest report, closure confirmation form — must be submitted for review. Missing one table and the entire submission gets rejected.

The remediation window is tight. Testing bodies won't wait indefinitely. If you can't close the issues within the test schedule window, the test report marks them as non-compliant. That directly impacts the downstream certification timeline.

  Highest Failure Rate Items

OTA upgrade package signature verification bypassed. Number one. National algorithm performance not meeting spec — actual encryption/decryption latency exceeding thresholds. Number two. OBD port security protection insufficient. Number three. TBOX firmware extraction protection weak, gateway domain isolation configuration gaps — also frequent problem areas.

Grind these down hard during pre-testing. Don't leave them to chance in formal testing.

Let me put some color on the number one failure. OTA signature verification sounds like a solved problem. You hash the package, sign the hash, verify on the vehicle side. Done, right? What we see in testing is that the verification chain breaks at the edges. The vehicle checks the signature but accepts a self-signed certificate. Or it checks the certificate chain but only validates the leaf certificate, not the root. Or the anti-rollback mechanism compares version strings instead of cryptographically signed version counters — trivial to spoof. These are not obscure attacks. They're basic certificate validation gaps that any testing team will catch in the first hour. Fix them before the vehicle goes anywhere near a formal VTA lab.

Pre-submission self-check list. Before sending the vehicle in, confirm a few things. PVID, software version numbers, ECU hardware part numbers match homologation filing parameters exactly. Vehicle network topology diagram is the latest version and matches the test vehicle. Test keys and certificates are pre-deployed to the vehicle and functionally verified. For supplier-provided security components, get the technical documentation and test reports in advance and submit them alongside the test materials.

One more easy-to-miss item. A complete TARA risk assessment report is a mandatory prerequisite for lab intake. Missing this report and the lab rejects the test vehicle outright. We've seen vehicles show up at the lab gate with everything ready except the TARA report, and the lab won't even unload the vehicle from the transport truck. Don't be that team.

  A Few Boundary Supplements

Change retesting rules. After testing, if you swap the TBOX, encryption chip, or gateway firmware, or modify the national algorithm implementation — these are major changes. Communication and cryptographic security modules need partial retesting. HMI text and prompt wording adjustments don't need retesting.

Imported vehicles using UN R155 equivalence assessment get simplified documentation review. But domestic communication security, national cryptographic algorithm, and vehicle penetration testing — all three modules require full retesting. Overseas VTA data cannot substitute for domestic testing.

After certification, the work isn't over. Each year's factory CoP surveillance audit may randomly select a production vehicle for retesting of certain security items. OBD security, national algorithm, OTA signature verification — any of them can be spot-checked. It's not just a document review.

Full VTA reports, vulnerability remediation closure materials, penetration test logs, key management documentation — retained until ten years after model discontinuation.

One last small but non-negotiable detail. After Amendment No.1, submitted system documentation and test plans must have the old CSMS terminology replaced with information security assurance requirements, and the old inspection term updated throughout. Mixed usage of old and new terminology gets the submission bounced for correction.


Need a VTA testing scope assessment for your specific vehicle configuration? Contact BlueAsia Testing's certification consultants at +86 13632500972 (Benson).