Connected Car Repair

Episode 193: Repair, Cyber and Your Car with Assaf Harel of Karamba Security

Massachusetts lit the match that started the American Revolution at the battles of Lexington and Concord back in 1775: an eruption of violence in response to the policies of a repressive and distant monarch.

On Tuesday, the Bay State sent another loud shot across the bow of yet another aloof power broker: the automotive industry. Voters in the state approved Question 1, a ballot measure that expands Massachusetts’ automotive right to repair law, giving vehicle owners access to wireless repair and maintenance data transmitted via telematics systems on modern, connected vehicles.

Report: Hacking Risk for Connected Vehicles Shows Significant Decline

Assaf Harel is the Chief Scientist at Karamba Security.

The question, which passed with more than 70% of the vote, was vigorously opposed by automotive manufacturers and dealerships as well as other technology industry interests, which spent tens of millions of dollars trying to defeat the measure, in part by warning about the cyber security and privacy risks of sharing wireless data.

Voters didn’t buy that argument. But the commercials and industry scare tactics do raise important questions about the security risks of connected vehicles and whether modern cars with their always-on Internet connections are susceptible to being hacked.

Episode 186: Certifying Your Smart Home Security with GE Appliances and UL

To dig deep into that question, I invited Assaf Harel of the firm Karamba Security into the Security Ledger studio to talk. Assaf is the Chief Scientist and co-founder at Karamba Security, which provides security solutions for automotive and IoT controllers.

In this conversation, Assaf and I talk about the state of vehicle cyber security: what the biggest cyber risks are to connected cars. We also go deep on the right to repair -and how industries like automobiles can balance consumer rights with security and privacy concerns.


As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 


Episode 193 Transcript

[START OF RECORDING]

PAUL: Each month, The Security Ledger Podcast informs and entertains an audience of thousands of technology and information security professionals.  If that sounds like an audience your company is trying to reach, consider sponsoring one of our podcasts.  We offer per-episode sponsorships of our weekly podcasts which feature news, analysis, and discussion of the most important cyber-security topics of the day, or you can commission a custom podcast to highlight your executives, researchers, and subject matter experts.  To learn more, point your web browser to securityledger.com/sponsor.

[INTRO MUSIC]

Hello.  This is The Security Ledger Podcast and I’m Paul Roberts, Editor in Chief at The Security Ledger.  In this episode of the podcast, number 193…

ASSAF: In terms of SOCO data here, I think here lies the dark side because they understand that instead of selling the device for x-amount of dollars, they can sell you as a product to advertisers and this is a different business model completely.  When you become the product, at least you should know.

PAUL: Massachusetts lit the match that started the American revolution with the battles of Lexington and Concord back in 1775 and on Tuesday this week, they sent another shot across the bow of an aloof power broker, the automotive industry.  Bay State voters approved Question 1, an expansion of Massachusetts’ auto Right to Repair law that will give vehicle owners access to wireless telematics data generated by modern connected vehicles.  The question which passed with more than 70% of the vote was vigorously opposed by automotive manufacturers and dealerships as well as other technology industry interests which spent tens of millions of dollars trying to defeat it in part by warning about the cyber-security and privacy risks of sharing wireless, maintenance, and repair data.

In the end, voters didn’t buy that argument but the commercials and industry scare tactics do raise important questions about the security risks of connected vehicles.  To dig deep into that question, I invited Assaf Harel of the firm Karamba Security into The Security Ledger studio to talk.  Assaf is the chief scientist and co-founder at Karamba which provides security solutions for automotive and Internet of Things controllers.  In this conversation, Assaf and I talk about the state of vehicle cyber-security and what the biggest cyber-risks are to connected cars.  We also go deep on Question 1, on automotive Right to Repair and how industries like automobiles will need to balance consumer right to access with security and privacy concerns.  To start out, I asked Assaf to just tell us a little bit about Karamba Security and the work that they do with automotive companies.

ASSAF: Assaf Harel.  I am the chief scientist and one of the co-founders of Karamba Security.  Karamba Security is a company that is focused on IoT cyber-security, IoT device cyber-security.  We offer products and services to enhance the level of cyber-security of these Internet of Things devices.

PAUL: Okay, so Internet of Things devices; that’s a huge space ranging from huge pieces of equipment down to little webcams in your home, right?  So, tell us just a little bit about Karamba’s technology and the types of IoT companies you guys work with.

ASSAF: I think the question is more towards why would an IoT company even invest — device company even invest in cyber-security?  What we found, we found several sectors that — where cyber-security is critical, mainly because of several factors.  One of them is that they actually have some physical control of our lives, so cyber-security becomes part of the safety question.  You can think of medical devices or transportation, of course, like vehicles and cars and airplanes and trains, et cetera.  You can think of industrial scenarios like the electrical grid or a dam or a factory that is handling some sensitive materials.  The last settings where cyber-security is very important is standard enterprise, so where we have our computers and our smart phones, we also have devices.

Think about router and switches, think about IP cameras, printers.  All these devices can also be part of an enterprise.  It’s quite a shame that we call it standard enterprise attack but we have so many of them.  IoT devices are now pulled into this battle as well.  Another thing that I wanted to say is that many sectors are also standardized and some of the standard requires stronger safety measures and cyber-security is included.  The automotive industry is a very good example but other medical and — medical sector and other sectors as well.  The third and maybe also interesting aspect is that sometimes it is a business competitive decision and we do see companies that want to say our device is more secure than the competition.  Therefore, they will work with cutting edge cyber-security technology.

PAUL: I mean, the conventional wisdom has been in the Internet of Things base for a long time that security is just a cost, that there isn’t much market value to it.  Consumers aren’t selecting for security as they do in other industries.  But you see that — you say that’s changing.

ASSAF: Well, there are certain — so, for — in enterprise, for instance, for sure.  We see companies that are positioning themselves as the most secure thing.  Let’s say, printer or — so, HP for instance, they have a full marketing campaign regarding how secure are their printers comparing to other printers.

PAUL: We talk about threats to these devices, again.  It could be automobiles, it could be network printers, could be industrial equipment and things like that.  What are we talking about generally?  Are these new types of threats or more revisiting some of the old threats and attacks that we used to see maybe targeting Windows laptops, desktops, and servers, but now they’re just targeting devices running embedded operating systems?

ASSAF: Yeah, so I think more than less the same but the reason there is some difference is because we see more nation states there than comparing to some — to the standard enterprise landscape of attacks.  In enterprises, we mainly see ransomware these days.  It’s a very lucrative business to send ransomware because immediately, some of the ransom is being paid.  In IoT we see less.  We also see ransomware but less.  What we do see, we see botnets.  So, the infrastructure that is behind the ransomware is being built on IoT devices and we see nation states.  Like, for instance, the electrical grid in the Ukraine and of course the famous Stuxnet in Iran and things like that.  So, industrial setups are mainly nation states.  The electrical grid, and even automotive; when we are considering automotive cyber-security, some of it are also nation and states looking for ways to — easier ways to control important vehicles.

PAUL: Well, there was this story I think about, somebody trying to bribe a Tesla employee to install some malware within their manufacturing facility, right?

ASSAF: It was a nation state attack, yes.

PAUL: It was a nation state attack, yeah, yeah.  Is that about, as you say, potentially some long-term controlling a particular car driven by a particular person of interest or is it more theft of intellectual property and secrets and…

ASSAF: Yes, yes.

PAUL: …nation state competition around industrial edge and advantage?

ASSAF: I think both but when we are looking today at the — specifically at the automotive industry, we see that most of the hacking of vehicles is actually to steal the car.  So just the stealing of cars became high-tech as well.  You don’t need no — you don’t need the — a school driver.  You need the — an iPad.  With that device, you connect to the car remotely and it just opens itself to you because you have the right software installed, and that’s it.  You can drive the car.  We see that in many different car models.

PAUL: Let’s just talk about attacks.  Obviously when we’re talking about cars, the attack that comes to mind for most people is of course Miller and Valesek’s Jeep Cherokee hack from 2015, I guess, that Wired wrote about and kinda just blew up, I mean, became a huge incident for a lot of reasons.  We’re talking about these ISO standards and stuff.  I guess we know that Detroit and other automakers really started to engage with cyber-security after that little demonstration, as you would expect they would; made some hires, really retooled.  2020; are those types of attacks still possible?  Does this new ISO standard make it more or less likely that those types of attacks are gonna be possible going forward?

ASSAF: First of all, attacks are always possible.  This is something that is very unfortunate in our business but something that is a realization that all industries, in specific the automotive industry, has to understand because again, when they’re writing down their failure mode analysis, they need to understand that some probability will always remain because of the innovative way that researchers are thinking and building new exploits that nobody thought about, that were even possible.  After I put that claim aside, we can certainly build much more secure units, specifically or especially when these units are — they have inputs from external — so, external inputs like the head unit that you mentioned.  There are at least three or three to seven such units in the car.

Take, for instance, a new electrical — electric vehicle that has a charger, right, to charge it with — in a charging station.  This is an input.  The charger talks with the charging ECU in the vehicle and they communicate over some protocol that is well-agreed between all the OEMs.  That protocol has some — if it has vulnerability, cyber-security vulnerability, I can go to your vehicle overnight, connect with some plug that I created and take control of your car, so — and it’s very — the battery is very close to the powertrain, very close to the engine, right?  So maybe I will be able to turn on the engine just by being at the same domain, the same network as the battery.

PAUL: Right.  In the same way that you could walk up to a laptop that was unattended, kind of stick a USB stick into it, load some malware onto it.  I mean, this is obviously how Stuxnet happened and lots of attacks happened.  Same thing with a vehicle.

ASSAF: So, 57 ECUs; this is what we Karamba think is the attack surface.  That’s a 10 ECU, something like that.  Not the 50 or even 100 ECUs that are actually in the vehicle because most of them don’t have an interface, an external interface.  What they’re doing, OEMs and Tier 1s, they are investing…

PAUL: ECU; just define that for — in case our listeners don’t know what an ECU is.

ASSAF: Electronic control unit.  So, the units, when you’re going to the garage and they tell you I have to replace the unit, there are like fifty of them or even more; seventy.  Depending on how new and how fancy is your car, it can be even close to one hundred different units in the car.  But only less than ten are actually externally connected and therefore can be manipulated by attackers.  What we need, we need — so, since these ECUs are now being rigidly developed under the ISO standard, sooner than later, vehicles are going to be much more secure than what Miller and Valasek saw in front of them.  Actually, in reality, most of the vehicles even today are more secure than what Valasek and Miller saw.  I mean, new vehicles, and maybe we still have the legacy vehicles to bring up by means of software update and things like that.  OEMs are working on that as well.  I can tell you that some of the deals that Karamba is involved with, customers I mean, is actually retrofitting vehicles that are already on the road because we now understand there are several vulnerabilities and we want to make our cars — the cars that are actually on the road, we want to make them safer so we are working on that and we are working on new models that are much more [inaudible].

PAUL: Are cyber — software-based cyber-attacks on cars, whether they’re physical, like, you kinda plug the dongle into the port or like Miller and Valasek did, remote wireless; are they a real threat today?  We’ve seen proof of concept attacks from university researchers and security groups and independent researchers but would you consider them actually something that late model vehicle drivers should actually be concerned about, whether it’s a nation state or just a ransomware again?

ASSAF: I think — so, one thing is that they think that stealing a car is a big problem.  It’s not a nation state problem but it’s a nationwide…

PAUL: Yeah, this car, just run of the mill car, then.

ASSAF: Yeah, it’s a nationwide problem that now hackers are very focused on how to steal a car.  It’s a lot of money.  There is a lot of money there, so why not? We have a lot of experience in other industries and sectors to tell you what is — what should be selected and some of them didn’t select — and this is — by the way, part of the problem is the full five years gap because when you make the decision in 2015 but the car is out in 2020, computers are so much more…

PAUL: Just breaking encryption, basically.  Just cracking keys and…

ASSAF: Yes, so I can tell you that some OEMs are working, for instance, on homomorphic encryption and on — the days where RSA will not be secure anymore, the standard RSA that guards everything that we do, right, but they have to think ten, twenty…

PAUL: The first quantum-type thing.

ASSAF: Yeah, quantum encryption and they have to think ten, fifteen, twenty years ahead so the advanced research groups are working on that already exactly because they have to live in the future or they will die.  It’s not a decision.  It’s a business decision.

PAUL: You and I recently ended up — were in a meetup in a discussion, online discussion, with the Boston Network Users Group, BNUG, which is a very old and respected network administrator IT user group here in Boston that now meets via meetup.  We were there on opposite sides of a debate on a ballot question that voters in Massachusetts are gonna vote on on November 3rd, Question 1, which was an expansion of the auto — the state’s automobile Right to Repair law to include telematics.  I was there with this group’s secure repairs I set up to kind of get the security professionals to support digital Right to Repair broadly.  We’re out in favor of Question 1 and you were there in your capacity as expert on automobile cyber-security to really raise some concerns you had about the wording of the ballot in question.  Talk about your thoughts on Question 1 and then let’s talk a little bit about this larger issue of Right to Repair.

ASSAF: So, first of all, I want to talk generally about the Right to Repair.  I think that it’s beautiful.  I think that it’s beautiful that in the US…

PAUL: I’m putting that quote up on the website, actually.

ASSAF: Yeah, sure.  Sure.  I think that it’s beautiful that in the US every dealership can — has the right to the diagnostic information and can repair a car.  I think that it’s one of the things that make America so great, that we maintain, we protect the ability or capability of the small business to stay and operate and be — make profits.  This is something that is very fundamental in the American way of thinking and America — and you know…

PAUL: Let me just add that Americans once again have Massachusetts to thank for that Right to Repair, just like Lexington and Concord, just like they can thank us for the revolution and saying goodbye to Great Britain.  They have to thank us for Right to Repair because there is no federal Right to Repair.  It only exists…

ASSAF: In Massachusetts.

PAUL: …because of the Massachusetts law.  Actually, it hangs by a fairly thin thread but anyway, go ahead, sorry.

ASSAF: I want to say another thing.  I want to say that the OEMs that we are working with in the states, most of them are from Michigan but also they’re spread around different states.  They’re also Americans.  They’re also patriots and they also want to take the car to the local dealership and they understand it and they don’t fight it in that sense, in the sense that we should — and they even — when they try to explain their business model for us, they don’t do it a lot but when they do, they explain that dealerships is a different and separate business and sometimes it’s even franchised, so I’m saying that just to — we are — we explain that we think that the voters should vote no and I just want to say that it’s not because we think the Right to Repair is bad.  The Right to Repair is beautiful, really.

I think that the wording was — so, the wording was not — I’m sure that some cyber-security experts review the wordings.  I’m sure that they didn’t do it without any consultancy but what we identified in the wording as the ability to control the car with specific in-vehicle commands, standardized and unauthorized so that the OEMs cannot authorize anybody to send from — sending these commands.  This is too wide of a way into a vehicle.  In terms of cyber-security, the vehicle is not built to protect against these type of commands very well.  I think that if you go back to my explanations of how to — how do they protect the vehicle, you’ll see that the explanation, the reasons.  The OEMs are very focused on the ECUs that they’re externally connected because what they understand, they understand the attack will start from there and then it will find its way into the internal network.

In the internal network, they have some means of separation between networks by a gateway and other measures like authentication of messages and things like that.  But what we’re afraid of is that cyber-security within the vehicle is not as strong as it is on the external interfaces.  So, what we are giving now the attackers, we are giving them the right not to repair; the right to attack.  You are giving them a way into the vehicle to send commands in a standardized way, in a unauthorized way which means that their first step into the vehicle just became so much more easy than the standard 2020 or 2021 vehicle before that amendment.

PAUL: You know, that is the concern of the vehicle-makers.  Of course, the history of this is automaker voters passed a ballot initiative back in 2012 regarding basically physical access via the ODP — ODB port to the diagnostic information, and the carmakers made pretty much the same argument then; it was dangerous, this data — not everybody should have access to it, it’s very sensitive, the operation of the cars are so sophisticated these days.  It was the same damn argument, right?  But so, I guess my question is — and I think a lot of people — the Boston Globe just came out with an endorsement of yes on 1 but with kind of an asterisk that I think is probably a fair asterisk which is there’s probably more work — this is, first of all, an issue — and I said this in the meeting we were in — this is probably not a great issue to put before voters because it is an extremely complicated question.

ASSAF: Yeah, that is very difficult to vote no against because again, as I said, the Right to Repair is beautiful.

PAUL: Right.  But how modern car repair works and telematics systems and repair and maintenance data, this is — these are fairly — for most people, are not familiar with these types of terms or they don’t really know much about how their car works or gets repaired or anything, so it’s a tricky issue to put before voters.  Of course, it only went before voters because lawmakers of Massachusetts refused to take any action on it in any way.  But in theory, this is kinda why you elect people and send them to — in Massachusetts, Beacon Hill, is to do the research and the homework and think up the smart way to do it, right?  But that didn’t happen.

It may be the case that changes need to be made to this law to address the issues that have been raised.  My issue and kinda what I’ve said, and whenever I’ve been asked are there cyber-security risks to connected cars; my answer is always absolutely.  Sure.  Yeah.  In and that — and Karamba actually put out a white paper on the Question 1 and I think what you — you make a point which is a great point which is if you add — you connect anything to the internet, you’re increasing the attack surface.  I know you know that — and one of the interesting questions is just how rich the surface of these vehicles are.  There are so many sensors and so much data.  I think the figure is like 25 gigabytes per hour of operation for a modern connected vehicle or something like that.

ASSAF: A few gigs.  I don’t think that 25…

PAUL: A few gigs, yeah.  Gigabytes.

ASSAF: Still a lot, it’s still a lot, yes.

PAUL: This is all kind of happening a little bit under the radar for people.  I mean, these capabilities are presented as features and conveniences but my sense is consumers are not — as with their phone, maybe are not quite aware of all the data that’s being collected and transmitted to the automakers from these vehicles and conversely, the risk, the cyber-risk that goes along with that.  Talk about — I mean, ‘cause you work with carmakers.  How much data is being collected and as they add new sensors and capabilities, is there any kind of risk assessment that goes along with those basically product marketing decisions?

ASSAF: Yeah.  So, this is — really depends on the OEM and on the car model.  In that sense, newer and more advanced, fancier cars actually collect more and want to give you more capabilities.  There is still a lot, a lot, a lot of developments under the hood and in the Cloud, so the collecting is easy but doing something with the data, this is still in the works and figuring it out.  Here, a model would be — the value — well, they hope that the value will not take five years because it’s — it becomes a SaaS model where you can develop things online and present it through the infotainment or through something…

PAUL: Which Tesla already does.

ASSAF: Yeah, exactly.  So, everybody looks at the Tesla model and they want to repeat it and whatever they can.  They are working, at least on the info [inaudible] level on bringing it up.  Some are more advanced than the others.  In terms of cyber-risks, of course if you connect something there are risks, and this is exactly why ISO and other standards and the OEMs themselves are looking exactly at these ECUs, at these five, six, seven ECUs that are connected and are sending information outside to enhance and have very strong — and even as we talked about quantum encryption, and even future-looking cyber-mitigations in place.  I think that in the context of the Right to Repair, the Right to Repair is right to demand that data — that can be used, can be used by repair shops and these gigabytes of data that is being uploaded to the Cloud and can be used for repair or will be used for repairs by the OEMs should be shared with the local repair shop.  I don’t think that there is a mistake here.  Probably, the Right to Repair is right in the sense that things that were right in 2012 are not the same in 2020 when the cars are getting more and more sophisticated.

PAUL: Let me challenge you on your position though which is aren’t you basically making a security through obscurity argument that we — this is a system that is by its very nature insecure because you’ve got a car connected to the internet while it’s driving on the road.  But if we can limit the access to the network and to this connected thing, then we can keep it secure but if we have to open access to it, then it becomes insecure and wouldn’t a security engineer say well, then you don’t have a secure system?

ASSAF: Yeah, I think that I understand but security is not only just putting things in place.  I mean, cyber-security technology security is — but when it is being done properly, it is being done against attack scenarios, attack threats, attack surface.  Therefore…

PAUL: A threat model.

ASSAF: …a threat model, exactly.  Therefore, before we opened the car through such Right to Repair requirements, we focused on other attack scenarios and therefore the rest of the vehicle is less secure for obvious reasons.  It was less prioritized and OEMs are still businesses and are still — operate within budgetary boundaries and priorities, et cetera, so they decided to put strong — not obscurity; strong cyber-security measures.  Not just hiding things but actually protecting with encryption and with cyber-security agents and with monitoring, et cetera, on the right interfaces according to the threat landscape that they had.  Now, we are changing that so eventually they will — if it will be changed, assuming the yes vote; and I think the polls are something like 80% of all — yeah, so it’s very difficult to vote no against such a basic right.

PAUL: Let me ask you, is there a way — just to put the wording of Question 1 aside ‘cause people have issues.  People of good intentions can agree to disagree on the wording of it.  Is there a way to do — to achieve what the proponents of this bill who, let’s be honest, are independent — the Auto Care Association and Triple A and the AutoZone and those types of companies — is there a way to do this to achieve what they want in a way that does not increase cyber-risk; it’s neutral on the question of cyber-risk?

ASSAF: Yes.  So, if I would have reviewed the Right to Repair, I would have removed these two sentences that give access to the vehicle — in-vehicle network.  I mean, more access than what they have right now.  I would — focused on the data in the Cloud.  If there is diagnostic data in the Cloud, it should be made — it should be easy for the owner of the — of the owner of the vehicle, right, which is who is the owner of the data.  It should be easy for them to provide it to any diagnostic — to any repair shop by just a click of a button or something or something like that.  No authorization is needed, et cetera.  Just like, by the way, private information like the GDPL that we have in Europe, private information that the OEM is collecting and routes are private and my playlist is private and my list of connections that I shared with — between the smart phone and the infotainment, all of them are private information.  I don’t want it to be shared with anybody and maybe I want to delete it from the Cloud.  So, exactly the same.

PAUL: Yeah.  I mean, you know, one of the issues I have is I kinda see the automakers talking out of both sides of their mouth.  On the one hand, they’re — in their commercials here in Massachusetts, they’re making very dire warnings about how the data collected by these cars could be used to stalk you and figure out where you live or break into your home, all this type of stuff.  On the other hand, they are completely nontransparent about what data they’re collecting, how they’re using it, how they’re storing it and how long they’re storing it.  All of these questions are completely — it’s a black box.  I think CPPA has shed a little bit of light on it in the United States but in general most consumers do not know or understand what their car is transmitting [inaudible].

ASSAF: This is where I would have focused, within the Right to Repair and even within other rights like the right to control my own data, the right to be removed from databases.  Like, we have that in Google and we have that in Facebook and — but to fight Google and Facebook about having these rights was not easy.  Eventually I think that Europe led but also there were some battles in the US as well, and I think that this is the right way to approach this problem and not by providing in-vehicle access to the diagnostic information to send commands, et cetera, because of the cyber-security.  So, let’s even enhance it because of the safety risks that such an opening creates.  If something like that would happen, we will have to do CERT analysis again, understand that the car — the picture has now changed, the landscaped changed.  We need to create different measures against these new type of attack scenarios and we will solve that.  It will just take the time that it takes.  This is one of the things that the OEMs are against in the Right to Repair.  The Right to Repair I think will go — will be mandatory in 2022, and this not enough time for them to accomplish such a…

PAUL: Let me ask you this bigger question which is — the other issue — again, secure repairs is really about digital Right to Repair, so it’s not automobiles specifically.  It’s everything, right?  It’s appliances and phones and medical devices, potentially, and machinery, agricultural equipment.  It seems to me like there’s — one of the things I worry about is that the dynamic that we see playing out here in Massachusetts around Question 1 is kind of the — as they say, the canary in the coal mine.  It’s an early warning of things that are to come.  The concern is that basically consumers end up buying a lot of really cool connected stuff but as a precondition of that, everybody wants to have what Apple has, right?  Apple’s iPhone, iPad, app store model basically becomes everybody’s business model.  It’s one in which they more or less enjoy a monopoly and have total control over the device and the ecosystem.  Apple obviously has been very hostile, generally, to repair, to the point of preventing them from — people from bringing secondhand batteries into the country to use as replacements and third-party screens that might be — so, it’s this — I feel like the gee whiz features that are great features can’t be conditioned on your company getting a monopoly on this product, right?

ASSAF: I completely agree.  I think that nobody will object other than these monopolies.  Even these monopolies, when you talk to the founder of whomever invented the cool innovation that started this company, will tell you I never meant for it to be a dark side monopoly that controls your life.  I just thought it will be cool to, I don’t know, scan the internet and search the internet or, I don’t know, connect everybody together.  Yeah, so I think it’s a very easy question and it’s a very difficult battle because these innovations are — they have the marketing appeal.

PAUL: Yeah.  When you look at Tesla, right, they are obviously the vanguard of connected vehicles but they — I mean, they just sent out a letter to all the Tesla owners in Massachusetts saying vote against 1.

ASSAF: Really?  Wow.

PAUL: Yes.  They have been — there are all kinds of stories about them really trying to frustrate the effort of Tesla owners to do what car owners in the United States and elsewhere have been doing forever which is to modify their vehicles, hot rod their vehicles, just kind of — it’s my car, I want to customize it.  I guess the question is if — I guess it’s okay to do that if you’re no longer — if you just don’t sell — if you just don’t tell people that they’re buying something, right?  If you want to just lease it to them, right, and say here are the conditions under which I’m leasing you this thing but then you’re gonna give it back to me.  Then okay, but when you sell something to somebody, it’s their property.

ASSAF: Yeah, well, what you can claim and I think this is what Apple claims; Apple, what they’re saying, they’re saying I’m selling you a full product and probably Tesla is saying the same which means that it went for rigorous testing.  We tried to think about all the user scenarios.  Now you’re changing things; you’re pulling the carpet behind our — under our legs which means that we will not be able to support you anymore because you’ll bring a new battery and the device will catch fire.  We didn’t test the device; we don’t know that this battery doesn’t introduce a new safety risk that we didn’t consider.  I think this is why they are reluctant, more than anything else in terms of hardware fixes or hardware changes or — in terms of software, in terms of SOCO data, here — I think here lies the dark side because they understand that instead of selling the device for x-amount of dollars, they can sell you as a product to advertisers or to other — and this is a different business model completely.  When you become the product, at least you should know.

PAUL: That’s exactly right, that’s exactly right.

ASSAF: Because you are making a deal.  You are making a deal.  When you are buying Alexa or Google Home Mini for thirty dollars, you know that they are not making a lot of profit out of this transaction.  Something else is going on, right?  You should understand that you are now the product.

PAUL: That’s right.  When you buy that combination scanner, fax machine, color printer for ninety-nine dollars…

ASSAF: Yeah.  You should understand — they should…

PAUL: There’s something — there’s some other thing here that I’m gonna end up paying for.  Right.

ASSAF: Yes, and you should understand that.  By the way, and I think that as generation grows, our kids are more happy for this deal and it’s okay because their life is public anyway.  They’re used to share things and they don’t — they are not afraid of that.  So, okay, so just know that you are the product.  The car will be cheap or even free or even leased or whatever but you, your patterns, your behaviors, your — the things that you like, the things that I can push and you will — and it will click something because you are hungry, because you are somebody that likes this over that.  This will trigger action from you and you’ll make financial decisions based on that.  If you agree to this relationship then by all means, the car is free or very cheap.  It’s not just the car; it’s just like you said, every device.  Every device has some sort of…

PAUL: Yeah.  I used to — I spent my adolescence going into Boston to used record stores and buying vinyl records and CDs to bring home and listen to.  My kids have Spotify and it’s like turning on the tap and getting water out.  They just type in what they want to listen to and it’s there.  But Spotify knows a hell of a lot about their musical preferences and probably a lot more about them as well.  They know that and that’s the business model and that’s fine.

ASSAF: As long as you know that and as long as you can opt out, and as long as you can say you know what?  I prefer my privacy.  Please remove me.  Remove me from this.  I regret; I regret that I did it.  I now want out.  If this can happen and I think that OEMs in cars are not different than any other — these huge companies that control our lives, unfortunately control our lives.  But on the other hand, they provide — you just mentioned Spotify.  Spotify, they bring so much value to our lives.  What we had to do with vinyl records and then CDs and then USB sticks and then media players, et cetera, et cetera, they bring so much value to our lives that maybe I agree to that deal, maybe.  Maybe.

PAUL: I do.

ASSAF: I do as well.

PAUL: I still have the vinyl.

ASSAF: Yes.

PAUL: Assaf, this has been such an interesting conversation.  Thank you so much for coming on and talking to us on Security Ledger Podcast.

ASSAF: Sure.  It was — honestly, it was my pleasure as well and I hope you’ll have me again sometimes in the future.

PAUL: We absolutely will have you again.

ASSAF: Thank you very much.

PAUL: Guarantee it.  Is there anything I didn’t ask you that you wanted to say?

ASSAF: No, no.

PAUL: That was a good talk.  I know you’re busy.  I don’t want to take up too much of your time.  I could talk to you for another hour but we all got things to do.  Okay, I’m gonna press Stop Recording and then just hold the line while it uploads your file, okay?

ASSAF: Yeah, sure.

PAUL: Three, two, one.  Assaf Harel is the chief scientist and co-founder at Karamba Security.

[MUSIC ENDS]

Transcribed by: www.leahtranscribes.com