
Episode 257: Securing Software on Wheels with Dennis Kengo Oka of Synopsys

In this episode of The Security Ledger Podcast (#257), Paul speaks with Dennis Kengo Oka, a senior principal automotive security strategist at the firm Synopsys, about the growing cyber risks to automobiles as connected vehicle features proliferate in the absence of strong cybersecurity protections.



Almost from the get-go, automobiles symbolized a kind of dynamic and restless American identity. The auto industry epitomized the U.S.’s vibrant and innovative economy. With the help of some serious federal dollars, automobiles also became indispensable parts of 20th century American life. By the 1950s, accepted wisdom was that automobiles and the automotive industry were inextricably linked to the well-being of the U.S. – what’s good for GM is good for the United States, and vice versa – as the saying went.

Dennis Kengo Oka is a senior principal automotive security strategist.

But all that romanticizing of cars and the cheerleading of the powerful and influential auto industry forestalled much-needed oversight of vehicles. The auto industry fought calls for federal auto safety rules and requirements for decades, arguing that driver error and unsafe roads were responsible for accidents, not their vehicles.

A four decade delay in vehicle safety regulation

It wasn’t until the mid 1960s that Congress got around to passing the National Traffic and Motor Vehicle Safety Act in the wake of the publication of Ralph Nader’s Unsafe at Any Speed – an expose of how the auto industry prioritized style and features over safety. By that time, automobile accidents were responsible for 49,000 deaths, 1.8 million minor injuries, and $8.5 billion in damages, lost wages, and medical expenses annually. (By comparison, 46,980 people died in auto accidents in the U.S. in 2021, despite the fact that the number of registered vehicles on the roads has more than tripled in the intervening years, from around 90 million vehicles in 1965 to more than 280 million in 2021.)

Since then, the auto industry’s tune on vehicle safety has done a 180 degree turn. Safety features – like airbags and collision avoidance – and vehicle safety ratings are, today, a key selling point for cars. But that focus on safety doesn’t extend to the software that increasingly runs our vehicles.

Vehicle safety? Critical! Vehicle software safety…umm….

As with the advent of the automobile in the first decades of the 20th century, the arrival of the “smart car” in the first decades of the 21st century has been an industry-led initiative transpiring in a vacuum of government oversight, regulation and guidance. The result: exploitable cyber-physical software flaws were documented starting as early as 2011, with a dramatic display of the potential to use software flaws to affect vehicle performance by Charlie Miller and Chris Valasek in their legendary Jeep Cherokee hack in 2015. That same year, autonomous driving features by automobile manufacturers like Tesla cropped up on U.S. roadways. And yet it took more than six years before NHTSA, the National Highway Traffic Safety Administration, began looking into the safety of such systems, following reports of numerous accidents, injuries and deaths linked to the autopilot feature, while comprehensive federal vehicle cybersecurity regulations are still missing in action.

In the meantime, threats and vulnerabilities are growing. Recent research like that conducted by Sam Curry and a team of researchers disclosed wide-ranging, exploitable flaws in vehicle telematics systems by 16 manufacturers. At a leading GPS supplier to major automakers, Curry and his team claimed to have obtained full access to a company-wide administration panel that gave them the ability to send arbitrary commands to an estimated 15.5 million vehicles. More recently, researchers at Colorado State University disclosed vulnerabilities in common Electronic Logging Devices (ELDs) that are required technology on US commercial trucks. Those vulnerabilities could be present in over 14 million medium- and heavy-duty trucks and can be accessed over Bluetooth or Wi-Fi connections to spread malware between vehicles, The Register reported.

That sad reality is beginning to change, as more consumer, media and regulatory attention begins to focus on the cybersecurity of vehicles and vehicle data. To help explore that topic in more depth, we invited one of the most respected experts in vehicle cybersecurity: Dennis Kengo Oka of the firm Synopsys. Dennis is a 15-year veteran of the vehicle cybersecurity space and serves as a senior principal automotive security strategist at Synopsys. In this conversation, Dennis and I talk about the fast and dynamic vehicle cybersecurity space, as automakers scramble to shore up the cybersecurity of smart, Internet-connected, software-driven cars, even as feature development explodes, creating the possibility of more and diverse risks and attacks.

Check out my full interview with Gary above, or view a video of our conversation below!

Video Podcast and Transcript

Video Podcast

You can watch a video of my interview with Dennis below. Check out more Security Ledger podcast interviews on our YouTube channel!

Transcript

Paul: [00:00:00] Hey, welcome back everybody to another edition of the Security Ledger podcast. I’m your host, Paul Roberts, and I am the host editor in chief of Security Ledger. And we’re in the studio today with Dennis Kengo Oka, who is, well, one of the most renowned experts on automobile cybersecurity. And, that’s a topic that we’ve, we’ve talked about and written about a lot, and a topic that’s very much in the news these days.

Paul: So, Dennis, welcome to Security Ledger podcast.

Dennis: Thank you very much, Paul. It’s a pleasure being here.

Paul: So before we get going, tell the folks a little bit about yourself and, how you came to the auto cyber problem.

Dennis: Sure. Thank you. Hi everyone. My name is Dennis Kengo Oka. I’m a senior principal automotive security strategist at [00:01:00] Synopsys. I work globally with automotive customers, such as OEMs and Tier 1s and Tier 2s, all over the world, assist them on various security strategy topics, for example, how to establish a secure software development lifecycle, how to establish security processes and practices within the organization. I’ve always been interested in cyber security.

Dennis: As I was growing up, I was interested in security. At the university, I took all the classes on security related courses, software security, network security, operating system security, embedded security, cryptography and so on. And then I, you know, had opportunity to, to start in automotive security.

Dennis: That’s really been, been my background now for the past 15 plus years, almost two decades now.

Paul: And like you said, you work for Synopsys. I mean, a lot of us are familiar with, I mean, Synopsys is, amazingly well known company and we think about them often around security around silicon, but also embedded devices, but also like what type of work does [00:02:00] Synopsys do specifically around auto cyber?

Dennis: So, especially for the, the Software Integrity Group, uh, within Synopsys, we work with a number of different organizations to help them build more high quality secure software faster. So we provide a set of tools, a comprehensive set of application security testing tools and services.

Dennis: And especially for the automotive industry, we have tools that are very strong in, for example, C and C++, covering various coding rules such as MISRA and AUTOSAR. So we have a very strong focus on the automotive industry. We also have tools that are certified to ISO 26262, so tools that can be used for development of safety critical systems, which again, you have in the automotive industry.

Paul: So, I mean, you’ve been doing this for a number of years and in some ways you’ve really seen or witnessed the birth of auto cyber security or cyber security in the [00:03:00] context of automotive, from 20 years ago, kind of nobody was really talking about this as a thing. These days it’s very much a thing.

Paul: How have you seen the like conversation evolve both within like the InfoSec community and then also on the manufacturer side?

Dennis: Yes, so like you mentioned, like when I started with automotive security, there’s not much going on in that whole field. So coming from a more general security background, I had opportunity to look into automotive security.

Dennis: This is back in 2006, at Volvo Car Corporation in Sweden. So, uh, I was one of the first people there to do some research on automotive security, especially looking at, uh, remote diagnostics and secure software updates over there. And then, uh, doing further research on securing vehicle communication and so on.

Dennis: But as I did that work and went out to present the different conferences or talk to different [00:04:00] companies, I realized there was not much activity in this area at that point. It was a, uh, very interesting area, uh, you know, coming from more traditional, you know, network security, operating system, you know, software security, looking into the embedded and automotive security, and realizing there are so many things that we can do.

Dennis: We can learn from these other industries and we can improve security in the automotive industry as well. Uh, we just need to have the awareness in the industry to realize that we need cyber security, because in the early days, the most common comment was that why do we need security? We have cars already, they’re working as they, you know, as they should, there’s no need to have any security.

Dennis: So that, that was the big challenge, I would say, for the industry to start realizing the need for cyber security. And I think that that took, uh, took many years and it took many of us who are passionate about cybersecurity to, to try to change the automotive [00:05:00] industry, by again, trying to show what can happen if

Dennis: you don’t protect your car, uh, in a proper way.

Paul: If you were to characterize where the auto industry is right now, the manufacturers and their suppliers, with regard to this question of cyber security, and, you know, you know, how prominent an issue it is, and how big of an area of investment it is for them, where do you think we are?

Paul: Are we still, are we, you know, sort of look at like the crawl, walk, run stage? Like, where are we in that evolutionary stage?

Dennis: So it’s a really interesting question because as we see the automotive industry apply more cybersecurity solutions into their vehicles or the entire ecosystem, at the same time, vehicles are also evolving. So you would have different types of vehicles now than you had 10 years ago, 20 years ago.

Dennis: So the good way to look at it is, how fast is cybersecurity kind of following the [00:06:00] regular development or advancement of vehicles? So if we look a little bit about, uh, or back, uh, into history, we saw the early days more focusing on, say, traditional security for the vehicles, not perhaps cyber security, but security in the sense of making sure your vehicle is locked properly and you have your immobilizer and you can prevent car theft. So those type of solutions came as we saw more vehicles being stolen, for example. So, in the early, say, 2000s, we saw a rise of more use of immobilizers using cryptographic functions and so on to prevent vehicle theft.

Dennis: That was kind of like the start of, not cyber security per se, but more security solutions being applied in the vehicle industry. And then you had more research and consortia in the automotive industry, where they looked at secure hardware. So, for example, in 2009, you had the SHE, the Secure Hardware Extension specification released, that provided a lot [00:07:00] of the features to enable security solutions in your car

Dennis: with using cryptography. So that again was another way to improve the security posture in the industry, as well as allow new security solutions to be deployed and then that continued on to early 2010s, but you had more security solutions in your vehicle. And then you also had the, the big presentations at Black Hat and Defcon by,

Dennis: uh

Paul: Miller, and Valasek.

Dennis: And Charlie Miller. And I think that also helped grow that awareness in the industry that this is possible. You can perform these type of attacks on vehicles, and the impact can be huge as well. So I think that, uh, was another level in the industry where we had initial car thefts being one activity to happen.

Dennis: We, we came up with new solutions for that. We had these attacks shown by Miller and Valasek, and now we have to come up with new solutions to prevent that. So I think we’ve always seen this, uh, evolution of new solutions coming in. And nowadays when we move towards more [00:08:00] software defined vehicles, we have this whole mobility ecosystem.

Dennis: So we go beyond the car itself to back end solutions, mobile apps. And that means we also need to protect those parts of the ecosystem. So I think that that’s how we, we see that secure solutions are constantly evolving in industry. But the scope of protection is also evolving. As mentioned initially, maybe it’s just one ECU, for, uh, you know, like your immobilizer.

Dennis: Then it grew to maybe your external facing ECUs, like your telematics units. And

Dennis: now you have the ecosystem, you have your backend solutions and your mobile apps, so you have more and more systems and, assets you have to protect, as well as new solutions you have to apply to that. So, so that’s the evolution I see right now happening.

Paul: I mean, I remember like with Miller and Valasek, which obviously, you know, so cybersecurity reporter got my attention and many others. One of the interesting things that I recall is that, you know, before the Jeep Cherokee hack, which I think it was [00:09:00] 2015, they had done a similar type of attack, but using the OBD2 port, I on a, I think it was a Prius or something like that.

Paul: You know, and they were able to control it and control braking and steering and stuff like that. And as I recall, the, the reaction from the industry was kind of a big shrug like, well, I mean, yeah, but they’re in the passenger compartment and they have access to the port, you know, OBD2 ports. So, I mean, you know, practically this isn’t that big of a deal.

Paul: And, but at the time, of course, all these automakers were either rolling out or about to roll out vehicles with cellular data connections, right? And to me, it sort of struck me like, well, aren’t they putting two and two together and being like, well, okay, there’s a software based attack that has control over,

Paul: you know, cyber physical systems, like actual kinetic systems on the device. And, oh yeah, we’re also, we’re adding this like always on internet connection. So actually you could like, once [00:10:00] that happens and you could get, you know, and like, I mean, was that conversation happening within car companies, like way back, you know, pre Jeep Cherokee to be like, oh yeah, like we got to really rethink our whole approach to security because our risk posture just really is changing as we’re adding these, these connectivity features.

Paul: Or was it more kind of, as we see so often, you know, the hack begets a reaction. And then there’s a lot of bolt on fixes and stuff like that, but there isn’t this sort of anticipation.

Dennis: Yes. So, so there’s actually a couple of research papers in 2010 and 2011 that also the same type of attacks, right? So you had wired type of attacks, uh, OBD2 or directly to the CAN bus, as well as wireless attacks, and I think that it showed technically what’s feasible, but for the automotive industry, as you know, there’s always this risk, uh, level calculation [00:11:00] see how easy it is to

Dennis: perform such an attack and how large the impact could be.

Dennis: So initially, you know, there was not too much attention about these attacks in 2010 and 11, but it’s more when it hit mainstream media in 2013, as you mentioned with the Prius attack, in 2015 with the Jeep attack, where more people, you know, were aware of this type of attack,

Paul: It’s in Wired. Yeah.

Dennis: Exactly.

Dennis: And then, suddenly you also have, thousands of other people looking into this and trying to learn how to hack these cars. So you have many more people, uh, getting into, learning, understanding what are, you know, weaknesses in vehicles, how can you exploit them. So now you have much more attention, uh, than you used to have.

Paul: Car hacking village at DEF CON. Right. right. Yeah.

Dennis: Exactly. So now you have all these new car hacking villages. You have all the security people moving into looking at automotive. And I think that’s partly where you see the automotive industry change their view of this as well, where in the early days, as you said, like, in [00:12:00] 2013, basically, that’s how the vehicles function, right?

Dennis: So there’s not a security issue if you send a command to, you know, tell the ECU to do something. ECU is going to do that. So, it’s kind of like the early days with, uh, with Telnet. Uh, you know, there’s no encrypted communication. It’s all in plain text. But that’s not really a security issue, weakness in that say, or like, well, I’m built it because that’s how the protocol is designed and very similar to the

Dennis: CAN bus.

Paul: Pretty much all of the core internet protocols were sort of pre security. Right. It’s like, let’s just get everyone talking to everyone and then like, you know, security stuff, like,

Dennis: Exactly. So I think that’s part of the, the thought process where the vehicle has its, you know, internal, in vehicle network. It’s isolated. There’s no security in that sense, because you have trusted ECUs, some nodes on that network. And if you connect something to that network directly, like

Dennis: you did in 2013 and you send messages, of course, these [00:13:00] ECUs are going to respond, that’s how it’s designed.

Dennis: So I think that was part of the response from the industry that yes, that’s going to happen. If you connect something and send the correct message, that’s going to happen. But I think in 2015, where Valasek and Miller really showed that, well, we can do this remotely. Yeah. And that really changed the attitude from an industry because

Dennis: uh, yes, if you connect something directly, that’s going to happen, but remotely, and bypassing all these security measures that you would typically have in place, that really show that we have to

Dennis: do something better.

Dennis: We have protect our vehicles. That’s where we saw a lot of investment happening, both in organizations to establish cybersecurity teams, change the development processes. We also saw the, the birth of cyber security standards in the automotive industry. So, 2016, I think was the first release of the SAE J3061, which was more of a, uh, you know, I guess the first cyber security standard for automotive.

Dennis: And that was then replaced or superseded by the ISO [00:14:00] 21434. But it also showed that the industry was very serious about cybersecurity and started forming these, these groups, creating standards, thinking about how do we improve the security posture in the industry.

Paul: So these days, when you think about, or you read about auto cyber, a lot of what you’re seeing is car theft stories, right? You know, CAN bus injection attacks where they’re kind of, you know, you get the thieves on video kind of up under the wheel well, and they’re, they’re finding the ECU there and basically unlocking the doors and starting the car without a key,

Paul: and then stealing it. Is that sort of where the rubber meets the road, pun intended, on, uh, auto cyber right now, or is that sort of like, okay, yeah, but that, that’s a fixable problem there. There are bigger problems to deal with? So,

Dennis: So you’re right. I think we see those type of attacks and that kind of goes back to the early days. As I mentioned with, you know, when you started getting better solutions for immobilizer and so on, a lot of [00:15:00] these new solutions are driven by, for example, car theft or attacks that happened to cause some financial damage or brand damage.

Dennis: So that’s where we see the introduction of, for example, at the time, you know, these immobilizers using cryptographic, uh, functions and so on. And

Dennis: now, as you see, we have those, uh, relay type of attacks fobs as you

Paul: Amplifier kind of amplifying the

Paul: key.

Dennis: Exactly. Or like you say, just, uh, directly plug into the CAN bus and then, you know, unlocking the vehicle.

Dennis: So, those type of attacks have, uh, direct financial damage on vehicle owners and OEMs as well, brand damage for OEMs. Uh, showing that those type of attacks, uh, are possible, and those are very, say, practical attacks because they can happen, uh, can be, you know, uh, performed by organized groups and so on.

Dennis: And we also have the other, you know, type of attacks, which are more of these research related attacks, right? [00:16:00] Where we look at new attack vectors. So you have the V2X, for example, the vehicle-to-X communication. So finding new vulnerabilities in that type of communication. We also look at the EVs, so looking at the charging stations, electric vehicles,

Paul: as a vector for malicious software, for example.

Dennis: Yes, exactly.

Dennis: So that’s another type of attack vector where either you can try to attack the vehicle directly, you can attack the charging station. Uh, you can trick the charging station so that

Dennis: you can basically charge your vehicle for free. So again, a lot of financial incentives are driving these type of attacks.

Dennis: And as he’s mentioned, like, we have the CAN based attacks where you need physical access. I think we will always have some of those attacks because vehicles are out there in the world. People can physically walk up to a vehicle, unplug or, you know, take out the headlamp and try to plug into the CAN bus.

Dennis: So there’s always going to be a physical threat to vehicles, but we’ll also see more of [00:17:00] these wireless type of attacks, as, as, as mentioned with the keyless entry, V2X, we’ll have the, again, physical type of attacks with the EVs and the charging stations. So, I see the attack surface growing as we have more features in vehicles and, you know, it’s, it’s gonna, you have more improved user experience adding these features.

Dennis: At the same time, you also have new attack surfaces you need to, yeah, think

Dennis: when you

Paul: As with every other product. Yeah, right, right. Like you mentioned, I mean, some of these technologies, like the CAN bus technology are quite old. They were, you know, pre pre Internet, and were not really designed with security in mind. They were really about response time and availability and where the, where the priorities. Are automakers looking to replace those with, you know, newer

Paul: protocols and kind of core systems and technologies that are better adapted for, you know, the modern threat environment, and kind of discontinue some of those, some of those [00:18:00] legacy protocols and technologies. Is that something that’s going on right now?

Dennis: We see different types of security approaches being taken in an industry now. So, as you mentioned with the CAN bus tip that, in the early days of designing CAN bus, and, um, the architecture, you would have pretty much a flat architecture so that, if you connect to the CAN bus, you have access to any other ECU on that, that network.

Dennis: So we see changes now in having more isolation, you have some kind of secure design of the architecture so that if an attacker is able to compromise one ECU, they’re only able to compromise or be able to access other ECUs on that same domain or on that network so that you can limit some of the damage, and then you have another security hurdle that you have to bypass to get to the next level.

Dennis: So those are types of approaches we’re seeing. We also see, as you mentioned, improvements to the CAN protocol. We already had the, in AUTOSAR for example, the definition or the specification for SecOC, Secure Onboard Communication. So now [00:19:00] you can have authenticated communication on the CAN bus.

Dennis: So that allows you to verify messages are authentic. They haven’t been modified and they come from the right sender. We also see a shift towards using automotive Ethernet where you, again, can have more security solutions, for example, using MACsec or TLS. So we have more security protocols or security solutions that we can run on, on, on these protocols.

Dennis: But as you mentioned before too, it’s a, we have some of these legacy protocols in the vehicle because there’s still a, uh, a cost versus risk calculation that’s being performed by car manufacturers. So we can see changes into the E/E architecture. A lot of these platforms have been built for many years.

Dennis: So it’s not going to be easy to replace everything at once. So we’ll probably see like a gradual upgrade of certain protocols being replaced. But you’ll still have some features running on simpler protocols because that’s all they need.

Dennis: And you may have [00:20:00] more of the important communication performed over more secure protocols or networks.

Paul: What’s really interesting to me is, there are almost like two different conversations going on with auto cyber. One is the, which is the area you’re really focused on, which is the vehicle itself, the core systems, mechanical and, and software systems that run the vehicle. But then as we know, there’s this whole other application layer, you know, cloud based servers, mobile applications, lots of data and and commands going back and forth. And what we’ve heard about that from cyber security researchers who have looked into it. Sam Curry is one. I mentioned a lot Mozilla Foundation did a big report on this, you know, not not super encouraging what they’ve found in terms of the application security around some of these peripheral auto applications and infrastructure.

Paul: Just from your experience working with automakers, are these like two separate channels within these organizations or do they actually look at this as, as part of a whole, like the, you know, the application and the hardware, like the cloud and the hardware, it’s all part of the whole, and we’ve got to think holistically about

Paul: how attackers might move from one to the other or how a vulnerability here in this web server might actually give them access to a, a vehicle going 60 miles an hour on the highway. Like, is that conversation happening or is it sort of different camps within these large organizations, each making their own stuff, but not really thinking in terms of the, the overall risk.

Dennis: Yes, so that’s a really good point, and it goes back a little bit to what I mentioned about the attack surface is expanding. Uh, so you had teams before working on securing the ECU, for example, hardware security, securing the in vehicle network, and then the architecture, securing the, the vehicle itself from external facing attacks.

Dennis: And then you have the cloud side, mobile apps and so on and big challenge that I’ve seen is because they grew, I would say naturally from protecting, you know, hardware, to larger systems to, you know, the vehicle and so on. Then you add on the cloud side and mobile side.

Dennis: Naturally or traditionally, they haven’t really had a, uh, you know, holistic view of the security solution, because they’ve been developed in different areas, and I would say that still in many organizations, you have different teams and different departments working on these different areas. The challenge now is when they start communicating with each other and you, you’re able to say, unlock your car from your mobile app, or you have some features on your web app that allows you to control your vehicle, that the security threat analysis that you’ve done on your web app before now could include, you know, impact that can cause

Dennis: injury to a human on the vehicle side. And that was probably not something that was originally included in the scope of your threat analysis of the web app, for example. So I see that we need to have these teams working together. We have to think about end to end solutions, because again, you risk

Dennis: having teams working in silo.

Dennis: I’ll protect my application, uh, on my unit, but I’m not sure what it’s going to happen on the other side, right? So, I think we need more teams working together to make sure that you do protect the whole ecosystem. It’s just a challenge where everything becomes more complex and you larger systems and, again, more attack vectors you have to consider.

Dennis: But I think part of that development is making sure that you know where your assets are, what kind of communication you would have with them, what kind of control or what kind of impact they could have

Dennis: on, on your system so that you can put requirements on these other systems that are communicating with the system that you’re designing and developing.

Dennis: So I think that is going from the isolated point of view to more of a, who am I talking to, who can control my functionalities in my system I’m designing, I can put the right requirements to secure my system, making sure

Dennis: that everyone else who’s talking to me is also secure. I

Paul: Mm hmm. I mean automakers have always had among longest and most complex supply chains, right? Of components for these vehicles. So, I mean, supply chain management and security around, you know, integrity and identifying counterfeits and stuff like that. I mean, automakers are, have always been the forefront of that.

Paul: But as, you know, increasingly software, you know, the supply chain conversation is these days often about software supply chain, you know, open source, third party code, you know, internal first party proprietary code and kind of where, where risks can work their way into. Do you see that conversation happening in the automotive space as well?

Paul: So, you know, they’re very sophisticated on the vehicle supply chain, but are they as attuned to software supply chain risk?

Dennis: That’s a really good point. And, and we see that’s happening now in the past few years where [00:21:00] software security, supply chain has become a really big topic. And as you mentioned, you have, uh, again, you know, looking at software defined vehicles, for example, you have larger software code bases coming from multiple sources.

Dennis: Uh, you have your in house development. You have your third party supplier code, open source software. You have auto generated code from, from various tools. And now lately as well, you have AI generated code as well, that you have to consider. So you have all of the different types of code, right?

Dennis: And, and now you need to understand how can that piece of software affect my system that I’m designing or developing. And attackers can see this as well that it might be hard for me to directly attack a certain software or hardware, uh, sorry, uh, ECU for a vehicle, but if I can maybe target a software supplier and inject some malicious code there,

Dennis: then that’s going to get included in, in the whole chain of, you know, suppliers, and finally ended up in a, in a vehicle. Could be a [00:22:00] backdoor, it could be whatever it is. So that approach of, you know, taken by attackers is also changing, which is why the industry has to look at not only protecting my code that I’m developing, but every piece of software I receive from any supplier, I need to verify that that also doesn’t contain any malicious code or doesn’t contain any additional weaknesses or vulnerabilities.

Paul: Sure. It’s a SolarWinds, you story, but across the whole economy, right? I mean, it’s not just automotive that has this, it needs to be having this conversation and looking at SolarWinds or 3CX or whatever, you know, as, as a, as a cautionary tale, I guess.

Dennis: Exactly, and maybe just to add to that is the added functionality now with software updates over the air. It’s not only during the development of the vehicle that you have to make sure that software is included in a proper way, but now you have features that allow you to update your software after release as well.

Dennis: And that’s another huge attack vector where attackers could potentially inject their code [00:23:00] into that software update. So again, we have to look at how do we protect this whole vehicle ecosystem. You have even some entertainment systems that allow you to download third-party apps and plugins and things like that.

Dennis: That could be another attack vector. So it might be outside of the original control of the. And now you have these new attack vectors again that you have to look at when you, when you want to protect your vehicle.

Paul: I mean, I’ve definitely talked to threat researchers and stuff who will sort of say, like, listen, you know, it’s only a matter of time with just the explosion of the Internet of Things and, you know, connected everything that ransomware groups clue into the fact that, like, well, we’ve, we’ve got this B2B model, but like, let’s go B2C, you know, let’s start putting ransomware on refrigerators and automobiles and people’s driveways.

Paul: Like, that’ll really, you know, it’s a much bigger, much bigger sea of, you know, potential victims that we can attack. Do you think the manufacturers see that as a potential risk and [00:24:00] are prepared for that? Or is it going to once again fall to the bad guys to lead by example, and then everybody will just react and respond to it?

Dennis: So I think that’s also a very interesting topic. So ransomware, vehicles, there was some research done a few years ago. They showed, for example, your entertainment system could get infected by ransomware.

Dennis: So when you are about to, you know, take your car and drive off, there might be a, a screen on the entertainment or a message on the entertainment system saying that, you know, uh, your car has been locked and you have to pay this much, unlock your vehicle. From the auto manufacturer’s point of view, I think what’s important to understand is, how do you prevent such attacks from happening on a large scale?

Dennis: So, if a ransomware occurs, you want to make sure it’s at least, uh, isolated as much as possible, so that if one vehicle is infected, another vehicle cannot be infected very easily. Because if you have this happening to millions of vehicles, that can cause a huge damage. But if it takes a lot of effort from one, you know, or a [00:25:00] team of cyber attackers to create this ransomware for one vehicle, and it’s going to take the same amount to do it for a second vehicle, then at least you have some design and some solutions that can prevent this from scaling easily.

Dennis: So I think that’s one way of looking at, uh, we can’t prevent 100 percent of these type of attacks. We can make it harder for attackers to perform these type of attacks on a large scale. So I think that that’s the main point. Another part is making sure that when you do your initial threat analysis and risk assessment, make sure you consider those type of threats.

Dennis: Ransomware is a threat. How do you design your systems? Maybe you have some additional countermeasures. If you detect something like this, can you somehow go into a fail-secure state, allow certain critical features of the vehicle to work? Maybe everything won’t work, but at least you can maybe drive your vehicle and, you know, take it to a safe location. So things of that, like, how do you have some kind of safe state where the vehicle can revert to if there [00:26:00] is a cyber attack on the vehicle?

Paul: Right, right. Kind of isolating the core functions of the vehicle from of attack.

Paul: Okay, so I would be, you know, me, I’m very involved in the right to repair as an issue. Do you have time for one more question?

Dennis: Oh, yes. Yes. Sure. Sure. Yeah.

Paul: One of the issues, questions that often comes up with the right to repair in the context of automotive is cyber security. Automakers suggested that, you know, opening up vehicle telematic systems to independent repair car owners would pose a cyber security risk, that, you know, it can’t be done securely.

Paul: And so we need to be the ones who control that. This is a bigger question. This goes beyond automobiles to really this notion of reuse and circular economy, you know, that we need to, we need to be able to repair and fix and maintain our stuff. Manufacturers, often not automobiles so much, but other types of manufacturers often just walk away from their products.

Paul: You know, they stop maintaining ’em and doing security updates. And so the owners are kind of left in the lurch, like, well, how do I keep, you know, keep this thing [00:27:00] running? And that is potentially an issue that could affect vehicles down the road as well. What are your thoughts? Are these two things, you know, repairability, um, maintainability in tension with cybersecurity, or is, can you have both? Can you have both cyber secure and more or less open in terms of maintenance and repair and stuff like that?

Dennis: That’s a very good question.

Dennis: I was in a number of different areas or things that you need to consider for this type of solution. So now, on the one hand, having or providing the data required to perform repairs, I think that that would be something that third-party repair shops and so on have access to, right?

Dennis: Because then they can perform the repairs they need to do. The challenge is how do you provide that data, because the OEMs are typically collecting that data and you need to make sure that you provide that data to the right dealer, at the right time, the right type of data.

Paul: And in some kind of time limited, right? It’s not a permanent open [00:28:00] door. It’s, you know, you have this window right? Yeah.

Dennis: And I think that that’s where I see some of the challenges of how can I make sure that if my repair shop can only have access to my data for 24 hours, for example, and this type of data, perform this type of repair, I don’t want them to access other types of data from my vehicle. Maybe there’s some privacy related topics there.

Dennis: And also I don’t want them to access the data after. So can I revoke the access somehow or make sure that they can’t keep accessing my data? That whole system of making sure that as a user, I can feel comfortable that my data is only accessed by someone that I give permission to for a certain amount of time, for example, and certain type of data.

Dennis: And from an attacker’s point of view, that system that will provide all of this access to data is going to be a very, very lucrative target as well, because maybe I can pose as a, you know, third-party repair shop and say, I need access to these vehicles and I can get all the data. How do I authenticate that I’m an authorized dealer?

Dennis: Or maybe there’s even weaknesses in that [00:29:00] communication protocol, that vehicle portal, whatever they need to build. Who is responsible for ensuring security for that portal? Maybe I can perform some injection attacks there and extract all the data from the database. So those are the type of security threats that would exist.

Paul: So those threats exist with the OEM systems. I mean, that’s kind of what Sam Curry was showing you. Like, those, those threats are there for, with the OEM system as well. Are there, are there vehicle makers, not, maybe not consumer, but commercial? I mean, is it, are there, are examples of that kind of open? I mean, I know we have it with, you know, the physical access, the OBD2 port, right?

Paul: Like, that’s already a thing, right? Independent repair shops can plug in under the get all that. But when we look at it, like, wirelessly and the more modern telematics system, are there examples of systems like that, that are both secure, but also open to third parties and non-dealers, non-authorized owners and independents as well?

Paul: Are there examples of [00:30:00] that, that we know of?

Dennis: So I’ve only seen in the past when they, like, OEMs would release a version of their diagnostics tools that you plug in, you know, over OBD2 port, you would have maybe some limited functionalities. You can’t perform all the things that an OEM can do, but you can still access some of the data and you can perform some of the diagnostics, the function tests and, you know, reprogramming and so on.

Paul: Things you need to complete repairs, right?

Dennis: Yes, exactly. But I think there’s still some features, uh, security related features that OEMs want to keep to themselves. It could be related to, you know, intellectual property or, you know, secure, uh, algorithms and things like that. So there may be some features that you would have to take it to an, you know, official OEM dealer to have fixed.

Dennis: And I think with the telematics data, that’s the challenge of how do you separate something that is a non security related data that, you know, you can provide to third-party repair shops [00:31:00] and what is security related data that the OEM should have access to only and make sure that, you know, it’s protected.

Paul: Is that data separate now, or is it all basically in the same stream?

Dennis: Typically now it is, uh, should be separated in a way, and especially for the OEM to make sure that some of those security features are only accessible by authorized dealers. I think that that’s where the challenge is. If, how do you make sure that you can provide, especially now when you collect so much more data from vehicles, how can you still provide some of that data to all of these different dealers in a secure manner?

Dennis: Again, you need to have that platform set up. You need to have different authorization, access to certain types of data to certain dealers and so on. I think that that’s really where we are on how do we make sure that we can do that in a proper, secure way to avoid any potential, you know, security incidents from happening.

Paul: Dennis, is there anything that I didn’t ask you that you wanted to say?

Dennis: One thing I did briefly mention before that I also think [00:32:00] it’s becoming, you know, very relevant nowadays is the AI topic. So we see a lot more focus on AI and automotive industry. So AI being used for development, code generation, as mentioned before, and we have the big challenge of using AI for code generation is, for example, the code that’s being generated, you can’t assume that it’s safe and secure code as being automatically generated from your tool.

Dennis: There might be vulnerabilities or weaknesses in that code. So it can create a false sense of security that if I just ask AI to write my code, I’ll get the perfect code. So that’s one thing where we’re trying to make sure that we have to still be careful with the code that’s being generated by AI systems.

Dennis: We still have to do our testing of that code, scanning it, finding weaknesses, vulnerabilities as any type of software that you write. There might also be license compliance problems because that code could have been trained on open source software projects and now generate code that’s actually using that open source software project and you [00:33:00] have that license tied to that as well.

Dennis: So, we’re really trying to make sure that AI has a lot of benefits. But you also have to consider challenges are still there with AI. But definitely we see also new solutions with AI for, you know, developing more secure software, with, for example, providing more information to the developer, how to fix a problem, how to do some, uh, auto triage and auto fix issues, automated testing.

Dennis: So definitely a lot of benefits in using AI, but also being cautious of the results that you get from AI systems.

Paul: Its knowledge of code is based on code written by human beings, so, you know,

Dennis: Yeah, yeah.

Paul: buyer beware, right? Yeah, and we all know human beings are fallible. Um, yeah, Dennis Kengo Oka, Senior Principal Automotive Security Strategist at Synopsys. Thank you so much for coming in and speaking to us on Security Ledger Podcast.

Paul: It’s really been a pleasure.

Dennis: Thank you so much, Paul. It’s been a pleasure being here. I really appreciate your time today.

Paul: Yeah, we’ll do it again.

[00:34:00]
