Cybersecurity isn’t just an automotive industry concern; it’s becoming a consumer expectation. RunSafe Security’s 2025 Connected Car Cyber Safety & Security Survey reveals how drivers view cyber risks in connected and autonomous vehicles and who is responsible for managing them.
In this episode of Exploited: The Cyber Truth, Paul Ducklin is joined by RunSafe CEO Joe Saunders to unpack what the survey results mean for automakers, regulators, and drivers.
Key discussion points include:
- Why 65% of drivers believe remote hacking is possible
- Why 79% prioritize physical safety over data privacy
- How 87% say strong cybersecurity influences their buying decision
- Concerns about over-the-air updates and the risks of interference
- The role of regulation and industry standards in building trust
- How cybersecurity is becoming inseparable from vehicle safety and brand loyalty
Whether you’re an OEM, policymaker, or consumer, this conversation highlights why cybersecurity must be treated as a must-have feature that is also fundamental to vehicle safety.
Speakers:
Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.
His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and helping all of us to raise the bar collectively against cyberattackers.
Joe Saunders: Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.
Episode Transcript
Exploited: The Cyber Truth, a podcast by RunSafe Security.
[Paul]
Welcome back, everybody, to Exploited: The Cyber Truth. I am Paul Ducklin, joined by Joe Saunders, CEO and Founder of RunSafe Security.
Hello, Joe.
[Joe]
Hey, Paul, great to be here, and I love today’s topic.
[Paul]
I somehow thought you would, because it opens, I don’t want to say a can of worms, because worm has very special meaning when it comes to cybersecurity. But some fascinating insights will come out today, because our topic is what drivers really think about connected car safety. RunSafe Security’s 2025 Connected Car Cyber Safety and Security Survey just dropped, in which 2,000 drivers, i.e. consumers, not manufacturers, not OEMs, not cyber security experts, were asked what they thought about vehicle safety and security. So let’s start with a simple question. Do you think remote hacking of vehicles is possible? 65% of drivers said, yes, I do think it’s possible.
That kind of suggests that 35% think it can’t be done, despite years of evidence to the contrary. What do you make of that?
[Joe]
Well, I think it’s interesting. You noted there were 2,000 respondents. They are consumers.
They’re based in the United States. They’re based in the UK. They’re based in Germany.
And you would think that in all areas, consumers would be well-informed. But since we did a cross-section, I think it is interesting, having interviewed 2,000 people, that the findings are what they are. In my mind, people are generally aware that hacking, so to speak, or attacking cars is certainly possible.
And only a subset believe that they’re fully protected. And maybe the reason there is this confidence gap is in part that people don’t anticipate they would necessarily be targeted. So they can’t envision they would be attacked.
But they somehow know at the same time that it is possible.
[Paul]
I hear you, Joe. I guess what you’re saying is that they’re not really answering, do I think that in theory somebody they wanted to go after could get pwned? It’s more like, what’s the chance that I’ll be driving along the freeway and someone will swerve my car into the armco?
Probably very little. That’s the wrong way to think about it, isn’t it?
[Joe]
Of course, because we have to look at this in a broader sense. And that includes a couple of things. The consequence of an attack could lead to maybe an accident and someone could get injured or even worse.
And also we need to look at it from a kind of an insurance and a liability and different business costs for the manufacturers to produce products that are safe. In my mind, the bigger story is about safety. And this is a factor that suggests that manufacturers should continue to invest in safety.
Safety is one of those key issues that people care about. Naturally, from my perspective, I consider cybersecurity a really important subset to the ongoing safety of vehicles going forward, especially as we get further into various forms of autonomy, whether that’s autonomous driving itself or driver-assisted capabilities and controls that might affect cars on the road today.
[Paul]
So I guess that does sort of explain why 79%, let’s call it eight out of 10 people, said protecting physical safety in connected cars is more important than protecting personal data. But it definitely does not mean that those 80% of people don’t care about protecting personal data. But one interesting thing I noticed, Joe, is that there’s a separate question in there about over-the-air updates.
Now, on that issue, 80% of respondents were concerned that over-the-air updates could be interfered with by cybercriminals. That doesn’t seem to mesh with the idea that only 65% of drivers thought that remote hacking was possible, because I’d have thought that hacking and cracking an over-the-air update is the ultimate form of remote hack because it’s 100% persistent. You basically take over the car forever, and officially at that.
So how do you explain that difference? Do you think that’s just a matter of understanding or of semantics?
[Joe]
Really, as we thought about this internally at RunSafe, we realized that over-the-air updates are probably more commonly utilized in certain types of vehicles that are newer on the market.
[Paul]
Yes.
[Joe]
Let me back up first and say over-the-air updates are essential to fix bugs, to ensure that safety persists on vehicles. And with 100 million lines of code on modern vehicles, there is reason to believe that we should do everything we can. Just as we patch our mobile phone, we should be patching our mobile vehicles because of all the software that’s on it these days.
I think the autonomous features themselves, features that are coming fast and furious down the road. But do all drivers today utilize autonomous features today? The answer is no.
It’s a small subset. And so I think over time, these statistics are going to change. And it’s in part as more and more vehicles are incorporating more and more autonomous features.
And there’s more advanced applications that are used on vehicles, on devices. We will see more and more concerns about over-the-air updates. And I do think in the subset of people that have vehicles that are updated often, I do think they probably have a higher incidence of being concerned about the updates over the air getting compromised.
[Paul]
I guess if we can get there with mobile phones, I’m sure we can get there with cars. And if you’re concerned about updating your mobile phone, you should definitely be concerned about updating your mobile car, shouldn’t you? Not least because most connected cars these days, they include all the features of your mobile phone.
Apps, infotainment, a mobile connection that you don’t even choose. It just comes with the car and always works. They’re a mobile phone and much, much more.
I think the reason that over-the-air updates could be a great savior in the automotive industry is that historically, these kind of fixes have been done with product recalls, haven’t they? Please show up at your dealer within the next six weeks. If you show up, that’s great.
But what if you forget?
[Joe]
It’s very true that not updating software can lead to tremendous risk because you’re still exposed to a vulnerability that’s not been patched on your device. I actually get annoyed now if my overnight updates on my iPhone don’t take place because all of a sudden I’m exposed. I do think it’s just kind of the maturation of the process.
It’s a new environment and over time, people will settle in and just be normal. Like we do with phones, I think with cars, having regular updates will be acceptable at some point for sure. But everyone, I think, realizes the safety aspects of automobiles means that those updates have to be perfect.
[Paul]
And the cryptographic correctness of those firmware blobs that get downloaded and updated is important. I don’t think we should be surprised and indeed should expect that automotive vendors will be even more careful to make sure that the firmware blobs they deliver to their customers will be the ones that arrive and will be the only ones that actually get installed and used.
[Joe]
Exactly right. And I think automotive makers are very cautious about safety violations or risk to drivers’ safety. And so with that, they go through very extensive software testing.
I don’t think we will see the kind of compromise in a software update in vehicles sending something out that hasn’t been tested, as you might see in other domains. Automotive makers know that they do need, in fact, have to adhere to safety expectations not only consumers have, but regulators have.
[Paul]
Absolutely. Having said that, Joe, do you think that standards like ISO 26262, which includes a part called ASIL, which I believe stands for Automotive Safety Integrity Level, particularly relevant for driver assistance, self-driving features in cars. Do you think that will extend to include what you might call ACIL, Automotive Cybersecurity Integrity Level?
Do you think that we will see government-mandated cybersecurity standards for vehicles that can deal both with safety-related firmware updates and what you might call functionality firmware updates, like Infotainment Bluetooth stack? Games, which I see are the latest thing that the car vendors are getting into supplying in-vehicle, cloud-based gaming for your kids while you drive. What could possibly go wrong?
So where do you think the regulators will go?
[Joe]
I think the regulators will stay in the safety arena when it comes to cyber mandates, in all honesty, although I will caution everyone to say that the infotainment systems are an access point onto vehicles from which attackers might jump to another segment of a vehicle and do some kind of cyber attack. Over time, I think there’ll be better network segmentation on vehicles.
[Paul]
By network segmentation, you mean that if you break into the infotainment network, it will be somewhere between very hard and almost impossible to jump across. My understanding in the aeronautic industry, they’ve tended to stay quite well apart, whereas in automotive systems, it hasn’t quite worked like that, has it? The same touchscreen menu that the driver has to select engine-related settings like fuel economy, power boosts, hill start assist, all of that stuff, the very same interface also deals with Bluetooth and what parental controls do I want over the movies my kids can watch in the back seat.
So they have traditionally in automotive not been as well segmented as perhaps they should have been. Would you agree with that?
[Joe]
I would agree, and I think part of it is if you were designing a vehicle from the ground up, quote unquote, whole cloth, you would be able to implement architectures without any kind of legacy dependencies. And we know in the automotive industry, there are subsystems that have been around for dozens of years, if not 30, 40, 50 years. And the CAN bus protocol and the CAN bus itself on vehicles for a majority of cars has been an essential aspect to help deliver messaging from one component to the other.
And so if you were able to design around the CAN bus itself, then you probably could have greater network segmentation as a result. I think there’s a legacy aspect that has affected how security itself evolves. And all of this is changing.
I mean, we’ve come a long way in 10 years since that original Jeep hack, whether it’s 2014 or 2015 at this point, I can’t quite remember. But let’s say 10 years ago when that Jeep got driven off the side of the road due to a remote attack.
[Paul]
That’s the video with Andy Greenberg of Wired driving his Cherokee. I presume he just hired it without telling anybody. The hackers were sitting at Charlie Miller’s house, weren’t they?
[Joe]
Yeah.
[Paul]
They’d done it before. They’d hacked his car while they were plugged into the OBD port. So they were in the back seat.
But this time they said, no, we want to prove we can do it wirelessly. And I just think he made a terrible blunder. He should have made one of them get in the car with him as an insurance policy.
Because they basically cut the car off while he was on the freeway at a part that had no emergency lane. And it wasn’t downhill, so he couldn’t coast and escape at the next off ramp. So yeah, that was a bit of an eye-opener, wasn’t it?
[Joe]
Yeah. And without the same level of publicity in the early days at RunSafe, we had coordinated with the FBI and the Virginia State Police and demonstrated how even law enforcement vehicles could be compromised while law enforcement were driving those vehicles. And it was kind of a scary thought for law enforcement to think that they could be targeted.
[Paul]
Wow, yes. Because even a simple denial of service attack, like where the vehicle splutters or cuts out, or you can’t put the blues and twos, the sirens and the lights on, to attend to an emergency would be quite catastrophic.
[Joe]
Our premise at the time, and I think it’s still in part true, is those badges are potential targets and logos are targets, if you think about fleets. And so there’s other forms of motivation beyond consumers.
[Paul]
For someone to be able to collect data about an entire brand’s fleet, that would be valuable to script kiddies, to cyber criminals, and very definitely to state-sponsored actors, wouldn’t it?
[Joe]
Exactly. And so you might find out route information, you might just disrupt deliveries in general. Imagine the kind of activity that’s done with trucks or delivery companies and logistics companies.
I think UPS, I think FedEx, I think the major trucking companies are pretty sophisticated when it comes to cybersecurity. What’s changing in the industry though is the autonomous nature and the proliferation of software on these devices. So I think 10 years ago, that was accurate.
I think it’s still true, but the landscape is changing with all the different kinds of communication ports that are on these systems and the dramatic increase in lines of code. The risk is changing because of the amount of software exposed.
[Paul]
You know, Joe, another interesting pair of facts to my eyes are one very good and the other possibly even better. And that is that despite the fact that we said only 65% of drivers think that remote hacking is even possible, nevertheless, 87% actually said that cybersecurity, strong cybersecurity would influence their buying decision, which is very good news, isn’t it? And perhaps even more interestingly, only 35% of them said, we’re prepared to pay more for that.
They’re saying, you know what? This is so important that we’re not paying extra for it. We expect it to be in the car in the same way that we don’t expect to pay a premium to have brakes that work or steering that can go left as well as right.
[Joe]
And it points out that I think there is room for regulation when it affects safety. I do think consumers care about safety, as I’ve mentioned several times, but I do think that cybersecurity is top of mind and could be listed as a strength in one’s vehicle, especially given all the complex systems around there. People wanna have confidence that their devices are going to be secure.
If you have a gadget at home, if you have a full network that operates your house, maybe you have a surveillance system. I think if you saw that there’s one surveillance system that is cyber hardened and one isn’t, I think that could make a difference.
[Paul]
Exactly.
[Joe]
And I think in vehicles, people have an expectation that cybersecurity would be there. But again, I would point out that difference, the 87% say strong cybersecurity will influence their buying and 35% willing to pay a premium does feel like a disconnect in one sense. But as you say, it may be because they have an expectation.
I think regulators need to consider that kind of data. I think it’s important for them to consider consumers have an expectation that their vehicles will be safe and secure and it’s not necessarily on them to pay for it.
[Paul]
Yes. And it also suggests that good old market forces themselves could have a very positive influence on cybersecurity because the other way of reading that is 65% of the people surveyed said, we’re not prepared to pay more for cybersecurity, but we’re certainly prepared to pay nothing at all. In other words, we’ll ditch your brand and we’ll shop somewhere else.
[Joe]
And I think it’s important to point out if everything else is equal, maybe the cybersecurity one does break the tie. There are still other main things and main reasons why people buy cars. Say it’s a family driving kids to school.
They want the safety or they want the comfort because someone has a long commute or they use the vehicle for their work and they have lots of communication needs and lots of connectivity needs and they need to make sure that they can continue to operate.
[Paul]
I’m smiling at you, Joe, if you can see me on the video. I’m just thinking, will he mention heated seats and soft closed doors? And those are all things that do influence people’s decisions, but I bet you wouldn’t get 80% of people in a survey to say, yes, I definitely need the soft closed doors.
They can probably do without those, but you did get 87% of people saying strong cybersecurity will influence their buying decisions. So do you genuinely think that strong cybersecurity from a particular automotive vendor will become a major differentiator, but people will look at that in the same way they look at fuel efficiency, emissions, safety ratings?
[Joe]
I do think that vendors or OEMs and automakers today look at cybersecurity from a safety perspective and do everything they can to minimize safety risk to consumers.
[Paul]
Yes.
[Joe]
And so for me, I don’t think that’s necessarily a differentiator. I think it’s a must-have for all vehicles.
[Paul]
Yes, particularly when the safety aspect increasingly depends on the cybersecurity aspect anyway. For example, you’d better secure your over-the-air updates if you’re fixing something to do with braking, steering, lighting, et cetera. So, Joe, that brings me to another statistic which I found intriguing, and that is that nearly 30% of respondents, 28%, said that they weren’t confident that their car is properly protected from hacking.
Do you think that is down to the fact that they’re right, or simply that communications from vendors about their cybersecurity measures should or could be improved? When somebody does have a competitive advantage in cybersecurity in their vehicles, how do they communicate that to consumers without falling into the sales spiel, marketing hype trap?
[Joe]
Yeah, no doubt manufacturers can incorporate cybersecurity into their branding and into their products and give assurances to customers. I think OEMs and auto manufacturers need to put forward a basic level of confidence to all consumers, a seal of approval, if you will, that coincides with safety but also cybersecurity. And one day I hope that is the case, that people will sign up for a form of validation that they adhere to the strictest security methods.
And until then, I think we will have an information gap. I don’t expect that car salesmen or saleswomen will be asking people instead of kicking the tires to hack the car to see if you can break in. I don’t think that’s ever going to happen.
[Paul]
So, Joe, one more interesting set of numbers before we wrap up and summarise. And that was, whom do you believe should be held responsible if a cyberattack on a connected car due to a third-party vulnerability causes an accident? 33% of people said OEM, 20% said OEM slash supplier, 14% just the supplier.
But fascinatingly, 10% of people thought that the fault would lie with the driver. And understandably, perhaps, 10% of people said, look, the crooks, the cybercriminals, the attackers should bear the liability. So what do you make of those stats?
Where should the liability lie? And how can we all do our bit even if we decide it ends with someone who isn’t the attacker, but maybe is the OEM provided the insecure part?
[Joe]
I think ultimately the OEM is responsible for certifying that their car is safe, is secure, does what it says it’s supposed to do, and will operate as expected. And so I believe that these cyberattacks are foreseeable events, even though they are not necessarily predictable.
[Paul]
Yes.
[Joe]
And what I mean by that is there are ways to do mitigation on vehicles that is in fact the responsibility of the OEM. And so with that, I do think it’s funny, like you point out, that 10% of folks said that the driver is responsible.
[Paul]
If the crash was down to the cyberattack, not down to poor driving, what’s the driver supposed to do? This isn’t like a hobbyist computer that they built themselves, thanks to regulations in the industry.
[Joe]
I think maybe respond to the incident and recover and get the car back into a normal operating mode or whatever. However, we do need to be aware and it is the driver’s fault if they’re speeding and it starts to rain and you don’t turn your headlights on. I do think there’s probably conditions in which a driver has to be able to respond to some unexpected event and maintain control of the vehicle.
[Paul]
Yes. On the other hand, if you have a vehicle that says when I detect that it’s raining and it’s not light enough, I will automatically turn the headlights on. While the driver should intervene if they can see that that system hasn’t worked, you would expect that that system would work correctly very, very, very much more often than it failed.
Like the hill start assist. So you don’t use the brake, you just let the clutch out and drive off. If that fails, you’re going to roll back and hit the car behind you.
Now, who’s liable? Is it the driver? Because they should have covered the brake anyway.
Or is it the manufacturer who said, no, this system allows you to drive without using the brake. I suspect that there are lots of open questions there. But it is interesting that there is at least a suggestion that, well, we all have at least a part to play.
Because it wasn’t 99% of people said, it’s the person who made the part. Or it wasn’t 80% of people said, oh, well, the driver should have just been clever enough to fix it. Though I was intrigued that 4% of people said, it’s the regulator’s fault.
A software bug is hardly their fault, is it?
[Joe]
It’s hardly their fault, but they are producing standards against which OEMs and the suppliers should be building their vehicles. To the extent that the automakers themselves are not solving the problem, I do think there’s a backdrop where regulators have a role. But like you said, I think ultimately the OEMs and the suppliers need to have a solid program to build security into the vehicles.
They don’t want to have an accident result from a cyber attack in one of their consumers, one of their passengers, one of their drivers. And as a result of that, they ultimately have the most motivation to ensure that the cars stay safe.
[Paul]
So Joe, I hope you don’t mind if, to finish up, I ask you a very forward-looking question. And that is, if we ignore just the remote hacking of vehicles, the, oh, I swerved you off the freeway and you crashed and there was nothing you could have done about it, what other emerging cyber risks do you think we will see in the automotive industry, in consumer vehicles, in the next three to five years?
[Joe]
I think there could be ransomware. I think there could be locking of vehicles.
[Paul]
Oh, you mean, hey, pay me $3,000 or I’ll melt your car down and it’ll cost you $30,000 to get it fixed by the dealership.
[Joe]
Yeah, or maybe multiple cars are affected and they go after the manufacturer to pay a ransom.
[Paul]
Oh, right, your whole fleet will not start from 10am tomorrow.
[Joe]
Yes.
[Paul]
All vehicles will cut out, pull to the side of the road, and stop. Wow.
[Joe]
So if it’s not really a safety concern and it’s a financially motivated one, I think the deepest pockets are the car makers and not the individual drivers themselves.
[Paul]
Well, it’s hard to see how something like a ransomware attack that stops vehicles would not be a safety concern, because at least some of them are going to stop where they jolly well shouldn’t. If they’re delivering fresh food, then there’s the whole supply chain safety of society problem. So what do you hope will be different, perhaps, or what different questions would you like to ask in future editions of the RunSafe Security Connected Car Survey?
[Joe]
Yeah, I think we probably want to get some comparison data from some of the different stakeholders in the ecosystem.
[Paul]
Yes.
[Joe]
I’d love to supplement this with some feedback about how OEMs are creating standards for their supply chain to incorporate security into it, what the state of the art is there. Also, how are organizations changing their development practices? How are they sharing information about vulnerabilities?
And what information could be shared at which levels to further substantiate bolstering cybersecurity in the vehicles? It is great to get the consumer perspective. I also think we need a little bit more from the OEMs and their supply chain, or even their customers that are not consumers, the fleets.
[Paul]
So rather than just waiting for the regulators to tell the OEMs and the vendors what they need to do, you’d like to see what the OEMs and the vendors are throwing forward to the regulators to say, here are some new standards we’ve come up with all on our own, and this is what we expect you to hold us to in the future. That would be much more proactive and very much the opposite of checkbox compliance, wouldn’t it?
[Joe]
And I think the OEMs are doing a lot with their suppliers even today.
[Paul]
I agree.
[Joe]
I’m encouraged by developing common frameworks and architectures that allow people to have more mature software in these vehicles. Not that it’s been immature lately, but doing more robust framework and architecture development with suppliers so that we can minimize the vulnerabilities throughout the entire supply chain.
[Paul]
Joe, thank you so much for your passion. You know so much about this and you talk about it with such breadth and depth and without getting into any kind of sales spiel mode, I deeply appreciate that. I’m sure our listeners do too.
So thank you very much and thank you to everybody who tuned in and listened. If you find this podcast insightful, please subscribe so you know when each new episode drops. Please like us and share us on social media as well and don’t forget to share us with everybody in your team.
That’s a wrap for this episode of Exploited: The Cyber Truth and remember, stay ahead of the threat. See you next time.


