A Chat About CyberSecurity with Dr. Steven A Wright

[00:00:02] Hello everyone and welcome to Kilowatt, a podcast about electric vehicles, renewable energy, autonomous driving, and much, much more. My name is Bodhi and I am your host. And on today's episode, we have an interview. But before we get to that, just kind of want to give a little introduction here.

[00:00:19] So, at the moment, you know, we live in a very hyper-connected world, even compared to, you know, what it was five years ago. If you drive an electric vehicle or really any modern vehicle nowadays, you're not just driving a car, you're driving a computer that's constantly connected to the internet and it's collecting data and sending it back to, you know, like the mothership, whatever the mothership happens.

[00:00:49] What's the difference to look like? Now, this does bring a ton of convenience, for sure, but there is a downside. And that downside is a whole new landscape of different vulnerabilities that can come from software exploits or even basic social engineering, which is something we'll talk about in this episode with our guest, Dr. Steven A Wright, who honestly has a very unique background and perspective on this.

[00:01:18] Dr. Steven A Wright, who is a very unique background and perspective on this.

[00:01:40] Dr. Steven A Wright, who is a very unique background and perspective on this. He's also the author of a book called Securing Your Data Supply Chain, which I'll put links in the show notes to all of this. And in this particular episode, we're going to talk about security risks surrounding EVs, e-bikes, autonomous vehicles.

[00:02:08] We'll talk about, you know, we'll talk about, you know, different threats when it comes to deep fakes and data poisoning. This is a very accessible interview. We don't dive deep into any of these topics, but, you know, what I wanted to do is have Dr. Wright on so that we can discuss this so we could keep everybody's, you know, we'll say digital hygiene nice and tight.

[00:02:34] There are so many bad actors out there. And the more connected our world becomes, the more vigilant we need to be. So having said all that, let's welcome Dr. Wright to the show. Glad to be here. Thanks for having me.

[00:02:51] Steven, you have a very unique background. I've had lawyers on the show. I've had people who are involved in like cybersecurity on the show. I don't think I've had somebody who does all in one. So why don't you tell people just a little bit about your background?

[00:03:07] Sure. So my educational background, I have a MBA, a PhD in computer engineering and a law degree. My main focus at the moment is, well, it's really around the sort of problems that companies get into where they need people with all three expertise.

[00:03:28] So typically I'm helping one part of the organization translate what's going on in another part of the organization and helping them sort out those problems. In general, this tends to be things in cybersecurity or the legal issues around that or the data governance. Again, the legal issues around that trying to explain the legal problems to the technical folks and the technical issues to the legal folks.

[00:03:56] Now, that is an amazing way of putting that because obviously if you're an engineer, you're not going to speak lawyer. And if you're a lawyer, typically not going to speak engineer. And there's lots of room in between that to have misunderstandings. So that's fantastic. And both groups tend to get very upset when the CEO says, but what about the business? Why are we making money?

[00:04:24] Yeah. Yeah. I would imagine it's even worse when you get a marketing person in there in that meeting. Yeah, they have a different axis of iVerbally, yes. But that comes with the territory trying to figure out who's your audience and what they're looking for. But today we're talking about electric vehicles. Yeah, let's start on that because we're living in a much more connected world than we were even five years ago.

[00:04:54] So, you know, if you have an EV, you know, there are several points that could, several access points that could be a vulnerability. You know, you could have somebody who's hacked a charger, for instance, and maybe that's a vulnerability or some small part that is a connected part that some supplier didn't secure in terms of, you know, a way in.

[00:05:17] So let's talk a little bit about, you did some research on some different vulnerabilities with electric cars. You want to start us off with those? Sure. So I'm glad you mentioned the charging because it's more than just the electric car. And indeed, there's more things than just cars to worry about. It really does help to think about the broader ecosystem. So with your electric cars, you've typically got some charging arrangement.

[00:05:44] Otherwise, your car is a very expensive ornament somewhere. And that could be home charging or that could be some public charging network. And typically those charging networks have cloud backends and some charging system operator that's administering who gets to use those charging systems. And once you get to that point, then you've got to have personally identifiable information about, okay, which account's getting charged?

[00:06:13] How do you identify who it is that's making use of the service and preserve all that data from a sort of payments perspective? And so the charging points themselves and also the cloud backends and the apps that access those cloud backends, all of those things become potential target areas for attacks of various kinds.

[00:06:38] And there have been some breaches of charge point operators that have exposed the sort of PII, personally identifiable information of owners of EVs, for example. So that's one area of vulnerabilities. There's other issues around EV chargers themselves.

[00:06:58] The public EV chargers are perhaps a little more robust than the private ones because you tend to have some physical security around the private EV charger. So it's typically inside your garage, although it doesn't have to be. You could put it outside and let your neighbors use it. But there's those issues. There have been cases where people have attacked public EV charger locations.

[00:07:27] There's cabinets by the side of the road where you can plug your car in. I guess from the early days of the initial EVs, a lot of the software to access the chargers was all proprietary. But there have been some protocols standardized around communications with charging systems.

[00:07:51] These are more focused on the mechanics of getting the data backwards and forwards that they need to get those systems to operate. And they've been criticized in terms of the level of encryption and authentication that's associated with them. So they may not be as rigorous from a system point of view as you'd like to see. Yeah, I don't think a lot of people, I mean, people typically do listen to this show and other shows like this have a better understanding in general.

[00:08:21] But I don't think a lot of people have an understanding of, like, if you go to Joe Bob's Chargepoint in, you know, wherever. We'll pick Tempe, Arizona. That's just where I live. And there are so many layers of different organizations. There's somebody that's taking your and processing your credit card. There's the company that built the cabinet. There's, like you said, the folks on the cloud side. There's folks monitoring it to make sure that it's not down. And all of these things, it's not all necessarily the same company.

[00:08:50] Like, Tesla would typically be. They built everything. I'm sure they probably still use some third-party stuff. But for the most part, it's Tesla's supercharger. But that doesn't necessarily mean that's going to be the case for every charge point operator out there. Which, like you said, leaves a lot of room for exploiting vulnerabilities. Yeah.

[00:09:14] The more people you have in the chain, the more attack points there are between all of those parties. And I guess that's, that may be perceived as a strength for somebody like Tesla that has the sort of soup to nuts approach. Have you ever heard of any sort of malware or anything like, even if like through Pondone or some other contest like that, were they able to put something on the vehicle itself through the charger or vice versa?

[00:09:47] I don't know of a specific attack against the vehicle coming through the charger. There have been attacks. A lot of vehicles have not just the charger connection, but also have over-the-air software updates. And so that's another attack factor. And there have been some compromises there.

[00:10:15] There's been compromises through systems on the vehicle, like the in-vehicle entertainment infotainment systems. Sometimes those have been hacked. And then once they get that compromised system in the vehicle, then it can move elsewhere within the vehicle into other systems. And if you go around the vehicle and think of what other communications entry points are there into the vehicle,

[00:10:43] there are contactless interfaces to sometimes both the chargers and the vehicles. And sometimes those can be exploited. So those are things like near-field communications and RFID interfaces. They typically don't have as much security as some of the more rigorous protocols for more rigorous communication protocols

[00:11:12] or banking security type protocols. I think the other dimension to think about is what's really the target of the attack. Is it the vehicle itself? Is it the charging station? Is it the back-end systems with the payments? Are you trying to, with the charging station and even the vehicle attacks,

[00:11:38] is it really against those devices or are you trying to destabilize the grid in some ways from the power by having power attacks on the grid? Yeah. Or are you trying to do some unsafe power delivery into the electric vehicle itself, whether that's to destroy other components or degrade the batteries? So there's a lot of different targets associated with this as well.

[00:12:06] It's not just a financial attack on somebody's account or some provider in the chain. Now, I've been doing this for almost 10 years now. I haven't really heard of anything in the wild. Are these theoretical or are these just things that people have done in a lab? Or have we seen some of these things out in the wild? There's been some of these things out in the wild.

[00:12:34] Not all of them, but some of them, I think all of them have been done in a lab. It's then a matter of have the systems been patched to protect against what's been discovered in the lab or how serious is the vulnerability. So let me talk about it from the sort of software vulnerability perspective.

[00:12:58] You have a big supply chain of software associated with all of these systems. So the way almost everybody writes software is you're including libraries from elsewhere that other people have developed. And then you need to, these are typically open source software.

[00:13:25] And so then you need to continuously check whether there have been any vulnerabilities detected in that upstream software. And so most software development organizations have been in various stages of maturity trying to follow some government directives about trying to have a more rigorous bill of materials for the software components in their supply chain to understand what these components are.

[00:13:54] Are they on the latest versions? Have they updated everything? And so forth. But it really is an ongoing challenge for the software developers to keep that stuff up to date because it's not just the software they're developing. It's all of these other pieces from upstream have an ongoing risk of vulnerabilities being created either from newly introduced code for feature upgrades in these other patches

[00:14:24] or it's somebody finally discovered a vulnerability in something upstream and it takes time to get those things patched and rolled through to your production environment. And so this is the kind of thing that you may have seen some headlines from Enthropic with their Mythos product where they discovered a lot of vulnerabilities that were already existing in code bases.

[00:14:51] So that's something that needs to be resolved. And it's not always easy to resolve those vulnerabilities directly from the final users of the library because it's managed by some upstream party that may take time to get fixes injected. Yeah. And for folks who don't know what Mythos is, it's a tool that Enthropic released to like 20 different companies to find vulnerabilities.

[00:15:20] It's really good. It's an AI tool, really good at finding different vulnerabilities. But not everybody has it. Like a small company like Slate, for instance, although Slate is mostly owned by Jeff Bezos. So maybe there could be some sort of deal on that side of things. But a small company is typically not going to have it. It's typically given to like an HP or a Microsoft, that kind of thing. Yeah. I mean, there are other tools that do similar things.

[00:15:48] It's just I think you could use OpenAI's codecs to do something similar. And I think there are other tools that aren't AI related that help you search for software vulnerabilities of different types as well. The point is, how rigorously do you search and how quickly can you act on the results of the search? I mean, ultimately, it's a big advantage.

[00:16:12] But also, if you have a small team fixing these bugs, all of a sudden, all of these organizations are now having to deal with, how do we fix all of these things that we didn't even know, didn't even have a clue were a problem? Yeah. And it takes time to do that. And you may not have direct control of an upstream source library.

[00:16:40] So for your listeners who aren't directly in the software business, let me try and explain. Usually, particularly in open source projects, you have a large community of volunteers that are maintaining that software. And depending on how active the community is, you may have a mechanism where you can report a bug. And then over time, those folks will work on their bug list and improve the software.

[00:17:09] And they have people reviewing their checks to make sure they're doing what the fix is supposed to do. But these are all either unpaid volunteers or there are other companies that are in the ecosystem that have a financial incentive to... You'd also think like a moral, right? Because they are using from the open source and there is an expectation that you contribute back to the source code. Yeah, but there's a... Or the project.

[00:17:38] The issue is the sort of response time and performance. How quickly can you get a fix? And that's... Even if you're XYZ e-vehicle company and you discover a fix and you've got a big team of software engineers. But the problem is in some upstream software community, if you're coming in new to that community, how quickly can you get a fix through that community's process? Oh, yeah. That's a good point. Right.

[00:18:04] If I miraculously found a problem in the Linux kernel and I've got to get Linus Torvalds to approve it, that might take a while. Yeah. Right? Just part of the challenge of mitigating these things. But the good news is lots of people are working on fixing these things as problems become detected. And I kind of derailed you a little bit. I don't want to get too far off topic because I apologize.

[00:18:34] Now, with some of the other vulnerabilities that you were researching, is there anything else that stands out to you? Several things. Let me go back up at a very macro level and you look at EVs as a category and your mind tends to go to things like cars, like Teslas. But there's a much broader range of EVs.

[00:19:01] There's a lot of e-bikes and e-trikes and things like that that people are using. There's drones and other unmanned vehicles. And then there's things like the Jetson 1, these personal flyers and robo-taxis and stuff like that.

[00:19:17] So, there's a much broader variety of electric vehicles that consumers may be engaged with, either as an operator or as a passenger in various robo-taxi services, whether terrestrial or airborne. And so, how do you issue a safe safety in that environment, right?

[00:19:38] Because there's certainly different consequences if a drone falls out of the sky versus if your stereo on your Tesla or whatever brand EV suddenly starts playing the wrong channel. So, there's a much broader range of consequences here. And then there's the consumer protection for information. You talked about financial information.

[00:20:07] But I think there's other privacy issues around location, for example. And so, there's quite a few different areas to worry about. Sure. Sure. With that, you know, if we were to look at... I mean, we could turn this into a very scary episode. And I don't want... Like, all of these things exist. But they exist for anything that's... Even things that are air-gapped.

[00:20:32] You can still have somebody come inside your air-gapped network and throw a USB in and put malware on the system. Like, this stuff happens everywhere. And there are dedicated people who are trying to stop it. And there are dedicated people who are trying to cause more problems. Whether it's, like you said, to steal information, personal information, or to cause chaos.

[00:21:01] But with that, you know, what do you see in terms of different vulnerabilities in the supply chain? We kind of touched on this a little bit in the beginning. Like, back in the day, when photo frames came out where you can just hook a frame up to grandma and grandpa's... An online frame, a digital frame, to grandma and grandpa's house. Meanwhile, it had no security. And it just left the whole network open to different types of vulnerabilities.

[00:21:30] Not that an average person would necessarily have to worry about that. But, you know, the same kind of thing can happen in a supply chain. The smallest part from the smallest company could potentially be an entrance point for an attacker, like you said. So, kind of how do we shore up that supply chain?

[00:21:54] I think you really have to have all of the players in your supply chain take cybersecurity seriously. Which, maybe that has a number of different ways it gets expressed. It may be contractual requirements on subcontractors who are supplying components, for example. It may be industry standards or government regulations around understanding your bill of materials

[00:22:18] and keeping things within a certain range of what's the currently recommended versions. It may be educational as well for the users of these systems to be aware of what kinds of things are out there and the ways in which scams can happen so they can be vigilant for that kind of thing. Ooh, yeah. That is a good point.

[00:22:46] The whole, what is it called when you hack a person? I'm blanking. Identity. Social engineering. Social engineering, yeah. Yeah, social engineering is another whole direction we could spend a long time on. But I think the thing I would say there is as the underlying systems get hardened, the easiest vulnerability remaining is the people at the top, right?

[00:23:15] So more and more attacks target the people rather than the systems. And that's an even bigger problem with the advent of readily accessible AI systems because it makes it so much easier to generate things like deep fakes, to engage in things like data poisoning or data suppression,

[00:23:40] which is errors of commission and omission in the information that's made available to you. So you need to be vigilant for those kinds of things. What would that look like? Like what would somebody, working that kind of an attack on somebody, what would that look like and what should somebody look out for? Well, the short answer is I wrote a whole book on that. I can put the link in there. No, no. I know. I know. I did research.

[00:24:09] So deep fakes is the obvious one. And just the first thing is awareness. You've got to be aware that this stuff could be happening. So for a consumer perspective, the example I tend to use that people resonate with is something like revenge porn. Whether that's your favorite political enemy or whatever, dancing in the inappropriate clothing,

[00:24:38] or a more serious deep fake where there have been some attacks on companies where you had the CEO in a Zoom call where all of the other participants were deep fake videos and not real people scamming the company. Data suppression and data poisoning is messing with the information you're receiving.

[00:25:02] So just because you make an inquiry on Google or ChatGPT or whatever and get some answer back, what can you do to verify that information? Can you ask somebody else? Can you verify it in some other way? The simplest example is if you're using an AI system to collect your information,

[00:25:26] all of these ethical guardrails and safety rails that the promoters of these systems talk about are in some way filtering or misleading the results coming out of those systems. And so they're either emitting information or they're putting new information in which is not correct. So for example, there were some cases of people generating images

[00:25:53] images of George Washington, but he was portrayed as a black skin color, which was factually incorrect, right? So it's that sort of thing going on. And there's various efforts to suppress information. The most obvious suppressions tend to be political type topics. You could imagine if you're using an AI system to do shopping for you and the vendor of your AI system has cut a deal with vendors in the area that you're asking,

[00:26:23] to promote their products and they're being returned and not competitive products. You could see how that could be an incentive that would not be helpful to consumers. And so you need to be aware of that kind of thing. So with this, right, there's not a lot you can do if someone throws malware on a charger, right? You as a person, there's not a lot you can do to protect yourself.

[00:26:50] This kind of all relies on the companies that are doing all this. You know, every one of all of those companies that are in the stack that we talked about, all the different layers, it's on them to make sure that their security is tight. What are some things that consumers can do up to and including like being able to like report when they think something is compromised?

[00:27:19] Yeah, I think the, it's just firstly awareness and then knowing who to report things to. So most of the chargers that I'm aware of, you tend to be using an app with them rather than putting a credit card into the machine kind of operation. Because there have been card skimmers and things like this in the ATM industry. And I think they've generally tried to avoid that in the charge point operators.

[00:27:49] But if you have apps on your phone, then you, as you as the operator of your phone, need to maintain reasonable operational hygiene or security hygiene on your phone. So keeping, not downloading spurious apps that you don't trust from wherever, keeping your passwords safe and not repeating them.

[00:28:14] That kind of security hygiene, which is regrettably not as widely practiced as it should be. But I think that's kind of the things that are within your control. And then being careful about what information you're sharing and how you're sharing it. So that may unfortunately mean you need to read the terms and conditions of all of these apps that you've put on your phone to see which ones they're sharing with

[00:28:41] and which ones, which things you can actually turn off. There are, like I was just asked recently to go on a show to talk about different accessories or apps that I use with my car, my, my, I have a Model Y. And, uh, you know, is there any app? The question was something like, were there any apps that you use to like check your car in, in, in more detail than what Tesla's app gives and blah, blah, blah, blah, blah, blah, blah. And I was like, I don't do any of that.

[00:29:11] I don't, first of all, I'm not putting anything on my car that's going to void my warranty because I don't have that much money to eat that. And second of all, uh, you know, I don't know, like if I open up this, uh, to this third party company and early on I had several companies, uh, app companies that were like, Hey, do you want to use this app? I didn't have a Tesla at the time. So it really wasn't a big deal, but I still wouldn't have used it.

[00:29:36] Cause you're just, you're just Joe working in your bedroom, in your spare bedroom. Like, I don't know what you've done to, to, you know, make sure that this information isn't getting out and I don't know what you're doing with this information. This is terrible. It seems like a terrible idea. So, um, yeah, I don't, I don't throw any third party stuff on my car or apps cause there are plenty of apps out there that will, that'll surface just tons of information about what your car is doing. And that's cool.

[00:30:05] But who, who else is getting that information? Where does it be? Like GM got in trouble for sharing customer data to insurances. You know what I mean? It's not like, there's lots of stuff out there that we don't need more data just to leak out and we don't need to be the cause of that leak. Yeah. Yeah. I mean, if you're, I guess that is another point. I mean, you need to consider that you could be the cause of the leak. So it may be that this other app is perfectly legitimate and it's taking all good efforts

[00:30:35] to take care of things on its end. Um, but because their app is on your phone and your phone gets hacked, uh, then you've, you've not only exposed to your information, but potentially you provide a, uh, a vector into somebody else. So, yeah, it's, it's, it's sometimes the ease of use gets ahead of, um, thinking of thinking through the consequences. No, a hundred percent.

[00:31:05] And you know, if you're, if you're tired and you're, you're hungry and you're just trying to get something to work, all of a sudden, all of those spidey senses that you might have, they go away real quick. If you're just like, okay, I'm just going to turn off all of this safety so I can just get it to connect and then, you know, maybe I'll go back and fix it later. Oh yeah. That, that happens way too often. Um, which is where, uh, most organizations have layers of protection to try to prevent

[00:31:33] you from doing that, or at least do whatever is sandboxing or scoping to, um, minimize the blast radius when you do things like that. Um, and that's, that's, um, a lot harder for consumers to do. Most, most of whom don't even know what all the settings are on, on their phones. So, yes, I will say my wife knows almost nothing about technology, but she is a zealot when it comes to like cybersecurity. Like if somebody sends her a sketchy text, she's like, Hey, just be aware.

[00:32:02] I re in, she, this goes out to the entire family. My 13 year old, my 30 year old doesn't really matter. It goes out to every, my father-in-law goes out to everybody. Be aware of this is happening. Uh, she is constant vigilance, uh, with that one. That may sound a little overkill, but I think that's better to be safe than sorry. Yeah. I mean, this is, uh, I mean, this isn't security and this stuff isn't my job. It's more my hobby.

[00:32:27] But, uh, when, when it comes to making sure that, uh, you know, uh, everything's safe, I, I, that is fully my wife. She'll be like, have you heard of this? I'm like, I have, she's like, should we be worried about it? And I was like, probably not. We're not, we're not presidential quality. They're not looking for us, but, um, we, we will make little adjustments here and there to make sure that when, especially my, my 13 year olds, cause they're, you know, young

[00:32:56] and impressionable and have phones, make sure they're, they're aware. Well, Steven, thank you so much for coming on. Um, you mentioned you had a book. Can you tell us a little bit about your book? Sure. Uh, the book is called Securing Your Data Supply Chain. It's available on Amazon. Um, and it talks about those, um, emerging data threats, the deepfakes, uh, data suppression,

[00:33:26] um, and data poisoning. And, um, why enterprises in particular need to worry about their data governance. And, and all of those threats are either generated from AI or they're massively magnified by the, the easy availability of AI systems. And yes, you can use AI to fight AI, but you've got to be aware of the problem and you've got to have systems set up in your company to check the data as it's coming in and, uh, make sure it's,

[00:33:57] it is actually valid and not just faked in some way. There's good information, not only for the security and CISO team, but also like everybody. Yeah. Now you, you and me as consumers, we, we don't have a security team backing us up on everything. Um, and so it's just my wife. Exactly.

[00:34:21] It's, it's much more an issue of awareness and education on the consumer front and just, um, having a certain amount of critical thinking and yeah, this doesn't smell right. You know, um, for, for, for most, for the average consumer, um, you're probably not going to be the target of a nation state nefarious attacker that's has the resources to do all of this stuff.

[00:34:47] Um, you, you may be the, um, um, unfortunate, um, bystander to some random script kitty who's sent something out there that, that, that has a sufficient blast radius to catch, catcher people. Um, and so that's more of the, um, the kinds of things most consumers need to be aware of and, and do what they can to, uh, avoid.

[00:35:14] I mean, that's kind of within the feasible range of control. And so that's, that's what I'd suggest folks worry about. Awesome. Uh, where, where would people find you? Are you, you're on LinkedIn or where else are you that people can go and follow what you're doing? Sure. Uh, you can find me on LinkedIn or you can find me on X. Um, and I do have a mailing list and a small, uh, YouTube channel. Uh, so it's at Dr.

[00:35:43] Stephen, a right on X or Twitter and on LinkedIn. It'd be the easiest way to find me. And I'll put all of the links and the proper spelling of Stephen and right in the show notes as well. Fantastic. Thank you very much. Thank you, Stephen. All right. I want to thank Dr. Stephen, a right for coming on and being such a great guest. This was, uh, honestly, this is kind of, I'd like to do more stuff in the realm of cybersecurity

[00:36:11] and EVs and autonomous driving and stuff like that. Cause I do think this is really important for us to keep tabs on. I know a little bit, but I don't, I don't know a lot. I mean, it's just a fraction of what somebody who actually knows what they're talking about. I barely know a fraction of a fraction. So, uh, it's good to get somebody on who actually knows about this stuff. If you'd like to know more about what Dr. Wright is up to, I put all of the links in the show notes.

[00:36:41] So it's nice and easy for you to find, because I don't know if you know this, but there's a famous comedian named Stephen Wright. So if you try putting in Stephen Wright into Google, you're going to get him 99% of the time. So just to make it easier, I put all of Dr. Wright's links in the show notes. So I would highly encourage you to go and follow him and, um, yeah, watch it. Check out his YouTube channel, follow him on LinkedIn, all that fun stuff.

[00:37:10] And if you do let them know you came or heard him on kilowatt. All right, everybody, if you want to support this show, you can go to support kilowatt.com. There you are. You're given two choices, uh, supercast or Patreon. If you want to support the show, that that's where you do it. And all of the money goes back into the show. None of the money from Patreon or supercast goes back into my own pocket. And, uh, yeah, you can sign up for as little as a dollar.

[00:37:40] I try to keep it really affordable. All right. Uh, I think that's it. Uh, I hope y'all had a wonderful week. Uh, next episode we'll be talking news. So be good. And I will talk to you soon. If you liked the show, please take a moment to rate, review, and subscribe. It really does help the show to grow. Thank you for listening.