The Electronics Era editorial team interacts with Mr. Jonathan Jay Turla of VicOne. Equipped with proven automotive threat intelligence to support large-scale connected car deployments, VicOne delivers cybersecurity solutions that support OEMs and Tier 1 suppliers in their defense against evolving threats and their compliance journey with new regulations.
With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro’s 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles.
Electronics Era: Nowadays, consumers demand better in-vehicle experiences, and modern cars already feature extensive connected technology, not just in EVs but also in traditional vehicles. Increased connectivity and the trend toward Software-Defined Vehicles (SDVs) amplify hacking risks. So, according to you, how can we overcome these hacking risks?
Jay Turla: Right now, we see a lot of risks because vehicles are increasingly becoming connected. For example, modules such as TCUs, or telematics control units, allow the vehicle to be connected to the network. Now, imagine if hackers bypass these systems. They can potentially control certain parts of the car, and this has already been proven. There is a lot of research and publicly available information on hacks of this nature.
What is the role of companies in addressing this? OEMs are aware of such attacks and, consequently, collaborate with cybersecurity solution providers. For example, they use virtual security operations centers. This is one of the products we offer at VicOne. If someone tries to send a malicious message to a component of the car or hack it (e.g., unlock the car), these systems can alert the owner or block the attack.
Additionally, a community of security researchers and automotive companies, including OEMs, works together to address these threats. There are global forums where current threat landscapes are discussed. For example, VicOne is a member of such communities, and we are aware that OEMs are becoming increasingly proactive in implementing security solutions.
Furthermore, some automotive companies are running bug bounty programs. These programs involve ethical hackers finding vulnerabilities in their systems. For instance, we hosted an event called 2024 Automotive Pwn2Own, and will hold it again on January 22-24 in Japan, where researchers who successfully identify a vulnerability in a vehicle module can be monetarily rewarded, and the total prize awarded is more than $1,000,000 for the findings. Although the reward seems significant, it pales in comparison to the costs associated with a recall, which can be much more expensive. For example, in the U.S., the standard cost for a recall is $7 per vehicle. Multiply that by millions of vehicles, and the cost becomes astronomical.
Back in 2017 and 2018, I participated in an event called “Car Hacking Bug Bash,” organized by an automotive company. It invited 20 researchers who were tasked with hacking cars. The findings from these events contribute significantly to improving vehicle security.
Currently, the automotive sector is showing interest in solutions like threat intelligence. Companies like ours provide insights into ongoing attacks—not just targeting vehicles but also customer accounts. For example, there are reports of customer accounts being sold on the dark web. Threat intelligence also focuses on identifying the devices used by attackers.
One such device is a keyless repeater, which amplifies the signal of a car key stored inside a house. This allows attackers to start the engine and unlock the car without the physical key.
Electronics Era: Vulnerabilities in connected cars are like entry points for water flow—hackers can exploit any weakness. How are you addressing zero-day vulnerabilities for comprehensive protection?
Jay Turla: So that’s one of the things—how do we address this? We have things like zero-day initiatives.
Basically, Trend Micro has what they call a zero-day initiative and Pwn2Own. This helps to make them aware of vulnerabilities through disclosures by researchers. For example, they reward researchers if they find vulnerabilities, such as zero-day vulnerabilities.
So that’s one of the things we do. Then we offer solutions to mitigate the findings identified by researchers. Like I said, there are multi-projects that track and address the bugs being discovered.
Electronics Era: Automotive data, including driving habits and vehicle health, offers valuable insights. So, how would GenAI adoption increase data’s value and incentivize data monetization?
Jay Turla: There is already GenAI for Qualcomm; they are developing a processor focused on in-vehicle systems. For that, they are offering GenAI, which interfaces with their product for driver assistance and improving the entertainment systems.
Now, from there, GenAI is also recording certain data. So that’s data as well. However, with GenAI, there are privacy risks. For instance, someone could jailbreak the GenAI system, gaining access to information about the user’s driving locations.
By jailbreaking the server, the attacker could pinpoint where that user is and sell this information to the target. This highlights that the data is vulnerable.
Electronics Era: Looking ahead to an early integration of cybersecurity into vehicle design, given the long life cycle of automotive production and rising cybersecurity regulations, how do you think it benefits both OEMs and consumers?
Jay Turla: OEMs save money because, for example, “recalls” are expensive. For the customers themselves, they get assurance regarding their privacy risks. Additionally, vehicle safety is enhanced, as there are ways to attack critical parts—not just controlling or unlocking the car, but also behaviors like spoofing the brakes or killing the engine, which could pose significant security risks.
There is also an ISO standard, ISO 21434, which addresses vehicle security and vehicle cybersecurity. This standard is being widely adopted as it ensures not just safety of OEMs but also safety of passengers. By bolstering cybersecurity, OEMs save money, and users are better protected to enjoy the new applications and better driving experiences while using their cars.
Also, branding is a big element for OEMs too. Vehicles are assumed to be a safe space to stay in and to carry people to different places, so a reliable and secure image is required to help OEMs sell their vehicles.
Electronics Era: Kindly elaborate on how VicOne’s solutions, such as the X-Nexus platform, support Indian automotive OEMs with cloud-based threat detection and intelligence, bolstered by white-hat collaborations like Pwn2Own Automotive.
Jay Turla: Two days ago, we met with an Indian OEM, and this OEM is one of the top three Indian OEMs. They are very much interested in the xNexus platform.
The xNexus is a cloud-based platform where we provide threat intelligence feeds and allow them to be alerted if someone is attempting to attack one of their vehicles. This aligns with our product called xCarbon, which is based on the detection model or system for vehicles.
If deployed in a car, it can alert the system if someone sends a malicious message to the vehicle, such as attempting to control the brakes. Since this is an anomaly, it triggers an alert. They are very interested in threat intelligence and anomaly detection in vehicles.
Electronics Era: What are VicOne’s expansion plans in India to collaborate with Indian automotive companies?
Jay Turla: We have plans to collaborate, which is why two days ago, we actually met with an Indian OEM. We are trying to secure a deal and collaborate with them one step at a time. They are also building something that we are interested in, and I believe they are equally interested in this collaboration.
If we secure this deal, we plan to expand further. I hope to see us hiring engineers as well.
In addition to the existing automotive companies, various startups are also emerging in the Indian automotive sector within a short span of time.
Electronics Era: Along with the existing automotive companies, various startups are also emerging in the Indian automotive sector within a short span of time. What is the message you would give them to raise awareness about threats in all vehicle types, including passenger, commercial, e-bus, so that automotive cybersecurity is proactively embedded in vehicle design?
Jay Turla: My message really is to attend hacker and security conferences because you can meet some hackers there. I think it’s interesting to collaborate and attend tech talks like the Auto EV. By doing so, I’m pretty sure you will gain insights about attacks, as there will be speakers besides me who are also experts in security.
To OEMs, please be mindful of your cybersecurity, build your cybersecurity team if you’re new, and invest in cybersecurity solutions. To car users, please be aware that the car can be hacked too; a cyber-secured car will save your life and also your data privacy when you’re using the applications in the car.