Empowering Tomorrow's Automotive Software
The automotive industry is experiencing change at a tremendous rate. The software-defined vehicle is leading the future of mobility - the car is rapidly becoming an electronic device on wheels. Empowering Tomorrow's Automotive Software will look at how electrification, automation and connectivity are impacting the industry, from changing the development process and software architecture to how data is generated and processed.
The podcast is brought to you by the experts at ETAS, leaders in automotive software.
To learn more, visit etas.com
Produced by ETAS Inc.; Madelyn Downs, madelyn.downs@bosch.com
Imprint and contact information:
ETAS Inc.
15800 N. Haggerty Road
Plymouth, Michigan 48170 USA
contact.us@etas.com
Infrastructure Hacking and Autonomous Vehicle Security
In this episode, ETAS host Zane Pelletier speaks with cybersecurity expert Tiffany Rad about the evolving threat landscape in automotive and transportation systems. They explore autonomous vehicle vulnerabilities, supply chain risks, insider threats, and the role of AI in embedded systems. Tiffany also shares insights from her work in industrial control systems and space cybersecurity, offering guidance for students and professionals entering the field.
If you want to learn more about some of the challenges mentioned in the episode, see below:
- https://www.cyberdrone-challenge.org/
- https://www.cyberauto-challenge.org/
- https://www.cybertruckchallenge.org/
00:00:02 Voiceover
Welcome to the Empowering Tomorrow's Automotive Software Podcast, brought to you by ETAS, a single source of cutting-edge software and hardware solutions that make automotive embedded systems safe, smart, secure, and sustainable. Each episode, we'll be joined by ETAS and industry experts to discuss how electrification, automation, and connectivity are impacting the automotive industry. Now, sit back and enjoy the discussion.
00:00:32 Zane Pelletier
Hello, everyone. Welcome to the Empowering Tomorrow's Automotive Software Podcast. I'm your host, Zane Pelletier. I'm an automotive security tester. And today I'm very, very proud to welcome our guest, Tiffany Rad. Today we're going to be discussing topics along the lines of automotive autonomous vehicle threats.
00:00:53 Zane Pelletier
We're also going to talk about some supply chain issues and maybe some other manufacturing vulnerabilities, and also get into the nitty-gritty with testing autonomous vehicles in the field, and potentially also what it takes to practice offensive cybersecurity in space. Today, we're very lucky to have someone who has been hacking and defending transportation infrastructure for two decades now. Tiffany Rad is the CEO of two companies, ELC Networks and Anatrope.
00:01:22 Zane Pelletier
She has 20 years of cybersecurity experience, specializing in vulnerability research on vehicle embedded systems, intellectual property analysis, and industry standards and legislation. In addition to her day job, she also teaches cybersecurity at UC Berkeley and the University of Maine.
00:01:39 Zane Pelletier
Among her many accomplishments is her research that was listed as #4 in Top 10 White Hat Hacks by Bloomberg and was featured in 2013 in the Discovery Channel's documentary, The Real Story, Live Free or Die Hard, based on the movie by the same title. Welcome, Tiffany.
00:01:57 Zane Pelletier
To get started here, I just want to ask you if there's anything else you wanted to tell us about yourself. And a question that I always like to ask people in this field, how did you get into hacking cars? What was kind of the origin story for you? And why are you still so passionate about this after so many years?
00:02:16 Tiffany Rad
Hi, Zane. Thank you very much for having me. Yeah, I very much enjoy this topic, and I teach this topic to undergraduate and graduate students to get more students interested in doing testing of automobiles and other things in critical infrastructure, and as you mentioned, soon, space systems. I got into this by, I was interested in the idea of what hacking was when I was in college,
00:02:40 Tiffany Rad
but later on in grad school in particular, I moved to the state of Maine, where they have some fantastic off-roading over, that's now called, we do overlanding. And I had a Land Rover Discovery, and I was, I wanted to make some changes to it, some modifications.
00:02:57 Tiffany Rad
And I wasn't really sure if a lot of what I was doing would be legal. So one of the things I wanted to do was I wanted to pursue how the Digital Millennium Copyright Act affected some of the security research I wanted to do on my own car. So I learned a lot through that process and modified my vehicle in ways in which would be better suited for what I was doing with it, which was off-roading.
00:03:20 Tiffany Rad
And then researching and learning about and contributing to, for example, the Right to Repair Act and other pieces of legislation that allowed security researchers and people that were modifying and repairing vehicles to be able to get access to car computers.
00:03:36 Tiffany Rad
So the embedded systems, that's one of the times in which I got very into learning about how they work, what kind of protocols, where that's one of the ways that I figured out a lot of the vulnerability research I've done over the years is researching the protocols and the standards. And here I am, I'm writing standards on a bunch of projects now for automotive cybersecurity. So that's one of the ways in which I got interested in doing this work. And I'm still doing it. I'm still doing modifications to vehicles. And it's a lot of fun. I'm in this industry because I enjoy it very much.
00:04:06 Zane Pelletier
Awesome. Yeah, no, that's a very common, I would say, kind of entry into the domain, right? Somebody has their own vehicle, maybe they have something that they want to do with it that is not intended to do originally or they're modifying it, and they get into going down the road of building their own custom firmware, you know, installing components that weren't originally supposed to be on there. And in order to do that, you need to figure out what's going on with the vehicle network. And I agree that that's probably one of the best ways that
00:04:35 Zane Pelletier
you can learn this stuff is by kind of tinkering with something that you have an ulterior motive that you're trying to get at there. So that's very interesting. And I know you've been working in this area for a very long time. So I know that you've also been doing a lot of research looking into and thinking about the idea of
00:04:55 Zane Pelletier
kind of the recent proliferation of autonomous vehicles, right? We have things like the Tesla robotaxi, right, that's starting to make its way onto the streets. Waymo is pretty well established. I think I saw that Zoox actually has some of their first vehicles rolled out recently in Vegas. You can actually take autonomous vehicles in lieu of something like Uber or Lyft, right? I guess with the proliferation of all of these autonomous vehicles that are starting to be on the road,
00:05:23 Zane Pelletier
how do you think that the, let's say, threat actor that has traditionally been working with embedded systems and maybe trying to do things like steal cars, that's one of the most, I think, common things that a threat actor is looking to do with automotive systems, either that or right, either do that or do the modifications to the vehicle similar to what you did when you first got into this. So I guess my question to you, do you foresee kind of a paradigm shift in the way
00:05:53 Zane Pelletier
these types of threat actors that target these vehicles are going to adapt their strategy, apart from what we see in a more traditional embedded environment, something that you've been working in for a while, right, doing your security research. How would you say that, you know, I guess if you had to make a prediction, I know there haven't really been any that I'm aware of, largely publicized hacks on autonomous vehicles, but yeah, I'd like to hear your thoughts on that.
00:06:20 Tiffany Rad
I enjoy doing remote access on vehicles. So with remote access, I look at a lot in the RF spectrum that's being emitted from the vehicle. And one of the attack vectors that people have done, it's been done at DEF CON, it's, you know, Black Hat, it's been very, in the car hacking village, in fact, this is done too, is taking a look at some of the, how the communication systems or navigation systems can be affected by someone looking at it from the outside in. Now, I do think with autonomous vehicles and what's up and coming,
00:06:50 Tiffany Rad
I think that there's an insider threat concern for a lot of automotive industry and even in the third-party manufacturers. If you can get something into the supply chain with an insider, that's a big concern.
00:07:02 Tiffany Rad
But also, looking at the vehicles from the outside in is something that's more of a challenge. In cybersecurity, we usually say when you have local access to something, it's a lot easier. If you're sitting in the vehicle already, a vehicle's been left, I'm thinking of this from the perspective of a car thief, been left unlocked, you know, someone, it's in someone's driveway, you can plug in to some things in the vehicles that make it a little bit easier. But when you're looking at it from the outside in, taking a look at the different encryption that's used to protect some of the ways in which the vehicle communicates
00:07:32 Tiffany Rad
with over-the-air updates. I think that this type of remote, these remote attacks, maybe with these vehicles that are autonomous, such as the robotaxi, I saw that in Vegas when I was at DEF CON recently.
00:07:46 Tiffany Rad
But it was, I think that this might be a little bit more of a shift and more remote type of work. But the insider threat in particular with a lot that's being used with AI now with the large language models and trying to, what type of, what code is going in to program these vehicles, I think that manufacturers in the automotive industry and in all industries are concerned about what kind of, what are they being used, what's the training, the training LLMs.
00:08:13 Tiffany Rad
How that's going to, it could be a threat vector that the companies are considering is bad, bad code that's going in, or code that's backdoored. And so these types of things might get missed. And in particular, if there's a great reliance upon AI, and maybe less so on the human engineers going through and reversing how these things are working, how well they're working. But I think this is a concern when it comes to the autonomous vehicles is both
00:08:42 Tiffany Rad
the remote threat and also with insider threat and organizations.
00:08:46 Zane Pelletier
Certainly, yeah. I guess that's a perfect segue. I was also going to ask you about, so this concept of how do you know what's in your software, right? You hear there's lots of...
00:08:57 Zane Pelletier
talk of SBOMs going around and figuring out how do I really know what comprises the software that actually goes into the vehicle, right? And the fact that we also have these kind of more dynamic systems that are coming into play now with the machine learning that's happening both on and off the vehicle potentially. I know that there have been some attempts to address this. There is an upcoming BIS rule from the Department of Commerce, and you know, they're
00:09:25 Zane Pelletier
looking into enforcing, and let's say also, trying to figure out where the software is coming from and what the affiliation with the organizations that are writing the software. And I would say one of the kind of biggest, most recent events that comes to mind when it comes to the supply chain and manufacturing is what happened recently with Jaguar Land Rover.
00:09:48 Zane Pelletier
So for those who are not aware, they've recently had a breach. It actually halted manufacturing for about a month after it happened. I believe it happened at the end of August. And I think that they've been down for a while, but I think that begs the question, the supply chain aspect of the automotive industry is increasingly becoming an attack factor as well.
00:10:10 Zane Pelletier
There's a lot of damage, and increasingly there's more exploitation of systems that are not related to manufacturing or automotive that proliferate to these other and threat actors that seem to move laterally through these types of systems.
00:10:24 Zane Pelletier
So I guess my question to you, what would you say that the producers of these parts, these end products, these vehicles, right, the suppliers and the OEMs, what can they do to tackle areas that aren't traditionally covered thoroughly when assessing the security posture of an embedded system, like a vehicle, right?
00:10:42 Tiffany Rad
I was reading that this is one of the most expensive cyber attacks in the history of the United Kingdom. So it was a big deal. It affected not just Jaguar Land Rover. It was also 5,000 other companies that had contracts with these, with the automotive, the OEM. And one of the concerns that all those companies had is they started laying off people because of the effects of this large hack. And a loan had to be issued from the UK government. So I've been reading up on this
00:11:11 Tiffany Rad
this attack, and some of my students are doing, in fact, at Berkeley, one of them is doing research on this for their final project in my class. It looks like it was perhaps related to industrial control systems, although there hasn't been a lot come out yet about this, about specifics of how it happened. It looked like maybe it was a two-tier type of attack, but it's a problem because with industrial control systems, a lot of these systems, they don't get updated very frequently. And I think a lot of attackers know this, and it's something
00:11:41 Tiffany Rad
that has been, researchers have, I've done some research on this too, but researchers have presentations at Black Hat and DEF CON about this for over a decade. So, but it's still a difficult problem to tackle. And for the smaller companies that are relying on this, one of the lessons I believe that's come out of this is, and I know it's a difficult one, in particular for smaller companies that make, for example, maybe just the windshield or some other parts that need to go into these vehicles,
00:12:05 Tiffany Rad
is the resilience. And it's just in time is one of the models that has been used for in Land Rover for getting these parts out there. While it's efficient from a cost perspective as well, the difficulty now is the just in time is immediately all these other companies were affected by this.
00:12:26 Tiffany Rad
So perhaps it might not be the business model that they choose to follow with in the future, but it is more cost effective when it comes to manufacturing. So this is, I think, a lesson from that, but the difficult part is the resilience with this. Like when more details come out about how this hack was done, what do they, which systems specifically did they attack? Because as of today, when we're recording this, not a lot of details have been released.
00:12:55 Tiffany Rad
Here in the United States, we have legislation that's coming up. CIRCIA is one of these pieces of legislation, which is about critical infrastructure protection. And the government in the United States wants to know, and not in days or weeks, but within hours, about
00:13:12 Tiffany Rad
whether a US company has experienced a ransomware attack or it's had a breach in their system. And one of the reasons for this is I think we can learn from what's happened in the UK is this piece of legislation is supposed to make it a little bit quicker for the US government to react to this and to notify companies that have
00:13:31 Tiffany Rad
dependencies on the company that might have been infected. And so they can get information out quicker so that companies can do some mitigation quicker, in particular if it's spreading through some of the companies that are associated with the original equipment manufacturer, the OEM. And so if it's something spreading, they can quickly decide to stop it or to shut things down.
00:13:55 Tiffany Rad
So it doesn't get, it looks like that's what the company, what Jaguar did was to stop everything for a little bit of time. Actually, it's been a lot of time in a sense for an OEM to stop manufacturing. But something similar has happened with an Asian OEM as well. That happened last year. So this is becoming more common, I think, in the automotive industry, unfortunately.
00:14:18 Zane Pelletier
Yeah, definitely. And I think you hit the nail on the head there. It's not always about, there's only so much you can do to prepare in terms of defense, right? Also coming into play here is your ability to respond and the incident response, right, aspect of things. And, I know that they came out with this, they announced it at the end of August. Who knows really how long, I don't know if they know yet how long
00:14:47 Zane Pelletier
these attackers are in their system, right? They're still probably picking up the pieces right now and trying to figure that out, and I don't even know if they know yet. Usually, I think these things take quite a bit of time, especially with something of the scale, to figure out the full ramifications and scope of exactly what happened.
00:15:04 Zane Pelletier
But I think my takeaway from what you said is, it's having a game plan. It's being able to figure out if something is happening, how quickly can we respond? How quickly can we take certain segments of our network offline or disconnect certain things so that we can keep it from spreading? And how quickly can we rebuild systems and,
00:15:24 Zane Pelletier
be able to bring back configurations as they were, or basically come back to life with the manufacturing aspect of things, as well as the traditional IT systems. Yeah, it sounds like all of that's very, very important. And there's a lot of talk about that recently, but I don't think really anyone in the automotive space has one clear cut and dry answer to that. This is what you do X, Y, and Z, and this will help you be able to respond to something such as this.
00:15:53 Zane Pelletier
But I would say those are all fantastic suggestions. And I think being able to learn from incidents like this is the most critical thing. So something like this, either doesn't happen again or the effects on other manufacturers, other OEMs in the space, can be mitigated by kind of learning from the mistakes of those that were breached before them.
00:16:15 Zane Pelletier
So, I know you've done a lot of work also with ICS systems. I know, not necessarily in manufacturing, but do you have any particular kind of takeaways for working with industrial control systems and how that might be different than embedded devices? Because I know that...
00:16:34 Zane Pelletier
Some of these systems can be tangential with the types of technologies that they use, but the protocols seem to vary wildly, right? And you mentioned that some of these systems are a lot more legacy-based and might not be updated as frequently. And I think the biggest thing that I keep in mind when thinking about ICS versus traditional automotive embedded systems is that you're kind of...
00:16:59 Zane Pelletier
inverting the CIA triad. For a lot of these manufacturers, they care a lot more about the availability of a system rather than the confidentiality and integrity of those systems, which are also important, but I would argue are placed at kind of a lower level of priority. So yeah, I'm curious to hear your thoughts on what exactly your mindset has to be when you're working with those systems and maybe some of like the differences for someone who is looking at an ICS system versus looking at
00:17:28 Zane Pelletier
like a vehicle, for instance, from a security perspective?
00:17:31 Tiffany Rad
Sure. I can explain how I looked at this from coming from looking at embedded systems and looking at accessing things remotely, such as in the radio spectrum, and then switching to an ICS project. This was a long time ago in 2011, but we anticipated it would be a lot more difficult. I guess it's one of the things that my team of four people,
00:17:53 Tiffany Rad
So we kind of set a goal. We wanted to, we knew there were vulnerabilities in these systems. We knew they were in critical infrastructure. So that's one of the reasons we chose to do a research project on this, even right at zero day. So we thought this would be hard.
00:18:06 Tiffany Rad
Harder. And in fact, it was not at all. So that's, in fact, as you mentioned, with the inverted CIA, it was like that. All you had to do was affect accessibility. And now you have a pretty critical vulnerability and exploit. And so it took our team not that long, about two weeks. And we were learning everything from ladder logic about how that worked to really delving into the program. And it was not too hard. What was a little interesting to us was
00:18:36 Tiffany Rad
when we were able to do the, find the vulnerability, do the exploitation, how many systems this actually affected. Everything from pharmaceutical manufacturing to brakes on trains, pipelines, it was everywhere. So we were a little bit shocked about that as we were doing our disclosures, responsible disclosures to manufacturers.
00:18:58 Tiffany Rad
and to the US government, talking with them about how big this was. So this was one of my team. I was the only one that had, well, actually two of us had some experience with industrial control systems, but we did think it was going to be a great deal more difficult. So that was 2011. And now you can go to DEF CON and you can go into the villages and they have one where you can do some exploitation of some of the same devices, more modern versions of it that I did
00:19:27 Tiffany Rad
a long time ago, but that goes to show that there still are vulnerabilities. And I don't know if I'd call it the low-hanging fruit anymore, because it was when we did this, and there have been a lot more design changes to how these work since then. But
00:19:42 Tiffany Rad
I still believe that this is a big concern, and it should be, because, as was, you talked about the Jaguar, the plant shutting down, and if it was, an industrial control system, specifically targeted attack, and we don't know that yet, but if it was, any company that has manufacturing and
00:20:02 Tiffany Rad
if you're making critical parts for vehicles or for military systems, things like that, it should be a lesson to be learned about what will happen if that goes down and you have to take it down or it doesn't operate anymore, what types of backup systems you might have in place.
00:20:21 Tiffany Rad
So indeed, the incident response, I think, is going to be
00:20:25 Tiffany Rad
looked at in coming years about how Jaguar and Land Rover reacted and what their incident response procedures were.
00:20:32 Tiffany Rad
So maybe my cybersecurity classes will be studying that in the next couple of years once that information.
00:20:37 Tiffany Rad
So we'll learn from these.
00:20:39 Tiffany Rad
We'll learn from these.
00:20:40 Zane Pelletier
Definitely, yeah.
00:20:42 Zane Pelletier
Yeah, completely agree there.
00:20:43 Zane Pelletier
I have heard the comparison.
00:20:46 Zane Pelletier
IT is kind of the backbone.
00:20:48 Zane Pelletier
A lot of the information technology systems that are out there is kind of the backbone of communication between all of these networks.
00:20:55 Zane Pelletier
But the OT side of things, that's what really drives the real,
00:20:59 Zane Pelletier
the real mechanical devices with heavy consequences, right?
00:21:04 Zane Pelletier
I mean, I think I'm going to have to see if I can remember this correctly, but I was reading an article about a gentleman who worked in, I think it was a Tesla manufacturing plant, and he got hit over the head with a robotic arm.
00:21:14 Zane Pelletier
I don't think that was a hacking incident.
00:21:16 Zane Pelletier
I think it was a very basic
00:21:19 Zane Pelletier
operator error when it came to those kind of sending commands to those types of devices.
00:21:23 Zane Pelletier
But there are still humans on the manufacturing floor.
00:21:27 Zane Pelletier
You know, when you think about ICS devices in trains, monorails, you know, industries such as utilities, electrical power plants, right?
00:21:35 Zane Pelletier
Those types of things.
00:21:36 Zane Pelletier
I think that there's a lot that can go wrong when you combine mechanical force and humans and
00:21:44 Zane Pelletier
networks that can be accessed remotely, right?
00:21:48 Zane Pelletier
So I think that there is a lot at stake here, and this is definitely something that I don't think there are enough people looking at currently.
00:21:56 Zane Pelletier
I talk to a lot of the people in the industry that are responsible for these things, and my feeling is that everyone is kind of trying to figure out how to approach this, and there's not enough people, I think, looking specifically at
00:22:09 Zane Pelletier
the OT side, they think that all of the problems can be fixed on the IT side.
00:22:13 Zane Pelletier
And I think there might be a more nuanced approach that's required here, to be honest.
00:22:17 Zane Pelletier
I agree.
00:22:19 Zane Pelletier
Awesome.
00:22:19 Zane Pelletier
Well, I'm actually going to shift back a little bit.
00:22:22 Zane Pelletier
I did have a question for you regarding, because I know you've talked a little bit about, you know, remote access, wireless attack vectors against, you know, in this case, I do want to bring it back to autonomous vehicles, because I think a lot of our listeners are quite interested in the security that goes into making sure that
00:22:38 Zane Pelletier
you can't take over, let's say, a robo-taxi and kidnap someone, right, and drive them across town to a location of your choosing, right?
00:22:45 Zane Pelletier
Those types of wide-scale attacks, I think, are, at this point, to my knowledge, purely fictional.
00:22:50 Zane Pelletier
We haven't seen one of those in the wild yet.
00:22:52 Zane Pelletier
But I was reading that Tesla actually reportedly requested a permit from the FCC specifically to perform radio frequency and also cellular attacks against their fleet of robo-taxis
00:23:05 Zane Pelletier
prior to the launch of them in cities.
00:23:08 Zane Pelletier
And so to my knowledge, I think this is the first time that we've seen a company request approval from the FCC, at least that I've publicly seen to conduct electronic warfare style RF testing against autonomous systems.
00:23:21 Zane Pelletier
My question to you, do you think that this is an effective testing approach that Tesla is using here?
00:23:27 Zane Pelletier
I'm hoping that they're doing other kind of security checks to make sure that, for instance, the sensors that read information and go back to the modules that are responsible for actually steering the wheel, right, acceleration, braking, that they're checking those things as well and looking at that.
00:23:43 Zane Pelletier
But yeah, I guess, do you think this is an effective testing approach?
00:23:47 Zane Pelletier
And do you think that, assuming it's being paired with thorough testing of the internal
00:23:51 Zane Pelletier
of the in-vehicle network that is present on the vehicle, that this is a good way to kind of approach this security aspect for autonomous vehicles from a high-level perspective.
00:24:02 Tiffany Rad
I think it's a great way.
00:24:03 Tiffany Rad
In fact, I'd be surprised if other manufacturers are not doing the same.
00:24:08 Tiffany Rad
I'd expect them to do this.
00:24:09 Tiffany Rad
So many years ago, I worked for a startup, and we did this.
00:24:15 Tiffany Rad
We did this on vehicles, and we did this on other types of communication devices as well.
00:24:20 Tiffany Rad
And we went through the process of getting the FCC license to be able to broadcast.
00:24:24 Tiffany Rad
Receiving is different, but when you're broadcasting,
00:24:27 Tiffany Rad
in those spectrums, you need to get licensed to do that.
00:24:31 Tiffany Rad
And we had a limited period of time.
00:24:33 Tiffany Rad
We put something in a skip, and we were, lots of companies do this.
00:24:36 Tiffany Rad
And it's very important because this is, it could be an effective way in which adversaries can disrupt autonomous vehicles.
00:24:47 Tiffany Rad
And I know that we're teaching students how to do this as well.
00:24:51 Tiffany Rad
So in safe environments that don't interfere with other types of communications, but we do this at the Cyber Auto Challenge, which I know is something that many of your organizations support.
00:25:03 Tiffany Rad
But we teach students about how can this happen is the way to describe it.
00:25:08 Tiffany Rad
And we actually, we do it.
00:25:09 Tiffany Rad
So we do it on a very small scale.
00:25:11 Tiffany Rad
We don't broadcast more than just a couple of feet, but we show them what it would look like if we were able to spoof
00:25:17 Tiffany Rad
GPS, for example.
00:25:18 Tiffany Rad
That's one of the things that we do.
00:25:20 Tiffany Rad
And it's very effective and confusing systems that rely upon this.
00:25:26 Tiffany Rad
So I am glad to see that Tesla's doing these kinds of tests.
00:25:30 Tiffany Rad
And I would expect that from a security team to know this, that this is an attack vector.
00:25:35 Tiffany Rad
But it is, as I enjoy doing research from looking at things remotely, remote access is sometimes more challenging, as I mentioned earlier, than doing local attacks on vehicles.
00:25:47 Tiffany Rad
and systems, but it does need to, it is very important.
00:25:50 Tiffany Rad
And as these vehicles are getting communications from the cellular networks and maybe even someday from satellite communications,
00:25:58 Tiffany Rad
being able to be sure that you've looked at all the attack vectors that adversaries could implement on particular vehicles being targeted, a fleet of vehicles being targeted, remote is really the place to be looking for a lot of that.
00:26:11 Tiffany Rad
So I'm glad to see this testing is being done, and I'm not surprised.
00:26:16 Tiffany Rad
It's, I think, expected when we're teaching students how to do these things, too, to protect, learn how the attacks work so they can design things to try to be more resilient to these attacks.
00:26:27 Tiffany Rad
I don't think it's ever
00:26:28 Tiffany Rad
Yeah, I don't think we're in security.
00:26:29 Tiffany Rad
I don't think it's ever possible to be impenetrable to all types of attacks.
00:26:34 Tiffany Rad
I mean, it was designed with access points, you know, things to communicate and work.
00:26:38 Tiffany Rad
There are going to be adversaries who are going to exploit those.
00:26:42 Tiffany Rad
So this is good to see.
00:26:43 Tiffany Rad
And I think many more manufacturers are doing this too.
00:26:48 Tiffany Rad
Perhaps it's not as publicized as Tesla's, but yeah, this is a good thing.
00:26:54 Zane Pelletier
Awesome.
00:26:55 Zane Pelletier
That's good to hear that
00:26:57 Zane Pelletier
you're engaging students in this at such an early age, I would say, in their careers.
00:27:02 Zane Pelletier
I think that not a lot of people have the opportunity to get exposure to that, especially, I guess, back in the day, right, before the Cyber Auto Challenge was formed, right?
00:27:11 Zane Pelletier
I think it's more difficult to do that unless you have either the ability to control your RF spectrum within a certain band, control how far you're broadcasting, communicate with the FCC potentially.
00:27:24 Zane Pelletier
The only other option is for you to get a vehicle-sized anechoic
00:27:27 Zane Pelletier
chamber, right, and get it in there.
00:27:29 Zane Pelletier
And those are very hard to come by.
00:27:30 Zane Pelletier
They're also very expensive.
00:27:32 Zane Pelletier
So yeah, I would say that that's amazing to hear that the younger professionals getting into this that are able to get that hands-on experience so early.
00:27:40 Zane Pelletier
So I know that you kind of alluded to communication with vehicles, not just over cellular, but with potentially space systems, satellite and the like, right?
00:27:50 Zane Pelletier
I know that when you presented at SCAR, you also were talking about some of the work that you're getting into when it comes to practicing security research and offensive security on space systems.
00:28:02 Zane Pelletier
I think that for me personally, and probably a lot of other people that do embedded security in a practical sense, hacking space systems is
00:28:13 Zane Pelletier
It's very, very interesting and fascinating.
00:28:16 Zane Pelletier
And it also seems very far out of reach, right?
00:28:18 Zane Pelletier
It kind of seems like more of a sci-fi type of security research that is somewhat unattainable, right?
00:28:26 Zane Pelletier
But I think recently it's become more tangible, right?
00:28:29 Zane Pelletier
We've seen events such as like HackASat at DEF CON for the last few years.
00:28:33 Zane Pelletier
I know that there are a lot of satellite hacking groups that are kind of getting into this, both from ground systems and then also looking at the electronics that we're
00:28:43 Zane Pelletier
actually shipping into the outer atmosphere, right?
00:28:48 Zane Pelletier
I guess my question to you for this would be for anyone who is interested in or looking to do security research in that area, what kind of skill sets would you recommend for anybody who's trying to break into that, into aerospace offensive security?
00:29:06 Zane Pelletier
I have heard that a lot of space systems like use either CAN or automotive Ethernet, right, two-wire protocols because
00:29:12 Zane Pelletier
But when you're launching stuff into space, every gram counts, right?
00:29:17 Zane Pelletier
And having less copper in the networks that are actually connecting the components or even the boards, the chips on the boards that they're sending up can matter.
00:29:26 Zane Pelletier
So do you think that having a skill set such as being able to hack cars, do car hacking and working with vehicles can translate effectively to looking at embedded space systems?
00:29:37 Tiffany Rad
I absolutely do.
00:29:39 Tiffany Rad
And I'm glad you asked this question because the Cyber Auto Challenge has other challenges as well.
00:29:44 Tiffany Rad
They have one called Drone.
00:29:46 Tiffany Rad
And that's one where you take a look at, as I mentioned, GPS spoofing.
00:29:50 Tiffany Rad
What can you do to change the operation of a drone?
00:29:54 Tiffany Rad
And these are pretty big drones.
00:29:56 Tiffany Rad
These aren't little toy drones that you can buy.
00:29:58 Tiffany Rad
These are very large commercial ones as well.
00:30:01 Tiffany Rad
And so
00:30:03 Tiffany Rad
These challenges are great.
00:30:04 Tiffany Rad
So if you're a student and you're listening to this, check out the Cyber Auto Challenge, the Drone Challenge, and I'm working on helping them get one for space coming up pretty soon.
00:30:12 Tiffany Rad
We're hoping in the next couple of years, although.
00:30:15 Tiffany Rad
Now is the time to be learning about space systems.
00:30:18 Tiffany Rad
That industry is growing significantly.
00:30:21 Tiffany Rad
When I first started in automotive cybersecurity, I was early, I think, on the scene, a little more than 20 years ago, actually, at this point.
00:30:29 Tiffany Rad
And I remember going to a conference.
00:30:31 Tiffany Rad
I was working with someone.
00:30:32 Tiffany Rad
We gave a presentation at DEF CON.
00:30:34 Tiffany Rad
This is a very large conference.
00:30:35 Tiffany Rad
We had only three people there.
00:30:37 Tiffany Rad
And one of the questions we got is, who cares about securing cars?
00:30:43 Tiffany Rad
Who cares about learning about the networks and the embedded systems?
00:30:46 Tiffany Rad
Well, here we are many years later, and now we have the village at DEF CON where you can go try these things out.
00:30:52 Tiffany Rad
So if you're interested in learning about space systems, I would say if you're a student, check out the CyberAuto Challenge, the Truck Challenge.
00:30:59 Tiffany Rad
There's one for tractors and drone.
00:31:01 Tiffany Rad
And they're coming up with one for critical infrastructure too, which will include ICS, Industrial Control Systems.
00:31:08 Tiffany Rad
All of these things will be useful if you want to work in space, cybersecurity, that kind of thing.
00:31:13 Tiffany Rad
Again, you'd be very early in the field.
00:31:15 Tiffany Rad
I know there's some people that do this now.
00:31:17 Tiffany Rad
It's still a little bit early.
00:31:19 Tiffany Rad
But that's a good time to get in and a good time to learn about these systems.
00:31:22 Tiffany Rad
And the way you can do that is automotive, as you mentioned, is very similar.
00:31:26 Tiffany Rad
So that's where I'm taking some expertise and thinking about this.
00:31:31 Tiffany Rad
about how that can be transferred over to space systems and space system cybersecurity.
00:31:37 Tiffany Rad
They face some pretty big challenges, too.
00:31:40 Tiffany Rad
There's a race now to get to the moon.
00:31:42 Tiffany Rad
And this week in particular, there has been some discussion about maybe the US will not be the first to get there.
00:31:49 Tiffany Rad
It's going to be really close between the US and China.
00:31:52 Tiffany Rad
And there's some concerns about this.
00:31:55 Tiffany Rad
And I don't think this is just like an ego type of, well, we need to get there first.
00:31:59 Tiffany Rad
There are resources on the moon.
00:32:01 Tiffany Rad
And the way a lot of the treaties work right now is if your country or your private company can get there, you can mine it.
00:32:08 Tiffany Rad
And it's going to change.
00:32:09 Tiffany Rad
It's really going to change the way that we look at industry moving off this planet to the moon and to Mars eventually.
00:32:18 Tiffany Rad
So the concern is not just first to get there, but the resources.
00:32:21 Tiffany Rad
And some of these resources are quite valuable here on Earth as well.
00:32:25 Tiffany Rad
So I do believe that there's an adversarial concern about insider threat is a big deal for these space companies as well.
00:32:33 Tiffany Rad
So concerns about, you know, just theoretically, if a country could set back another by even six months to a year, that country may not be the first one to get to the moon and to send miners to the moon.
00:32:45 Tiffany Rad
So private companies, not just NASA,
00:32:48 Tiffany Rad
have to, are concerned about this.
00:32:50 Tiffany Rad
So it's a security concern, but I do think cybersecurity is one of those as well, because one of these systems failing, not only could it be concern for life, for astronauts that are working and living in space, but it's also a concern for the vehicles, the launch vehicles, the rockets, and making sure that
00:33:10 Tiffany Rad
all the code that they put in is what they intended.
00:33:14 Tiffany Rad
Again, I'm concerned also about a lot of AI being used for these systems potentially and what is going into the things that make it to production.
00:33:23 Tiffany Rad
And do you know about everything that's in there and how it functions?
00:33:27 Tiffany Rad
So cybersecurity is going to be very big for space systems.
00:33:31 Tiffany Rad
It is now.
00:33:32 Tiffany Rad
I mean, look how quickly these systems are going.
00:33:34 Tiffany Rad
I mean,
00:33:35 Tiffany Rad
I'm heading down to Florida this week, actually, to speak at a conference at Kennedy.
00:33:40 Tiffany Rad
And I'm talking about cybersecurity and education for space systems.
00:33:45 Tiffany Rad
So it's an education conference where a lot of university and even high school instructors are there learning about changing your curriculum, different types of resources we can use, and even putting up CubeSats so students can do something like HackASat outside of DEF CON.
00:34:01 Tiffany Rad
And university is putting these up for a hackable satellite.
00:34:04 Tiffany Rad
So I'm going to be pitching that
00:34:06 Tiffany Rad
this weekend at the conference.
00:34:07 Tiffany Rad
But one of the importance of doing this is being sure that our critical infrastructure is protected.
00:34:14 Tiffany Rad
And I do believe that this should be considered, it is considered part of this as our critical infrastructure as the United States is putting great private resources and government resources into science and exploration and also mining and is going to be a pretty big business
00:34:32 Tiffany Rad
in the future off of Earth.
00:34:34 Tiffany Rad
So I've gotten interested in this.
00:34:36 Tiffany Rad
So because of, I've always had an interest in this field.
00:34:41 Tiffany Rad
But when I realized how similar the embedded systems and the networks are, I realized this is great.
00:34:47 Tiffany Rad
This is my chance to pivot to a little bit.
00:34:50 Tiffany Rad
I'm not pivoting out of automotive, but doing a little bit of a pivot to learning a lot more about these systems and creating a curriculum that I'm going to offer to the two universities at which I teach
00:34:59 Tiffany Rad
and other universities as well, but a cybersecurity for space systems.
00:35:03 Tiffany Rad
And we're going to be covering policy and law because I did this with automotive as well, is learning how far you can go with some types of research before you're either breaking criminal laws and understanding the policies associated with accessing systems, I think is important for when you're doing cybersecurity research or creating products for defense.
00:35:23 Zane Pelletier
Wow, it almost makes me want to go back to school just so I can take that class.
00:35:28 Zane Pelletier
That's
00:35:29 Zane Pelletier
I would sign up for that in a heartbeat.
00:35:31 Zane Pelletier
That's amazing.
00:35:33 Zane Pelletier
Well, that's...
00:35:34 Tiffany Rad
Excellent.
00:35:34 Tiffany Rad
Well, we might have a Cyber Auto Challenge, something like that, but for a space challenge coming up.
00:35:39 Tiffany Rad
And so students, even on the graduate level, will get an opportunity to test some of these systems for free.
00:35:46 Tiffany Rad
That's the way the challenges work.
00:35:47 Tiffany Rad
You just got to get yourself to the location.
00:35:49 Tiffany Rad
And then it's a week of free, about like 12 hours a day of classes and then two days of hands-on.
00:35:55 Tiffany Rad
That's a big part of the program is hands-on hacking of these systems.
00:35:59 Tiffany Rad
And then at the end, you do a presentation on how you would recommend how the remediations might work.
00:36:04 Tiffany Rad
How would you design this differently, better to protect what you just exploited?
00:36:08 Tiffany Rad
So it's very exciting.
00:36:10 Tiffany Rad
Fantastic model for learning.
00:36:11 Zane Pelletier
Yeah, amazing.
00:36:12 Zane Pelletier
Just for general knowledge, I guess, is this, where physically is the drone challenge located?
00:36:17 Zane Pelletier
Is that also going to be in the same location or are they kind of dispersed?
00:36:22 Tiffany Rad
This is in a different location.
00:36:24 Tiffany Rad
The past two years, it's been in Michigan, but it's been on a military base.
00:36:29 Tiffany Rad
So I don't know about the plans for the future, but the last two were on a base and you're able to work on military components on that facility.
00:36:39 Tiffany Rad
So really, I mean, for a civilian, these are great opportunities that you don't often get.
00:36:46 Tiffany Rad
So Carl Heimer and his team have put together, and I was involved in the very first, like the planning of the Cyber Auto
00:36:52 Tiffany Rad
Challenge in 2012.
00:36:55 Tiffany Rad
But the team has really worked to create a very unique opportunity.
00:37:00 Tiffany Rad
We can't take as many students as we'd like to, but there are four or five challenges now that you can attend over the summers when school is out.
00:37:08 Tiffany Rad
So if you're a student, check out the Cyber Auto Challenge.
00:37:12 Tiffany Rad
And then if you're interested in trucks, that's one I'm looking at doing next summer.
00:37:17 Tiffany Rad
Those are part of critical infrastructure too.
00:37:19 Tiffany Rad
Very interesting program.
00:37:20 Zane Pelletier
Amazing.
00:37:21 Zane Pelletier
Wow.
00:37:21 Zane Pelletier
These are all fantastic opportunities.
00:37:23 Zane Pelletier
So yeah, for any of you listening who are students or looking to get into these types of things, I highly recommend checking that out.
00:37:31 Zane Pelletier
That's a, you know, I think this is one of the best opportunities out there to be able to get exposure to something like this.
00:37:38 Zane Pelletier
And these, you know, like you were saying, Tiffany,
00:37:42 Zane Pelletier
space systems, critical infrastructure, none of this is going away anytime soon, right?
00:37:49 Zane Pelletier
Even from a perspective of really, really interesting protocols and also equipment that you can get your hands on and start looking at how to break stuff.
00:37:58 Zane Pelletier
This is really, really an interesting area to be in.
00:38:02 Zane Pelletier
And I think over the next few years, we're going to see some really cool research being done and also probably some scary
00:38:10 Zane Pelletier
incidents happening, because like you said, I mean, you can try your best, but there's never going to be a complete 100% guaranteed security posture for any of these things.
00:38:21 Zane Pelletier
So it really is an evolving battle, I think, on both sides.
00:38:26 Zane Pelletier
Well, thank you so much, Tiffany, for being with us today.
00:38:29 Zane Pelletier
I really appreciate the good conversation.
00:38:30 Zane Pelletier
I mean, we covered so much.
00:38:31 Zane Pelletier
We talked about vehicle hacking, actually doing testing against autonomous vehicles.
00:38:37 Zane Pelletier
We've talked about critical infrastructure, space systems, manufacturing, right?
00:38:42 Zane Pelletier
So thank you so much for being here.
00:38:43 Zane Pelletier
Do you have any closing thoughts that you have?
00:38:45 Zane Pelletier
Anything else that you wanted to share with us and our listeners?
00:38:49 Tiffany Rad
I just want to say thank you very much for having me.
00:38:51 Tiffany Rad
And I enjoy talking about these topics.
00:38:53 Tiffany Rad
And it's an ever-evolving field, as you mentioned.
00:38:57 Tiffany Rad
And there are a lot of job opportunities in this field, despite or even including AI.
00:39:03 Tiffany Rad
So I do think that this industry is still going to continue to grow.
00:39:07 Tiffany Rad
So thank you very much for having me.
00:39:09 Zane Pelletier
Yeah, of course.
00:39:09 Zane Pelletier
Of course.
00:39:10 Zane Pelletier
Thank you so much for being here.
00:39:12 Zane Pelletier
Well, to everybody listening, thank you so much for tuning in to this episode of Empowering Tomorrow's Automotive Software Podcast.
00:39:18 Zane Pelletier
We certainly hope that you found our discussion insightful and valuable.
00:39:23 Zane Pelletier
If you've enjoyed today's episode, don't forget to subscribe on Spotify, Apple Music, or wherever you get your podcasts.
00:39:28 Zane Pelletier
Feel free to share this episode with your network and leave us a review.
00:39:31 Zane Pelletier
We'd love to hear your feedback.
00:39:33 Zane Pelletier
This concludes our episode.
00:39:35 Zane Pelletier
Please check in again for another one soon.
00:39:40 Voiceover
Thank you for joining this episode of the Empowering Tomorrow's Automotive Software podcast.
00:39:45 Voiceover
Please leave a comment or review with your feedback
00:39:48 Voiceover
or what you'd like to hear in future episodes.
00:39:50 Voiceover
To learn more about Automotive Embedded Systems and ETAS's capabilities, visit our website at ETAS.
00:39:56 Voiceover
That's ETAS.com.