AAH #688 - Cybersecurity Is A Bigger Problem Than You Realize
Annotations will appear as you listen
0:00
63:10
LIVE
I'll online After Hours is brought to you by bridge Stone Tires Solutions for your journey, Gary John, how are you. I'm not sure I'm doing so
good because I think the first half of the show is going to scare us.
Yeah. I was going to say that we should be doing this around
Halloween because I agree one hundred percent with you. You know, they say
there's two kinds of people, those who have suffered a cyber security hack and those who will, and so we're going to learn about that from Jason Masker, who's the director of solutions Architecture at Upstream Security. Welcome to the show,
Thank you, thank you to be here. And we've got our friend
Mike Austin from guide House Insights. Glad to be back. How you been
doing well? Yeah? Good, good? All right. So I want
to start out with a scary thing. So, so you work for this
company that does cybersecurity software, and you guys recently put out a report looking at the landscape, and I want to read this from the report. And
if this doesn't scare people who are listening, I don't know what would.
Okay. In March twenty oh three, a team of French security researchers participating
in a hacking contest demonstrated an exploit that involved executing what is known as a time check to time of use attack on an ev OEM's Gateway energy management system that allowed them to remotely perform actions e g. Opened the front trunk or
door while the car was in motion. Despite the OEM's claims that this was
not possible, the researchers claim they could have remotely gained access to vehicle controls.
The researchers were rewarded by the OM with an EV and one hundred thousand dollars in cash, So I have a feeling that they probably were able to get access. So I mean, how is this possible? So obviously,
you know, the focus on as the technology evolves is always on the convenience, right on the ecosystem, on the things we can do, the things that cars are doing. Oh my gosh, I can I can take my
attention from the road a little bit. It's it's almost driving itself, you
know, these types of things. But the more connected things are, the
more surface area there is that's that's exposed, and the more potential there is there is for harm, So the more need there is for security and protection around those those elements. So when you say surface area, tell tell us
what you mean by that. It doesn't mean like sheet metal, right,
yeah, yeah, No, I think about surface area as you know, Upstream has this way of viewing it is in three different layers. You have
everything that's on the vehicle and all the technology that's involved in the vehicle.
Well, of course that's communicating up to the cloud somewhere on things like telemat X thing, you know, just there's updates coming down from the cloud to that vehicle. And there's also this other layer of APIs of where we have
applications on our phones, right that can remote start our vehicle in the winter it's very convenient, or or monitor how the battery is charging in the case of an EV. So that's what I mean by surface area. Every single
one of those elements that we add is sort of a new point that could be potentially exploited or attacked. So how many attacks take place? I mean,
and let's just talk about the automotive industry in fact, you know, since we're in the Detroit area, just focus on the Detroit area. How
many cyber attacks are there every single day? So what's what's interesting is is
in this report, you know, when we look at and we look at what's really different from reports in the past, it's it's the impact that's that's kind of staggering. I think, I think what we saw. You know,
we got started relatively early at upstream on this and and so we've been a part of this ecosystem and communicating like the new you know, what's what's going on, how's this how's this uh environment looking? And initially it was
it was a lot of researchers getting interested, right and trying different things.
Hey, can we drive a jeep Cherokee off the road? Can we do
that? Can we do this? Can we do that? In experimenting And
I think now what we've seen is that when you look at the report, more significant than the number that are happening is the impact. So I think
in this report, fifty percent of attacks that we see have the potential to impact thousands or millions of vehicles versus maybe more like twenty percent a few years ago or in the last couple of years when we're pushing this report. So
when you think about that, it's just kind of a tipping point there where Okay, now these attacks are getting very serious. So it's not so much
how many of them you have, it's that what's the potential impact that won the wrong one could have with the wrong intent and the wrong vulnerabilities and sort of that perfect storm of impact. Right, So if the attacks are getting
more intense and more impactful, that means the bad guys, the black hats, are getting better and better at this. Who are they? I mean,
who's launching all these attacks? Yeah, I mean there's all sorts of
incentive and and and that's probably the most diverse thing that we see right as the incentive. It can be anyway. It's car enthusiasts. Some people just
want their cars to go faster, right, and and who's who's keeping them back? They're gonna they're gonna hack their car to make it go faster.
There's there's fraud, obviously, there's there's insurance warranty fraud, things like that that are that are incentives, uh to make these attacks. And then there's
unfortunately the political landscape and actual what you know, some of them when you think about impacting thousands or millions of vehicles can become national security at a certain scale. Right. So there's there's all sorts of motives, all sorts of
uh kind of forces in play. And I think what's what the real lesson
is here is is now this has the attention, it's out there. It's
more than an experiment with a few niche security researchers, right, uh, and now the impact is is significant. So I've heard there's essentially three kinds
of black hats. There's the people who are doing it just for fun,
they want to be able to hack in and tell all their friends they were able to do it. Then there's people who were in it for money,
like you were talking insurance fraud and the like. And then there's state actors
governments that are doing it. Are you seeing state actors actively attacking the automotive
industry, cars or the companies? Yeah, I mean there's definitely. So
we do by the way, security around not just the automotive vehicles, but we're kind of in that entire IoT secure mobility space. So we'll we secure
the eb chargers, we secure the pretty much anything you can imagine mobility connected.
We have a aaim on securing that. So definitely we did see an
upswing, for example, with the wars with the Ukraine Russia, things going on in Russia or in Ukraine with these things that are impactful, right, So there's definitely some state sponsor, and there's things that factor into the national kind of conflicts that are going on. Okay, So you guys discovered ninety
five percent attacks are executed remotely and eighty five percent of them are long range.
So does this mean like some dude sitting in his basement and he's packing something on the other side of the country or the other side of the world, or yeah, I mean, basically, I think what we're trying to underscore there is the significance of kind of what we've done when we started with the idea of okay, it makes sense, right, give everybody an iPhone app or an Android app that can start their car, and why should we worry about if the radio is in range if there's a big piece of concrete
in between me and the car. You know, it makes perfect sense.
But when you take that on the flip side, it means that attacking those surfaces has no limit on range either. No longer are we worried about if
somebody's in radio range when we're unlocking on our car to copy the code.
Right, it's a whole different type of attack where it doesn't really matter where this attack is being launched from, it can still be successful. That's that's
just the reality of the way kind of the technologies were so just different.
Different type of technology requires different type of protections, and that's that's what we're here to do. So in terms of you're talking about the volume, but
in terms of severity, is there any trend on you know, these are attacks that are just you know, messing with people opening their trunks or maybe trying to steal personal identify information, or bricking the radio or even further to like disrupting you know ECU or critical system so that the car will see that error not move, Like, is there any trend in terms of the severity of the types of attacks or yeah, So I think I think one of the things in the report is that that acknowledgment of the potential impact isn't even
saying that the impact was that right, it's actually saying that whole you know, they got through this store if they really wanted to, this is the exposure that that could be. Because it's interesting you bring up, you know,
are they just unlocking doors or opening trunks. We do as part of
our VSACK monitoring and and part of our platform, we monitor things like that and have a distinction between things that are benign. You know, if cars
driving the road and you get an unlocked signal, doesn't make much sense, But just one by itself probably isn't a problem. Could be just a kid
in the back with the with the dongle, right. But when you start
to see that and it's a certain area, a certain model, a certain type of vehicle, now we raise an alert and we have you know, a security analyst kind of actively looking at that because maybe this is just the just the beginnings of you know, I'm doing some research here to see what I can impact before I go and do something a lot more damaging. When
you say VSACK, what do you mean, so VSACK, I should buy so sock. I think most people on the technology side would be familiar with
security Operation center we pine O, or the concept of a vehicle security operations center, and that's really just recognizing that there is expertise in the mobility space.
There's a certain level. It's a little bit different than just securing emails,
securing networks that we find on the IT side, we're securing a pretty heavy vehicle that could be moving down the road at a pretty fast paced right and there's all kinds of logistical things and just domain knowledge that goes into that.
So we provide a service, a managed VSOC to our customers that can range anything from what we completely manage that VSOC to we cooperate that with their security operations or do it in a build operate transfer transfer on model. So
you have a room somewhere full of screens and you're just like watching all these things happen, or yeah, absolutely, we have a couple of rooms like that. We've got we've got one over here in ann Arbor, and we've
we've got one over in near Tel Aviv, Israel. So round the clock,
you know, follow the sun kind of coverage for that sort of monitoring, and then also the ability to shift operations to less publicly known sites when we need to to keep things running. But yeah, yeah, absolutely this
kind of monitoring because there's people in process that become part of it too and understanding the significance of something that's happening. Now. Jason, how would you
write the automakers then, in terms of hardening their vehicles from from cyber attacks?
I mean they've been added for well over a decade. Now are they
getting better at it or what are your things? Yeah? Absolutely, I
think I think when you look at some of the initial you know, kind of eye opening attacks, they were relatively primitive. I mean it was it
was sort of a nobody was looking here before and now, okay, we've got to do some things to secure this. So absolutely, the sophistication is
increasing, but I think with you know, the challenge that we're trying to meet now is that the sophistication of the attacks is also increasing. So we're
all seeing you know, AI and generative AI impact across the board. It's
absolutely we're seeing that intach the attackers as well, and it's it's more trivial than ever to take take a vulnerability and take that to an exploit, take that to a jail break, take that to a targeted attack than it ever was before. So I think that's uh, you know, even even though
we can say that the defense game is increasing, sort of the pace of the whole arms race is increasing. So when when you mentioned AI, you
know, I think a lot of people think about chat, GPT and similar things like that, where they might be making up facts whole cloth, or you know, making a sentence that sounds correct but isn't in your case, I assume that's probably a little different. Maybe machine learning is a is a
better word for it. But can you explain how, how and why AI
in your case is a specific solution that's not going to like I said, make things up whole cloth, or like you know, have be fed bad inputs and then you know, come out with bad data on the other side.
Yeah, yeah, absolutely. I So when when specifically, when we're
thinking about the AI impact on the attackers, what we're concerned about is the generative capability. And the easiest way I can explain this is in the same
way you can, you know, now go to Microsoft or go to chat GPT right and type a paragraph description of an image you want to see, and it just draws it for you. Now, attackers are able to say,
okay, well, this is an interesting vulnerability or bug in the code.
Can you take this and adapt it to this specific model vehicle or this specific and those prompts and sort of that adaption. We do see it as
an accelerator. It is, it suffers from some of the same things that
it's It may not be perfect or it may be have but we're definitely seeing an impact of how that accelerates the adaption. And that's really you know,
bugs are announced all the time. It's the time to take that bug and
make an exploit. Then to make an exploit that I can do something with,
and then to make an exploit that I can impact a lot with.
Those are all the times that are shortening. I think with the generative aim,
you're using AI in a similar like on your side as well, right, yeah, absolutely in the product, so our you know, what are you going to do this is you know, you can't put a genie back into bottle. AI is here to stay, right, So we have a
strategy of matching agility with agility. If this is adding agility to the attackers,
we certainly want to take and give the security analysts some of that agility in their toolbox. So what we've developed is Ocean is our AI interface that
we've begun rolling out in our productice year with several customers in Beata, and we'll continue rolling it out throughout the product. But this is just a simple
human language interface that's all about taking all of the insights, all the alerting, everything that our platform is observing and seeing and making that accessible through sort of a human dialogue interface so that you can just ask a question, Hey, what are there any trends in the attacks we've been seeing? Uh?
This makes it you know, it takes sort of the siloed skill set of the security analysts or the data analysts and sort of relaxes that requirement. So
maybe the manager can ask a question or or the executives can't ask a question and get a straight answer out of out of the data ocean. AI then
is something that an OEM would buy. I mean it wouldn't be in Yeah,
this can car that he wouldn't be talking to. Yeah, So necessari
this is definitely a B two B not necessarily a consumer facing technology, but this is uh, this is our feature in the the upscreen uh cybersecurity product that yes, that the OEMs, the the autos would would then use in their in their security operations to interface and understand the threat landscape. You mentioned
trends. What are some of the trends that you're seeing? Uh? Yeah,
I mean they they they they vary all the time, right. So
the biggest the biggest things in the in the report is that that impact of just just the realization that, look, these are not necessarily local attacks anymore, makes it much more of a tool in the box for those those kind of state actors or or political agendas out there that hey, this isn't in my backyard. It's not where I live, right, so if I create
chaos over here, it's it's not as much of a concern. And then
and then the concerns of the impact, the concerns that you know, where it's not so much as I got a door code for one vehicle anymore, as you know, the codes I'm unlocking or the things I'm the security mechanisms I'm defeating unlock a thousand vehicles or a million vehicles, And what is the potential of that impact? So that's that's that's some of what's what's heavy on
our mind in upscaling the agility. So, I mean, is this something
that somebody gets the code and basically it's for you know, model XYZ vehicle, and there's lots of Model x y Z vehicles out on the road, and somebody would basically be able to say, this will be funny, I'll open all the doors on all the Model x y Z vehicles. I mean,
is that how about I pop all the trunks and everybody just looks off across an ocean of trunks popped in the parking letter. Or worse, what
if you brick every car on the four to ZHO five in Los Angeles and bring the city to a screeching halt. Well, certainly I think that.
I think that's the other thing that that we all get concerned that there was a Netflix film with some type that was you know, Tesla's piling into it, and so absolutely the I mean we've seen these types of attacks carried it out. Now the specifics change, right, the legist maybe it wasn't a
self driving Tesla, but it certainly was a taxi app that humans were following the instructions of and it certainly overwhelmed the city in Russia right when they're they built all the taxies to one location at the same time. Absolutely, and
so these things can be absolutely devastating to infrastructure to you know, you think about emergency services trying to get through there, things like that, right, they absolutely have significant impact. In fact, I think there was another one
in Russia again, I think between Moscow and Saint Petersburg where they shut down every EV charging state the EV's, yeah, and put put very unflattering statements about putin and and everything else on there. Right, So so it can
and then the way that the attacks are carried out, they tend to range like that from the benign. Now, this is going to be funny.
Somebody's going to laugh at this. To things that get us worries about EV's.
They're connected to the grid, right, and we know, you know, the grid cannot handle significant power surges. So the idea that these systems
are all connected and somebody could potentially fire them all up at once and cause greater problems on the electrical grid, you know, those types of things are in our mind as well. For sure. What about beyond vehicles then,
I mean, I got to believe all these companies are fending off all kinds of attacks on financial systems, purchasing systems. I don't know even what else
that could be. It's interesting. So we're starting in the areas of API
and IoT where we've realized that in specializing specifically on vehicles, you know, in a vehicle, in a lot of ways, you have the most complicated IoT device on the planet, right, it can't get more complicated. This
thing drives, it goes, you know, it can go one hundred miles an hour, it can self drive, it can do sort of all the stuff. Right, So we are securing a lot more IoT camera type companies
and devices. You think about drone companies, even thinking about specialized fleets and
specialized types of vehicles and operations, right Like you've got farm and mining equipment, and you know, we've all got our garbage pickup and things like that that have specialized equipment on the vehicles that are also connected and monitored and understood.
So so yeah, I think I think this this does, this trend does absolutely extend to those things you kind of think about this the sort of swarm capability of well what if I hack one, I heck them all?
It definitely applies to that IoT space in general. Is there any solution to
any of this on the horizon? I remember talking to a naval intelligence guy
who seemed to be suggesting that maybe nano computing could take care of this.
I mean, is that dreaming or is it realistic? Yeah? I mean
there's there's a there's a lot of different ways that this problem is being attached.
One of the biggest I think is in the shift left movement of we're going to make the programming language is more secure by default. We're going to
code things and build things that are just secure by default. That security is
thought through, and we like to think that the upstream platform helps quite a bit with that, right because we can see what's going on now, we can absolutely take action and mitigate that as we see it, and we can be you know, a stop gap while we kind of red circle these problems and give the OEMs the opportunity to shift left and have those dev cycles to go, go, make the code more secure, push out the OTA updates.
Tell us about upstream. What do you guys do? I mean,
I love the name upstream. I guess that's because you're catching things upstream.
Yeah. Yeah, So we specialize in that secure mobility space, and we
do that primarily. Our secret sauce or our key innovation is in building a
digital twin. So we sit at a point of observation where we can see
every remote command that's issued to a vehicle, as an example, every bit of telemetry that comes up from that vehicle. We can see everything that consumer
is doing in the app through the APIs, and we see all of that together, and we build these digital twins of the vehicle then specific to the vehicle, and also the massive computing power to track. I mean there's millions
and millions and millions of vehicles out there, right, can you track them all? Yeah? I mean we were trying over over twenty five million vehicles
on the upstream platform today that we monitor is roughly roughly ten percent of the connected vehicle market out there today. That's that's that's monitored through the platform.
So yeah, absolutely, we're trying. So every one of these vehicles is
being monitored in real time by you guys. Absolutely, yeah, yeah,
And can you like so let's say let's say the three of us have the same vehicle and it's being monitored, but John has just downloaded something to his phone from some site and he uploads it to his vehicle, and Mike and I are straight arrows and we don't have that problem. Are you going to
be able to see his car in our cars and know that his car's got the problem? Yeah? Absolutely, because we have we would have a digital
twin of each of your unique cars. Do you have a digital twin by
then? Yeah? Yeah, absolutely, by then, So that's a good.
So that's how you keep them all straight from you know, separate from Yeah, absolutely absolutely by the individual vehicle. So we would see that somethings
awry with his vehicle and that that you'reors are doing just fine. But the
same technology lets us also see, you know, the more significant impact of Okay, somebody's targeting a specific version of code on a vehicle, specific make and model. We're starting to see this impact across the fleet. So we
absolutely have that distinction and would raise that to the security analyst. Can you
inoculate those vehicles against whatever this bad stuff is? Yeah? I mean,
so the key way that that's done today is with the OEM's pushing pushing OTA updates to the vehicles. But we have a lot of partnerships we're discussing with
onboard technology to tighten that up and just make that even even more streamlined and routine. But yeah, absolutely, And this is what I mean when I
say we support that shift left right, is that we can be the stop gap. We can trigger some mitigations that they can take and maybe they have
the vehicle sending and receiving less or do some things to mitigate that while they update the code and are able to push those updates to make it more secure.
I know you're tracking this for cybersecurity, but I see huge potential in terms of monitoring a vehicle with a digital twin to anticipate potential problems that might affect warranty or recalls. Have you listened to that? So it's yeah,
absolutely, so recalls. It turns out that you know, you don't want
to recall at all costs, but if it's inevitable, if you're going to have a recall, it turns out that the best thing you can do is do that is early, and and and with as much information as you can have. So we absolutely are working with some of the OEMs on quality and
and those because when you're seeing all these signals, all the telemetry, everything else, obviously you make a lot more observations than just cybersecurity, right, So so we're going into those realms, into the realms of fraud. You
know, We've we've got the land of auto shops here in Detroit, right and not all of them are are OEM auto shops or deal the shops, that's right, And so so yeah, it's it's very interesting when you see things like like maybe mileage rollbacks and now and auto is going and having a transmission replaced under warranty. That's a big, big fraud kind of claim.
Right, So we absolutely see branching out. Let's go into because what you're
talking about is a car is out of warranty, somebody's transmission craps out, so they go to one of these shops and nefarious shops, they do digitally roll back the adometer looks like the cars under warranty, and they go get new transmission. Right yeah, and that just that just costs the OEM.
Right, so the more they can see and then I get back to my favorite, just the go fast market, right that these guys just went their cars to go. Well maybe they did make their car go faster, and
they did some sort of damage doing that. Well that probably shouldn't be an
OEM repair either, right, So things like that you see even you know, I think as cars evolve, it's it's much much more software defined.
We've seen that with Tesla, We're seeing that with with Blue Crews and fort Whether you have more of these like subscription style features that are going to become available on our vehicles. And as that trend continues, it becomes more important
to the OEMs to monitor you know, who's using these things without paying for them, right, So, yeah, we can observe all those types of things as well. So you have all of this data that you're collecting.
You know, you're saying where cars are, what, you know, what their current state is. The said twenty five million. This has been in
the news recently with automakers selling some of that data, much like cell phone companies do, and in general we've seen reports, you know, the user agreements with the automotive stuff is pretty gives them a lot of leeway. Are
you guys doing anything with that? You know, you say, okay,
we can, like like a lot of companies, you're saying, we can anonymize this and maybe you know, make some money from advertisers. Yeah,
yeah, so we we we have stayed out of the data ownership for now.
So for now, we make all the tooling and we bring the expertise, the mobility domain expertise for the operations component of that. But for the
most part, all of the OEMs, you know, will deploy into their automotive clouds, so they still own and they still control all of the data.
And we have had this because we do have a few insurance companies we work with, and every once in a while we get caught in the middle of somebody asking for someone else's data, and this is you know, you guys have to talk kind of thing. So but yeah, absolutely that as
that ecosystem evolves, you know, data and the gathering of data, the requirements for all that and what it can be used for that obviously, we've seen that grow over time, and we just try to support it. You
know, we're fully from a compliance perspective internationally, we're fully GDPR compliant, can support all of these you know, data management and control facilities that are required there. So we just try to support it in the in the best
way possible, realizing that none of the data ultimately is ours. We're the
protectors of the data. So if you're mad at someone selling your data,
we didn't sell your data. All right. Let me ask you a very
simple question. Okay, so what is it that individuals can do to protect
themselves from having their vehicles cyber attacked? Or can they do anything? You
know? The biggest thing I think about individuals is I just thought about this
the other day, because we you know, you swap out a lease you drive the car home, and you got certain things that are you know, my wife always wants the dark background for ex. You know, you have
the things you're changing. Well, one of those things these days is to
connect it to your home Wi Fi so that it can receive those updates.
And I would say that with these trends, and you guys you might agree now that this is probably more important than ever, go ahead and make that connection. You're probably you know, allowing the car to at least update itself
is probably better to have the latest software than stuff that's behind that. The
problem is there's a reason for those updates, right, So but maybe you should go and update your your password into your home router. Yeah, go
to the real strike. I mean, I mean, obviously making sure your
home now is here is a factor too. Or if you're very paranoid,
hey maybe just connected to Wi Fi once a month and check for updates and update to manually. Then. But that's uh. But yeah, I would
say, I would say, you know, we have to start thinking different the same way. I mean, I think everybody now we've kind of drilled
it in to the population, right, Windows updates are important. You got
to do that everyone, So while if you don't, oh my gosh, you're just asking for trouble. Well, we got to carry that on now
to to our more sophisticated technology in our in our vehicles. Obviously, you
know, safety is a concern when we're uh, when we're relying on these things to transport us and our families, so so we we want to make sure that those things are probably as critical as as Windows updates in some cases.
Right. Well, good, well, we're wrapping up this segment.
But Jason, thanks so much for coming on the show. Very interesting,
scary. Like I said, this is not good. We wish you guys
all the success in the world because we want you to stop the black hats.
Yeah. Absolutely, We're here to hopefully remove some of that fear and
scariness and work with the OEMs to let everybody know we do have it under You know, it's a concern, but we have eyes on it and are working to keep everyone safe. If if you got ten percent of the cars,
what about the other ninety percent? Yeah, I mean, so the
part of that is the the EV's have been much more connected right than in the past, So EV versus ICE, the connectivity of those is is quite a bit different, but yeah, quite a bit, quite a bit more more vehicles out there. I mean, I mean more and more connected every
day than we're before. So thanks a lot, well, good, thanks
so much for coming on the show. Yeah, great to be here.
We're going to take a quick commercial break and we'll be back to talk more about the latest news in the automotive industry. When the piece and quiet of
your morning commute is as comforting as your morning machiato, that's what really matters, Bridge down't Toronzo ev tires, less noise for more quiet comfort. All
right, we're back. So you got a tinfoil hat deal? Yeah?
Oh man, we need a Faraday cage around us here or something. You
know, it's unreal, all right, So he was he was mentioning evs.
So what's your take on Fisker, Boy, There's there's some some great deals. I see fourteen thousand dollars discount on an ocean Sport, eighteen thousand
on an Ocean Ultra, twenty four thousand dollars discount on a Ocean Extreme.
Well, and if you're lucky, they haven't even cast your check. That
was the other news that came out today was that they spend a lot of money and a lot of time trying to track on payments because they didn't have good tracking for that. That is unreal. I mean, that just tolds
me that I'm sorry to say, Henrik Fisker doesn't know how to run a car company. Come on, the most basic thing is is taking payment from
your customers. Yeah, I mean I think the least expensive one, though,
was knocked down the like twenty five thousand dollars. Yeah, but oh,
come on, Mike, it's not tempting at all. Well, who's
going to buy a car from a company that's on the brink of bankruptcy?
What do you think, Gary, Do I think anybody would buy it?
I think a lot of people will buy him. Really Yeah, well the
dice, Well, they only have to sell five thousand. I think he
can probably sell five thousand of anything. But God help the people who buy
those things. Okay, But what I want to know is why did it
come to this. I mean we talked, I mean early on. You
know, he had the asset light approach that he didn't have factories he needed to worry about. And here he is a guy who has designed vehicles his
entire life, and and you know, has a put together a solid team, and you think, Okay, the guy can't help but be successful.
Why is it not successful? Well, you know, there's some basic,
fundamental things that they just can't get done. So they built ten thousand cars
last year, right, they could not even deliver half of that to the customers. They've got five thousand cars just sitting there, which are the ones
that they're slashing the price on. I mean, this is kind of you
know, basic how you run a car company. You build a car,
then you make sure you can get it to the customer, and then you make sure you can get the money from them. I mean, to me,
this is just shows such a fundamental flaw in the company that they can't even do the basics. I think the light asset part of it worked.
I think outsourcing this all to Magna, and Magna's building the vehicles. Now
we know they've had horrific software issues and all kinds of other issues. But
like I said, if you cannot even deliver the vehicles and can't even cash the checks, what the hell are you in this business for? Yeah?
I think too. And the software I think is a big piece of that.
It's like it has a bunch of problems. That part was underdeveloped,
and I think a big piece of why the cars weren't you know, got terrible reviews. And in terms of buying one, that's the biggest risk,
right because it's not going to get fixed if the company goes under. I
think another piece too is just you mean, when the company goes on.
I think another piece too, though, is just you need It takes a lot of money. You know. You look at Lucid just did a funding
round. I think they have like four billion in cash and they're saying we're
going to need more cash Tesla after Elon Musk said Tesla's not going to have to go to the market for money. I think since then has raised you
know, something on the order of like twenty billion dollars. And it just
takes a lot of money to get off the ground. And you know,
when you start losing it, then the dominoes kind of start falling, like you can't get you know, you can't ship the cars out, or you can't afford your inventory, and then slowly slips away or sometimes it seems inconceivable to me. Okay, let's take the software. Put that aside, okay,
and that seems to me that that is a fixable problem. I mean,
if these guys are, you know, dealing with all kinds of cybersecurity issues, I have a feeling that there's some coders that would be able to help Hendrick and his people out in terms of getting the software. But I
mean, okay, delivery is basically logistics. Logistics is basically you get on
the phone and you call U haul if you have to, you know what, they come and they'll take it and they'll they'll deliver it. How hard
is that? I mean that takes people, you know, that's one thing
with Oh yeah, no. It gets back to what I've said, Jerry,
is you got to be able to deal with the basics of running a car company. And I think you know, Hendrick is a terrific, world
class designer. Everybody. Everybody knows that. But you know, he's designed
how many vehicles now do they have four or something like that. I mean,
it looks to me like he's spending his time designing instead of attacking the basics of how you get this company up and running, and it's all about bringing in revenue. He's not the only one either, I mean, this
is what all the startups that they want to, you know, instantly pop into huge companies in the shortest amount of time possible. And I think what
we're all learning out of this whole experience with all the EV startups is pick just one model, maybe maybe one platform with two top hats on it.
Get your sales to two hundred thousand a year, whatever it takes to do that out of one plant. And if you can do that, then talk
about the next model that you're going to bring out, the next platform that you're going to do, because and we've seen this with Tesla. Once it
got to selling two hundred thousand Model threes a year, it started minting money and it was everything was gravy after that. But it really struggled to get
to that point. And all these other startups, you know, they're talking
about, we're going to build this plant and do these models, and we're going to do no get one right, and then build on that. So,
Mike, what did you think of the discussion and that apparently Fisker head with Nissan that they would get together and and Nissan would become the factory for Fisker. I mean, is does does does that indicate that startups need a
legacy company. Yeah, I mean, I guess if you look at Fisker,
you know, first they were going to do the director distribution model, and then that didn't work because distribution centers cost millions of dollars. And if
you want again, if you're if you're not going to do what Tesla did, we're you know, we're going to start in a couple of population centers at very slow volume and you know eventually build up. If you're trying to
go really big, really fast, you need a bunch of money. So
in that sense, I think there is uh you know, yeah, it helps with the distribution, it helps the development, It definitely helps with with production because again you're Magna is making money off that car too. So that's
that's slicing a little bit out of the line. The main thing I took
from it was, and you we saw this with with Rivian when they were talking about all of the improvements in how much it cost to build. When
we're talking about the R two, the new model versus the first one is I think a lot of these startups. I think that the thing that Legacy
Iliams have is this fundamental understanding of here's how we make something affordable. So
my guess is the way that broke down was someone probably looked at it and said, can we fix this? And I said, it's going to take
too much time or money to make it turn to help it turn around, and I'm skeptical of that. There were talks with Nissan. My guess is
somebody called Nissan and said, hey, you know, we're looking at selling things. And Nissan said, yeah, we'll have a meeting. And I
think that's about as high a level as it got to. We'll have a
meeting, and they had a meeting in Nissan went, yeah, there's nothing here. They should have probably made a car call to a car hauler and
gotten some of those five thousand vehicles and they might have been better. Yeah.
I did the math on it. What was the number I came up
with, John, They're going to raise like one hundred and forty million dollars one hundred and sixty million. That money is going to go to the bankruptcy
lawyers. That's not going to save the company, all right. So,
speaking of Nissan and speaking of reducing costs as you just did, Mic, So, Nissan came out with its new ARC project and this is going to revolutionize Nissan, and Nissan plans to launch thirty new models over the next three years, of which sixteen will be electrified and fourteen will be ICE to meet the needs and markets around the world, and it plans to launch a total of thirty four electrified models from fiscal year twenty twenty four to twenty thirty to cover all segments, with the electrified mix being forty percent globally by fiscally year
twenty twenty six and sixty percent by the end of the decade. Of course
they're saying electrified and not electrics. We got to keep that in mind.
But this was very interesting and it goes to the point you're talking about.
So, according to Nissan, by developing evs and families, integrating powertrains, utilizing next generation modular manufacturing, group sourcing, and battery innovation, Nissan aims to reduce the cost of next generation evs by thirty percent compared to the current area crossover and achieve cross parity between EVS and ICE models by fiscal twenty twenty twenty thirty. So are they just throwing out numbers or do you think that's
conceivable. I mean a twenty thirty I think it's conceivable that you're just you
know, and I think if you look at the at the Chinese automakers like byd they've they're already on like you know, they're they're they're iterating very quickly, and they've found that, you know, those cost savings. It's one
of the reasons. There's a lot of reasons, and some of them are
that, you know, other other regions in the world aren't going to be able to get to that cost structure that that Chinese companies have. But part
of it is they're just doing those extra designs. So yeah, by twenty
thirty, you're on your third and fourth platforms hopefully, and you figured out a way to get costs out of that. But yeah, still there's a
little bit of like these are all numbers that are all you know, a nice round twenty thirty and a nice round forty percent, so you know, see how it actually plays out. So they're claiming that by developing being with
the family subsequent subsequent vehicles, the price can be costing be reduced by fifty percent, the variation of trim parts reduced by seventy percent, development lead time shortened by four months, and adopting modular manufacturing, vehicle production line will be shortened, reducing production time per vehicle by twenty percent. Is that enough,
John, twenty percent reduction time in production? Probably not. I mean,
if if this Tesla unboxed assembly process works, Nissan's not shooting nearly far enough.
So I don't know. You know, they're claiming they're going to sell
a million more cars. I got to see it to believe it. You
know, here, here's something interesting. I've been running these numbers on it.
You know you mentioned BYD last year they spent nineteen billion dollars on cap AX capital expenditures, new plants, and equipment. That's more than GM and
Ford put together. It's extraordinary. Last year, BYD broke into the top
ten list of car companies in the world. That pushed Mercedes Benz off the
list, outsold BMW. It's right on the heels of Nissan. So I
got to believe this is one reason why Nissan says it's got to sell a million more cars in the next few years. But my guess is probably this
year BYD will surpass Nissan. So this raises an interesting question. And I
was talking to someone earlier this week about the subject, and we were talking about the BYD Seagull and I know you've driven the car and that's the eleven thousand dollars ev that BYD is is selling. And Okay, if you think
about it, you know, tires cost, what tires cost, glass costs what glass costs. You know, seat materials, seat material da da da
da dad. So how are they able to get such an inexpensive vehicle?
And it seems that one else can do that. Well, there's probably some
other Chinese companies that are coming close. Number one, they've got scaled,
they've got volume, and they're adding to it, as I just said, with their capex expenditures. The other thing that I just learned this week is
that BYD operates with two engineering groups twelve hours a day each one. They
are on a twenty four hour constant. I've had suppliers say, we're doing
business with them, we can't keep up. We cannot keep up with them
because they're moving that fast. And they also just because you've got business with
BYD as a supplier doesn't mean you keep it. You know, if you're
a tire supplier, you mentioned tires, they'll go around to other tire suppliers and say, hey, here's what we're getting tires for right now, you want to beat that price. So they've got this complete feeding frenzy, no
loyalty to the supply base whatsoever, and they just keep driving costs down and down and down. And they're very good at what they do. They're they're
they're churning out very good cars. Is that sustainable? It would seem so
far that it is. I think the seagull too, if if I'm unless
I'm mistaken, if that's one of the cars that has the sodium ion battery.
The sodium ion it's a different chemistry, it's a little lower power density, and it can't charge quite as quickly, but it's really cheap and its China has a few factories that are building these batteries, a lot of it for stationary storage. But you know, there's there's talk of that being on
the order of like fifty bucks a kilo whate hour, you know, like like a third to half of what other batteries are. So that's a big
piece of it too, is you have a slightly smaller battery in that entry level model and you just have no battery cost. But okay, but let's
let's say that let's say that the car had an ice engine in it rather than an electrical or ev Okay, it would still be cheap. It'd be
cheaper, right, And again I get back to this question of whether could could General Motors build a car like that in the United States? Hell no,
especially not with UAW labor. So is it all the issue of labor
that No, no, no, no, it's not just labor. But
it's speed to market. It's you know, how quickly can you get You
know, if you're doing twenty four hour every single day product development and you can bring a car to the market far faster than your competitors, you've got an advantage. And if you can take half a year a year out of
the PD product development process, you've just saved a ton of money that way too. So, I mean it's a machine that the rest of the world
is not ready to compete with yet. Well, is it profitable at eleven
thousand or is this just saying, look, we want rapid expansion and we'll take a bit of it. So just to answer your question there now,
this is I can't speak specifically to a seagull or any of the other electrics.
But last year BYD posted a net profit of four point one billion dollars.
Ford posted a net profit of four point three billion, So they're making money now. Four had a bad year admittedly, but still it shows you
that this company is coming on like gangbusters and it's making money. You know.
We had Mickey Bli on last week, the head of Global power Train for Stilantis, and he mentioned that they've got engineering centers all around the world, so they're working twenty four hours a day. So BYD's not the only
one that's doing that. Yeah, but my guess is Mickey's got engineering centers
around the world that are working mostly on regional development. So as South American
teams working on South American stuff, is North America, North America year blah blah blah. Where it seems to me that BYD is it's all based in
China, and it's it's all working on one product line that is is just giving them a constant look. I heard today from a very senior executive here
in the Detroit area that he's heard BW ideas fifty thousand power train engineers.
The company has over seven hundred thousand employees. That's more than Toyota more than
Volkswagon. So, Mike, what is your sense of the possible popularity of
a vehicle from China in this market? I mean, I think if you
came in with something for twenty thousand dollars, I think, you know, as long as it holds together for a couple of years, I think people would would go for it. If you look at you know, the growth
right now with higher is so far in the beginning of the year, with higher interest rates and just rising prices, a lot of the growth is in those smaller price segments. And you know, frankly like a lot of automakers,
especially the domestic American ones, have kind of given up on making anything that sells for twenty five thousand dollars or less. They all have, you
know, one or two models and those are selling well, and I think the but yeah, I think if if a Chinese company came in with an ultra cheap model, my gut feeling is people would put aside any worries about where it comes from and just say, look, I can get a brand new car for not a lot of money. So John, would this then
cause the traditional manufacturers to say, we got to start building those two.
Well, you know, look there, you know, Gem's got some affordable cars. They all come from Korea. For It's got you know, the
Maverick, it's made in Mexico. You cannot make a cheap car if you
will, I would say, with uaw labor. The labor rates are just
substantially above, substantially above any low cost country rates. So I think they
are all keenly looking at this. You know, Ford's got this skunk works
program trying to come up with a cheap ev we know about that. GM's
got to be doing something Stillansas has got to be doing something that we don't know about yet, and Toyota and Honda and the rest of them. But
look, they're all scared silly about the emergence of these really good Chinese companies.
And you know, I just quoted you guys some of the facts and figures of BYD, which is at the top of the heat there. They're
scared of what's coming. But what I wonder about is is, okay,
you know, Mike, as you're suggesting that, you know, the the MC three, as our friend Joe White calls them, MotorCity three, right, has basically a focus on pickups in large SUVs because they make a lot of money there, and they're basically saying, you know, the lower end of the market, we don't get such good returns, so we're going to seed that market basically to the others. And uh, you know, you
had Kia come out with a with an attractive looking replacement for the Forte, calling it the K four. So they have a new nomenclature that it's K
and then numbers following it. And you know, so this is a you
know, comparably inexpensive car that looks looks fabulous, looks great, and I'm sure people are going to buy it like mad. The question that I have
is if by D builds this mysal mythical factory in Mexico and starts shipping cars over the border and and there isn't one hundred percent tariff on them, would the MC three basically say, you know what, we're doing really well with these pickup trucks and big SUVs and we're not gonna We're not going to be concerned about that. And no, I mean, I don't think they can
afford too because I think that you know, there's just enough erosion there and I think, you know, the big pickups do make them a ton of money, but they're largely a North American piece and you can't You're not going to be able to survive on just North American volume at the size that they are right now if they want long term you know, that long term existence.
And to me, it's also like this is just history repeating when the Japanese automakers came in, When the Korean automakers came in, it was they exploited this niche at the bottom of the market and saw growth, and then you know, the domestic automakers did scramble and say, wait, we got to respond, we got to have our version of it. I think I
think they will do that, but I also think like there will be damage if someone like Bid did build that Mexico plan and then got into the US market. The biggest ones that threat though, are the Japanese in the Koreans,
you know, to any incursion into the American market by low cost Chinese cars, because to your point, the Detroit three have largely abandoned that segment.
I mean, there's very few uaw US made vehicles priced under thirty thousand dollars. The base price might be you know, like twenty eight thousand,
they've largely walked away from that. So I mean, if cheap Chinese cars
come in, it's going to be Toyota, han Key, Hyundai that are going to be first impacted by it. But Mikey made a really good point.
That's how the Chinese would come in at the low end where they know that they can have a huge cost advantage, and then start to move up scale and threaten the MC three, maybe not with pickups and body on frame SUVs, but everything else. And you know too, it's like it's not
you know, again looking at the evolution of Japanese automakers in the US, like that's a twenty year time scale. It's not like they're going to come
in and wipe someone out in five years. If they did, that would
be you know, pretty astounding. But you know, that's the piece too,
is that I think that the automakers need to be alarmed now so that they're ready to respond because you could go, oh, it's no big deal, they only sold one hundred thousand cars. Ten years later when they've you
know, got up to a million or something, then you have a real problem that you haven't that you ignored and So I got a question for you.
So news came out this week of the twenty one hundred workers that make up the three work crews at the Rouge Electric Vehicle Center in Dearborn, they'll be seven hundred. Yeah, fourteen hundred are a going to be moved to
the truck plant making Broncos and rangers and some of people will basically take a buyout package and say goodbye to Ford. Okay, is someone going to get
in trouble in the Ford glasshouse for wildly overestimating the popularity of the F one fifty lightning? Good question, really good question. If somebody's going to get
in trouble for it. You know what it shows is if Ford had stuck
to its original plan with the lightning, everything would be hunky dory right now.
But remember they came out and they had this small all addition to the assembly plant and Deerborn that makes the F one fifty and say we're going to make lightnings on this. It was almost like a shuttle line, so they
could shuttle stuff off, put the batteries and everything, and shuttle it back in and then orders I remember they had what over two hundred men shot because you know they're burning up the right and so they said, hey, we're gonna double it. We're gonna double production of it. And then they doubled
it yet again, and then the buyers didn't show up. They ran out
of early adopters. And like I said, if they had just stuck to
their original plan, everything would be just because that's what they're they're shrinking down to, is their original plan. And they announced it this week and it's
as of April first. I mean, they're not wasting any time here.
It's just like basically, oh, you know, you used to drive to Deerborn. No, you're driving out to Wayne now. So was it?
What's your take on that night? I mean, I think Stillantis had some
layoffs too that they blamed on the EV transition. And I think some of
this is, you know, yeah, that's just a convenient narrative to say we're going to cut some jobs and see if the stock price goes up.
But I think the other piece too, is all these companies. I don't
know they you know, maybe they were like drunk on Tesla news or something, but they all thought that they were going to jump, you know, by the looking back, it was like they all thought they were going to see this explosive growth in evs and and again, if this is a long term play, it's it's going to play out over the next six to ten years. And and so you put all this money and like, surprise,
you weren't you know, you weren't seeing double you know, doubling your your sales every single year. You're still seeing strong growth, but like, no,
you're not going to switch over to ev in a three year span.
I think that's really the problem there is they just kind of forgot fundamentals.
If it was a new product in ice, just like a new segment or like you know, bringing the Bronco back or something, you know, they wouldn't have made those same kind of projections of those same kind of investments.
And so to me, it's like you forgot your fundamentals, and now people, you know, people are paying the price for it with their jobs, and people in a glasshouse probably you know, maybe aren't going to get affected.
You know, the Stilantis thing. I've been thinking this odd for a
couple of years now. It's easy to get rid of people in the United
States. It's really hard to get rid of people in Europe, really hard,
and really expensive. So if you're Carlos Taveres and you're thinking, look,
we need more synergy here, We've got to reduce headcount, kick them out of America because we can chop four hundred people like that without any warning, none whatsoever. You know, they had a mandatory work at home day
mandatory last Friday and then let four hundred people know you're out of a job.
It was just like, you could never do that in Europe. And
so I've been saying this for a while. If I was in a staff
job at Stilantis Finance h Are Legal, I would be real worried because those jobs can be taken over in Europe. You're just going to load up your
European workers on this. Well, now it's spread to engineering. They got
rid of a whole bunch of engineers too, And I think it was Automotive News that reported this. If in the United States you're going to get rid
of five hundred people, you've got to give them like sixty days notice.
If it's under that, you don't have to give them any notice. And
so it would seem I don't know this for a fact, but it would seem that Stillantis is gaming the system. Get rid of four hundred people at
a time. I think more cuts are coming, and it will be in
the United States, not in Europe, you know, Mike, I think it's interesting you were saying about how these companies have basically fumbled on the fundamentals, and earlier when we were talking about Fisker Fisker not having the fundamentals.
I'm wondering which is worse. I mean, obviously the MC three i'll stand
business insk or may not stand business because of its lack of understanding. But
I mean, doesn't this seem to indicate like the entire industry, whether you're a traditional or a startup, it's in such flux that you can't put your arms around it. Yeah. I mean, you know, it's easy to
sit here and say, oh, they forgot their fundamentals. It's like,
you know, well, yeah, I didn't. I don't have to make
any of these projections or make, you know, billion dollar bets that you know, could either make a company survive or go under. But yeah,
I mean, I guess it's it's probably better to have the fundamentals and miss them and be able to recover than Fisker having it. But I think there's
also just there is this overall pressure of like, you know, you've got to make the number go up. And you know, autoline is probably talked
about as a lot like automakers in general don't get the respect on Wall Street that they think they deserve based on their market cap versus the amount of money they bring in in their profit margins. But you know, there is also
this piece of like maybe autos are always going to be an un sexy segment, and you know, trying to do that with this big electrification push or a big self driving push like that might have been really tempting. But maybe
the lesson here is that, like, you know, you got to just keep doing what you're doing and even maybe just try to survive. What you
just said I think is profound. Seriously, what these car companies, the
legacies, the MC three have got to do is just accept what they are.
They're never going to be Tesla's, They're never going to have spectacular, you know, market capitalizations. But what's wrong what's selling five million cars a
year and making ten billion dollars in profit? What's wrong with that? And
and to try to think that you're going to do a whole lot better than that. To me is completely unrealistic. I I can't imagine that anyone in
Auburn Hills, Downtown Detroit, or Dearborn would accept that plight. I think
that they would. Oh, you know, we've got it all happening,
don't you know what don't you realize about you know, our fabulous technology and we just hired this guy from Apple, and you know, and we just hired some guy from PayPal. I mean, it's just well. And none
of the banks that have your institutional shareholders are going to like that either.
I know that they want to see, you know, we're we're in this constant growth almost sickness, right. I think reality will set in before the
end of the decade. And look, here's the big problem for the auto
industry, at least in the mature markets US, Europe, Japan, Korea, They're not growing. They are not growing, and so if you look
at their revenue on an inflation adjusted basis, most of these companies are smaller than they were a decade ago. Some are the exception Toyota. Toyota is
doing pretty good. Toyota is pretty impressive, but the rest of them are
either barely growing or shrinking. And so to think that you're going to get
these fantastic valuations I think is delusional. And that's a good point to end.
I hate to end out a sour doubt. But let's come back next
week and do another show Gary, and hopefully we'll find some really good news and we'll have Charlie chessbro of Cox Automotive. I'm telling us about how the
companies are doing in terms of sales, and yeah, some are doing fine, some are doing fine, but Cox just came out. Cox Automotive just
came out with their stuff. Ev sales are going to look very good by
the end of this year. By the by. Therefore, okay, I
know you disagree. I read their stuff and their statistics in their statistics,
so well, yeah, what's the old saying. There's liars, damn liars
and statistics. So we'll get to that next week. We were But Mike,
thanks so much for coming back on the show. Good having always glad
to be here. Yeah, okay, see y'all, thanks for having tuned
out online. After Hours is brought to you by Bridgestone Tires Solutions for your journey
About this episode
Cybersecurity in the automotive industry is becoming increasingly critical as vehicles become more connected. Jason Masker from Upstream Security discusses alarming trends in cyber attacks, revealing that 50% of attacks could potentially impact thousands of vehicles. The conversation dives into the motivations behind these attacks, the sophistication of hackers, and the importance of robust cybersecurity measures for OEMs. With the rise of AI in both offensive and defensive strategies, the episode underscores the need for constant vigilance and innovation in protecting vehicles from cyber threats.
Original notes
TOPIC: Cybersecurity PANEL: Jason Masker, Upstream; Mike Austin, Guidehouse Insights; Gary Vasilash, shinymetalboxes.net; John McElroy, Autoline.tv
Autoline After Hours
Autoline
0:00
63:10