Welcome, everyone, to the latest edition of our Reimagined Mobility podcast series. Here with Nir Hasson from Karamba Cybersecurity. Thank you for joining us and maybe for some of our listeners and viewers that don't know what Karamba does, maybe give us a two-minute high-level elevator speech of what you guys are doing in the cybersecurity space.
Sounds good. So thank you, Stephan and Jeremiah, for hosting me. So Karamba Security we've been around since 2016 from the company inception.
Our goal was to support provide cyber security solutions for vehicles and mobility in general.
The way we started, we saw today seven, seven years forward, we have a very comprehensive product and services portfolio that covers the development sides of the when you design a component vehicle, etc. from your from basic things like training, threat modeling, pen testing and up to the post-production when you want to add it self-protection to your vehicle for critical for the critical component, as well as monitoring the operation of the vehicle until the cybersecurity end.
Today we are serving nice amount of OEMs globally in the US, Europe and Asia. We just had a press release earlier this week about protecting 1 million trucks in Europe, a large OEM there. We are based in Israel, but we have offices in the US and Detroit and San Francisco Bay Area also in Europe and working with partners in Asia.
Very good. So, yeah, I want to bring this up. The announcement you guys made that's with your GuardX product.
Yeah, our XGuard.
Sorry. Tell us a little bit what what does this thing do for again, for those who are in cybersecurity for many years, but also for those who don't. Tell us a little bit what what specifically does this product of yours help the union with and what does it actually do?
Yeah, so what do you think about it? Thinking about am thinking out of step back here to say that let's say you want to protect a device connected. So a device is connected by default is risk level go goes up.
Another question is how are you going to what are you going to do about it? In many companies, many device companies, you know, connected device, company device can be a vehicle, it can be a medical device, etc. They're very good in, you know, in what they're doing. So they're trying to solve some specific problem or create some value by creating a product that they we just with the relevant functional functionality and capabilities. And that's that's their core expertise.
And then comes cybersecurity. Now they are the landscape is changing. Now you need to do cyber security and most of them don't really have a strong cybersecurity capabilities in-house in in even in obviously tools as well. So our goal is to provide simple solutions and that you can add into your device. It can be a vehicle in order to make them more cybersecurity resilient, specifically XGuard. You can think about it like it simplified and say like we all have antivirus on our laptop.
It would be nice to have similar thing.
They will have self-protection on your well, the critical components in the vehicle and this specific example, they are in and they're connected models inside that into the truck that are the big clients of ours identify as being and possibly attack not exactly directly, but you know, just for the fact that it runs a very common OS and and there are some that start running in there and over the Internet and reaching its ex and it can create even even the position, even into the case, sorry, of
if someone is being able to steal the vehicle. So what we had there with XGuard essentially, as I mentioned, kind of the next Gen Antivirus and EDR for and for embedded devices. It provides self-protection. So even if you have vulnerability, not vulnerability on your on your device, XGuard will render them useless because it will be able to detect the manipulation that attacker is trying to do and block it. From the get go.
Well, interesting.
And I guess staying for that for a moment before we go a little bit more generic, do I assume correctly that your XGuard can regularly be updated if new threats and new vulnerability are detected or the bad guys, so to speak, find a way around it. You can update your XGuard over the year to make it even more robust. Is that a fair assessment or is that handled differently?
That's a great question. So actually we took a different approach.
So when you think about antivirus, essentially you think about you can I need to update the signatures of a that identify bad software, etc. Actually on the way to work, it essentially looks it looks down the design, the functionality. So when you for example, let's say you have an infotainment system, okay, does what it does during the build time, when the code is ready, the functionality well define. And that's where XGuard actually got it's part of the build process.
So we automatically analyze the functionality and it adds cybersecurity checks just to make sure that the functionality, the flow of the software in is going to be kept during a runtime. Any deviation from that will be blocked. So one, one, one example can be simple example. If someone so you have your image of your infotainment system, someone the hacker was able to drop some malicious file into it, now he wants to execute it and well, we will identify that this thing is foreign.
It was not part of the the of the original code or any update that came after. And we will block it and not allow and will not allow it to run. So we can think about if someone's trying to inject a ransomware into the infotainment system to essentially turn your head unit into a brick. And unless you pay them and this thing will not be permitted.
So let's say, though, that OEM again, truck OEM may be less likely than passenger.
But nevertheless, from a conceptual point of view, besides, hey, you know, the users, they want new features on the infotainment system, the example that you just use, and we're going to send an over-the-air update. How is your system then aware of the new functionality of the new software, so to speak, that's now flashed into the head unit? Is is it agnostic of that or has it is it part of that update as well? Or how does that work?
Yeah, it's agnostic, the short answer. It's the agnostic.
Essentially what the what happens is that think about when when software. So it's not only agnostic, it's also transparent to the engineering. So the engineers will develop whatever they want. They will know, keep advancing the features and more capabilities the code will get into.
It's going to be built in in the toolchain you can think about XGuard is like as another second compiler that sits after that, analyze the code, understand the functionality or the flow of the program, what kind of components are there and lock down this and and these capabilities and they let in, you know, and then you have a release of the software which these sort of security checks enable. Now, when you add when you let's see.
Okay. And you send an update you essentially building a new package. This package also will go through this process.
And we have a mechanism that identifies that there is a new package and that it needs to update the policy and what is allowed to be to run on the ECU. For example, you can actually you added another another functionality to do a so the software we in our ECU, XGuard agent, we understand that there is a new functionality called “a” with its own libraries and will allow it to run in operate.
Okay okay so maybe go near for for a second. Go a little more generic.
Where do you guys see the majority of cybersecurity activities going on as it relates to which market do you see the biggest demand for your solutions? Right. To protect vehicles. Let's call it a passenger and heavy duty trucks. Anything in between there? Is it is it in Asia? Is it in Europe? Is it in the U.S.? What are what are some of the trends? What do you see in mainly?
So, you know, the big blessing and blessing of what we had was the introduction of the ISO 21434, which essentially it's a well written standard. I would say very, very vividly what needs to happen and also kind of create standardization, kind of a global standardization that every market is following. So I would say that what we see is more like so we see demand across the board, I would say there, but there is different types of demand.
So you have all these emerging players, you know, like their followers or. Yes. So in and they, you know, they, they have a very aggressive timeline to where to produce cars. And at the same time, again, they don't have cybersecurity capabilities, at least not in the scale that they need. And so over there, we see a lot of a lot of requirements of in that.
And it can be the spectrum can be from helping them with the certification process up to an and helping them, you know, in terms of providing them something like a CISO as a service is someone that will go inside the company, will help them to define their vehicle cybersecurity strategy and take it from there, and all the features and tools and so forth. And we have engagement in that level as well. So there's definitely the emerging EV.
We also see in traditional OEM that the ones you also see, they're always everything that they always need to help in terms of services. Pen testing is a big thing. It became a tool, became a main thing. It's something that every, every company needs to do before they release their product. They're using vehicles. And so we see a lot of traction over there.
And yeah, so I would say the emerging EV definitely provides a lot of work, a lot of traction and but also the traditional one because of their scale and their maturity of alignment with the ISO.
Or so you mentioned the ISO standard, which I agree and at least puts a common base that everybody can work off and that we, what we understand how to communicate between customers and OEMs and suppliers like in ours ourselves as well obviously.
Yeah. How, how much more important however do really get the push for cybersecurity to truly be implemented on our end may be much more diligent, much more serious level, if you can use that word is when when governments get involved. So let's say the EU has an active right cybersecurity mandates and regulations, for example, we don't necessarily have in the U.S.
How much more demand did you guys see for your solution based on that change as opposed to, again, ISO regulation that certainly also are used in the U.S., but were a actual government regulation, action and and certification, so to speak, is is missing or still missing may still come. How is this changing the dynamics of of demand for you.
Yeah so you know in Europe they the European market so the European regulation is always kind of setting the you know leading the way the regulation of sudden, you know, you have GDPR, etc. I think came up for a lot of Europe and but you see the same thing here where the case of Europe, they decide there being a new regulation and and all the companies globally are aligning into that because they don't want to maintain two different systems, especially when so in the beginning when we when ISO
started to gain traction, we thought, okay, maybe it will be more or the UNCR 155, maybe it will be more workable for our European customers. But what we saw in reality is that everyone is aligning to that because even if you are an OEM in the US, you're telling yourself, okay, I want to sell in Europe, I want to sell in Japan, and so I am not going to create two different platforms. So it's better to do everything at once in same on the same platform. Hmm.
So yeah, so it's very rare to see someone that for some reason keep their eyes on. I think we saw such an example.
And in the beginning there was we felt like maybe someone, some of our clients will not adhering to ISO, but eventually all of them are, you know so I think that what I heard from a large OEM is that if you are adhering to even if you're, you know, in the U.S. and selling only let's say selling your cars in the U.S., it's easier to defend yourself against there when you are interacting with ... when you show them that you are following the default. Yeah, you say, I did everything I can.
You know, I follow this this there this standard. And, you know, it just happened.
Now very similar, very similar, very sorry, very similar to the approach that essentially U.S. OEMs are using with ISO 26266. It's a functional safety, right?
It's not necessarily a mandate, but everybody wants to use it because you can then highlight that you use the proper design practices that you did, your hazard and risk analysis when you design a component, a subsystem system, etc. It sounds like it's very similar in the cyber security space as well.
Yeah, and I would also add that there is beside the compliance and the compliance, you also want to hedge your risk if you're following the ISO, which which mandates, you know, best practices in terms of processes and so on. For cyber security, you are also producing a higher quality product that is more out there.
And I really thought thought number one priority, especially for companies that are, you know, rushing to the release of car is something that they think about and they definitely want to protect themselves and make sure that they are also providing quality product in here. That's their goal.
So I've known of your company and work with with some of your coworkers for for many, many years. And it felt like at the beginning when you guys started, you said seven years ago right. Very exciting time.
Everybody talked about cybersecurity. But then, at least from my perspective, it felt like it it didn't get the lift off, right? We were on the tarmac. We were ready to take off, but it didn't really take off. We're kind of like waiting, waiting, waiting. And now it seems to have have taken off. Why now? Or am I seeing it wrong? Or if I see it right, why now? What what do you believe has changed this regulation?
Is it an acknowledgment that, no, this is really serious and some really bad things could happen both from a safety but also from a let's say, from a the amount of ransom, from an economic impact. And know OEM has, share a little bit of light from your perspective from there.
Yes, that's definitely, definitely shift correctly. I think that there are maybe kind of three dimensions here for why things change.
First of all, on the you know, on the, let's say, market level, there is more maturity following the ISO and UNCR 155. I mean, today or since Q4 last year, you can't sell a new vehicle model in Europe unless it passes, I guess, which put cybersecurity in the same front row with safety, which is kind of amazing when you think about it. It's only it's only in the field today, it's only in the automotive, more automotive industry. Yeah, the markets are starting to catch up, but it's very unique.
So one thing is the maturity on that level. And yeah, many, many ways what we have to do one kind of, you know, now they're doing some firefighting because they heard about it, but maybe they didn't take it too seriously or budget. Now they're trying to ration and close the gap. That's one thing. The second thing is I think on on, to be frank on the company level, we started with XGuard, which is a great solution, but it was, I would say, a little bit ahead of its time. Out of its time.
Yet, because when you look at the evolution of cybersecurity in automotive, for example, you you need to start from the basic stuff of the software. If we could do a software development lifecycle. So you need to do threat modeling, you need to do pen testing and so on. So there's a big gap over there and it needs to be closed before you can think about, okay, I'm very good, very good over there. But now I want to go to the next level.
And so that was something that we were we were a little bit there. That's why we decided to at some point we understood that we actually need to help our clients. We need to help our market, the market so they have the skill gap, the knowledge gap and we started develop our is a cybersecurity consulting arm, which is very successful, very easy and start to open different labs in different locations.
And that 1 to 1 we have Michigan and that helped as researchers and help our clients to prevent this and so on. And we did that services and we also develop tools that automate some of the work that needs to do. They heavy lifting, the work that needs to happen in order to comply with the ISO and also to simplify what you're doing. And essentially also add address to address the issue here where you have, yeah, low, high demand for cybersecurity talent, but not enough people out there.
And so you want to, you want to use tool to do more with less. And that's where we also focusing with our vehicle platform. So we have an automatic directive. We can create a tower within minutes, which is kind of crazy.
And instead of weeks you can you have the binary analysis which and automation allows you to quickly understand your device system, your vehicle, cybersecurity posture, and also help you with that testing and also down the road managing your vulnerabilities once the vehicle, the ECU is in the field. So that will be, you know, kind of the second dimension that I mentioned is what happens, you know, in the in the market reality.
So last week there was an article in the Guardian talking were mentioning that ... talking about the class in class action lawsuit against the Kia and Hyundai know I don't know if you heard about it, but essentially what happened over there is that there was a in early 2021, there was a TikTok challenge of explaining how to break into a Hyundai and Kia car using a USB cable. And this thing kind of started to gain momentum.
And a year later, the Los Angeles official reported there was a spike in car theft of these specific models. They're talking about 9 million vehicles globally. And so the end result of that was that the Kia and Hyundai started a paid to spent $200 million to deal with all the aftermath of this failure. So yeah, $200 million. It's a not small amount and you have it in different places. But you know, these things are happening. There are things that are not public and that we are aware of now.
And so, yeah, so all these things are converging and eventually that's why we are here today. And probably it's going to continue like that in the future.
So perfect lead into my next question is in here. We talked a little bit now again, what have you guys over the last seven years done at Karamba. What has the industry has industry come from with regulation technologies? Again, some stuff early ahead of its time. They have to change it around now. What's the demand this year?
What what do you see in the next five years when you look at cybersecurity, specifically what what you guys are doing right? Is it is it again, you mentioned you can do it tomorrow in threat and risk assessment in whatever, a minutes more before and maybe was days or weeks or months. Is it is it automation of pen testing that's going to really make the next leap in technology going forward?
Is it that that all the many functions that are going to be in the cloud and you become more or less protected in the cloud versus new vehicle? What is it? Just some ideas I threw out here. What do you see happening in the next five years?
Yeah, so we start to see. So if you think about let's talk about numbers. We have, you know, connected vehicles there and the CVIO, the connected vehicles in operation, it's now so 85% of the vehicles now being sold are connected.
Yeah. And the numbers are going to grow to 400 million in 2025 and 600 million in 2028. And at the same time, you have the autonomous vehicle or semi-autonomous. And so doing fully autonomous vehicle is hard, still hard.
But if you look at the level three and above and which provides, you know, the ability to have some, if the vehicle can drive by itself under some conditions, most conditions of all conditions, the number we are seeing, I believe it's 8 million and then in two years from now, 8 million vehicles will be on the road with some types of level three and above capability.
So what we see over there is that we are being approached by our clients and we need to talk about how we improve what the autonomous or are we going to secure the autonomous capability. Okay. And we see some projects around that. And over there you have many challenges. Like you sensor fusion where, you know, the sensors of the vehicle can be controlled, you know, microwaves, video and so on. You know, are we fused together, know to create some kind of perception.
And but there are many ways that you can fool these devices with this example of one of our research of working with with the and it projected an Elon Musk image on the road in the Tesla car just saw and stopped it was on the road etc. So there are many examples like that. So how do you tackle that? Because this can also create, you know, some kind of an operational issue. So that's the one front and I think that's where we are.
We are now learning it and we are starting to think about how to provide solution to that. The cloud side of the vehicle, definitely a big there is a sizable amount of our businesses there. And we being, you know, in being invited to go and explore and help and advice on how to better to make sure that their cloud is resilient. And we also have collaborations with companies that are developing and VSOCs of because our XGuard solution can provide.
So when you when you try to monitor a fleet and you today you're monitoring it from looking around the vehicle, so looking at the communication, etc., But the best way to end it is it creates a lot of noise and false positives. But the best way to do it, to really understand what's happened, what happens in the vehicle is to run something on the critical ECUs. That's where XGuard comes into play, because they also have this capability that we released two years ago.
So I would say, you know, autonomous is a big driver in the fact that there are many, many more connected vehicles and we start getting more and more the players joining the game, the sensors that are related to autonomous in general. Now to protect that functionality and and know also the cloud, the cloud side. Now we can be the part of the vehicle cloud.
So maybe the final question that I'm going to put you on the spot here maybe for a moment if you have to, with all the customers that you interact with, which is mainly U.S. customer, if you take a global approach and look at all your customers, OEM and suppliers in the mobility space, what is the one thing that maybe always surprises you again, that these companies and the people responsible, they are for protecting a vehicle like cybersecurity don't understand or don't seem to rate as as high
from a threat point or from a possibility as as you guys would crumble. Is there one thing that sort of sticks out that you always say again and I wish they would finally put more weight or more emphasis or more importance on this?
Yes. So there are two things I think, that can that can help the industry. One is to create more awareness and training inside organizations.
So, you know, you always I guess, safety for of time that they say, well, they're you know, they made the company they're doing the right things. They're operating in the right way.
And you have the companies that are now not doing it very well on the cybersecurity side and even to the to the point where we have a cybersecurity researcher that they're working on some projects with the and they say, well, this car is amazing, but I probably will never buy it unless they're going to fix all the things that we found there because it's clear.
So definitely that you need to create winning an awareness because you see also in upper management that they are not really are not fully understand the magnitude of, you know, cybersecurity. There are so many examples in outside of the anti cyber security that you can see that lack of understanding created the very big issues down the road. So you can still see here something like, you know, what you're trying to protect never happened, which is okay, like they know they're like.
An insurance company or did you pay for something and hope that it never happens. But if it happens, you are protected. So. Exactly. So that's one thing. The second thing is we still see, even with companies that, you know, working with premium OEM for premium brands, etc., what they're very good cybersecurity. You see that the distilled ones still have lack of cybersecurity quality and I think that Darren pen testing etc. and we come in, we help them to clean up what what happened there.
And I think that one thing, one thing they need to do is definitely use more automation, more tools. Still, the usage of tools and and the reliance on manual and reliance on the minor work is still prevalent, which is something that definitely needs to be and definitely needs to be fixed. So I would say, you know, more training, more education, increasing the awareness because not everyone understands in the organization what exactly is happens.
And the second thing is to learn more information tools. They're very, very great tools out there and definitely it takes time and money, mind when you do that.
No good points. So make sure before I buy my next car, I'll I'll check with you and the experts at Karamba to make sure that whatever car I'm choosing is also seems to drive so I good never. Thank you very much. I appreciate it. Thanks for joining us and thanks for your great insight. Thank you. Always great to have you.
Thanks for listening to the Reimagined Mobility Podcast. If you like this episode, please subscribe and tell a friend.
