Kamel Ghali on what's 'theoretically possible' in car hacking

Kamel Ghali has spent his career thinking about what happens when a car stops being a car. A veteran “white hat” car hacker and penetration tester, the Japan-based Ghali has trained engineers and regulators in the United States, Japan, and the Middle East on how to spot and fix the kinds of flaws that can turn a vehicle into a rolling vulnerability.

He is the chief operating officer of Kage Corporation and director of automotive cybersecurity at AKATSUKI, a Japan-based nonprofit devoted to cyber education. He’s also a board member of the Car Hacking Village and a regular presence at DEF CON. 

As legacy automakers race to act more like tech companies — pushing remote software updates to tweak performance, patch infotainment systems and add new features — Ghali argues they are being forced to confront security questions that Silicon Valley already has grappled with for years. 

Ghali says the industry has made significant progress after some early, high-profile missteps. But as more software gets loaded into cars, new weaknesses emerge just as quickly. The Click Here podcast talked to him about that. The interview has been edited for length and clarity.

CLICK HERE: Do you remember the first car you ever hacked?

KAMEL GHALI: I worked as a vehicle penetration tester for about three years when I first moved to Japan in 2020, so I did a lot of hacking on earlier Tesla Model 3s. The reverse engineering process is a big part of cybersecurity for cars, so I spent time learning which messages corresponded to what parts of the car and making applications that interact with the car through those network protocols. So the Tesla Model 3 is one that I'm definitely pretty comfortable with.

CH: And when you say you were hacking Teslas, were you working on whole cars or pieces of it — certain systems?

KG: When you're actually testing on behalf of a client — an automotive manufacturer or one of its suppliers — it’s very rare that you're testing a whole car at once. It's much more common that you'll test one component or one subsystem of a vehicle, because they'll do this testing during development before the full car is ready. So during those three years, I actually never did a full vehicle penetration test. We’d receive a system and we would be given a scope of attacks to perform, and we’d essentially analyze the system and report any vulnerabilities that we find and give the customer recommendations on how they can be remediated. Since those days, I haven't done as much hands-on car hacking with newer cars, just as a matter of the way my career has changed.  I got into management and I don't do as much hands-on stuff as I should anymore.

CH: So we can’t say, “Kamel cut his teeth on Tesla Model 3s and now he’s hacking Cybertrucks”? [laughs]

KG: I mean, you could say I moved on to paperwork, but that's not so interesting. 

CH: No, that definitely doesn’t sound as cool. But you’re still poking at cars, just in different places?

KG: Yeah, I’ve lost my edge — although lately, I've been getting back into it and looking more at EV chargers and EV charging infrastructure as opposed to just the cars themselves. It’s all connected and there are vulnerabilities that go back and forth between them. 

CH: Let me ask this directly: How worried should drivers be that someone with malicious intent could develop the same hacking skills you have?

KG: There’s good news and there's bad news. The bad news is that there is a lot of damage that can be done through reverse engineering the software in these vehicles, finding vulnerabilities, and then developing exploits. And there are many different damage scenarios that you can put into effect as an attacker, like eavesdropping or taking pictures of someone's home, or stealing their contacts from the head unit.

The absolute worst-case scenario is that, God forbid, someone hacks a car, or multiple cars, and causes them to crash into a building, or commits an act of terrorism or an assassination, God forbid. These are theoretically very real possibilities. Practically very difficult, but still theoretical. But, I would say most criminals aren't interested in hurting people. A lot of cybercrime especially is done for financial gain. People want to make money. They're not as interested in hurting someone they don't know right now.

Kamel Ghali. Image: Recorded Future News

But the nature of the science that is cybersecurity is that people discover vulnerabilities in software and libraries and systems every day. They publish them, and we do our best to repair them. Cybersecurity operations are such a huge part of the automotive industry now because the industry is taking it very seriously. And the other piece of good news is that, to this day, there really has not been a lot of automotive cybercrime.

Now, to be fair, ransomware of a vehicle is a very real threat. When it becomes possible, it'll probably happen at least once, and it has potentially really severe consequences, as I'm sure you can imagine. What if all the ambulances or police cars in the city got ransomware, and couldn't drive unless you paid 200 bitcoin? But at least until now, there have been no confirmed reported incidents of a car being hacked to cause damage to someone's life or property. The examples of cyber crime, or the intelligent systems in vehicles being targeted, are mostly related to vehicle theft. Like the Kia Boyz – they're not interested in hurting someone. 

But the reality is that, yeah, these things are theoretically possible when you have a smart system that is connected to the world around it and is also connected to the safety-critical controls of your vehicle. That theoretical reality can never be ignored.

CH: We’ve heard safety advocates argue for stronger air gaps — clearer separations between safety-critical systems and the “fun stuff,” like your Bluetooth and touchscreen. Does that hold up in practice?

KG: I agree 100 percent. And I think that the change has been a little bit slow, it's taken some time, but over the last few years the automotive industry has come around to sharing that same sentiment.

If you think about traditional cybersecurity from an IT or enterprise perspective, network segmentation is one of the most fundamental security practices you can implement to mitigate the potential damage or the impact that any compromise can lead to. And when you think about things like zero trust, and making sure that even if something is compromised, you're able to limit the damage — the same principle exists of separating critical networks from those that are exposed to the outside. 

So, the infotainment system being the user-facing navigation system, with all the cool Bluetooth, WiFi, 4G wireless and cellular connected over the backend — you don't want that to be directly in contact with your brakes, or your steering wheel, or your throttle or your engine, right? So there's definitely a bit of urgency on that. 

The automotive cybersecurity industry is still very much new, but it is a lot better off than it was about 10 years ago, and you're starting to see that network segmentation of the in vehicle networks is now pretty much considered standard best practice for cybersecurity for vehicles. 

CH: Europe and Japan now require things like incident-response plans and software support for the life of a car. Are automakers leaning into these regulations, or resisting them?

KG: The automotive industry has really led the way in supporting legislation that makes it a legal requirement to perform cybersecurity testing, and for manufacturers to have what we call a cybersecurity management system. This is the organizational procedures that are in place for an organization to manage cybersecurity for their products throughout its entire lifecycle.

If you think about how long a car is in use for, being bought and sold by three, four different people – maybe it’s 10, 15 years? There's an expectation now that you have to be responsible for this vehicle's cybersecurity and updating its software.

And this will be different from country to country, based on the laws. But there are laws now that are saying automakers have to invest time and money into making this happen. In Europe and Japan, for example, these are enforced by law. In America, not yet, but we might get there someday. 

CH: How did you end up in this line of work, hacking cars in Japan?

KG: So in 2017, I actually wanted to be a doctor. I was studying Computer Engineering at the University of Michigan-Dearborn. My plan was to graduate, go to medical school, and then work in robotic prosthetics. And one day we had a new dean of the Computer and Electrical Engineering Department, and he held a get-together for the students to talk about his plans to change the curriculum, things about accreditation, all this stuff – kind of boring, not gonna lie – but they were giving away free pizza.  So I went. 

And I'm sitting there enjoying some cheese pizza in the front row, and the dean is talking about how graduates from our school go into work in all sorts of places around the world. And one of my underclassmen raises his hand, and says “Yeah, actually right now I'm interning with a company and they sent me to Japan.”

 I was studying Japanese as my minor, and I really wanted to be able to work in Japan in the future, so I turned around and said, “Hey, that sounds really cool.” And he tells me that he’s working for a startup specializing in cybersecurity for the automotive industry, making technology that helps prevent cars from being hacked.

My brain just kind of like exploded. I was like, what do you mean hacking cars? That doesn't make any sense. And then it all just kind of clicked. I was like, wait – that's horrifying! I was like, “Oh my goodness. What happens if the computer controlling the car gets hacked?”

 And I do some research and find out that a year and a half earlier, two dudes published some research in which they spent a year reverse engineering the different systems and technologies and wireless networks used in a Jeep Cherokee. And showed they were able to kill the engine on it remotely from a couple hundred kilometers away. That particular incident was basically ground zero for automotive cybersecurity. It was the turning point when they forced the public to pay attention, because it could have happened to someone.

It just blew my mind. And I was totally out of my depth, but I basically begged this company to give me an internship and they did. I had decided, yeah, med school is not happening. This is what I want to do. So, that year, I began volunteering at the Car Hacking Village at DEF CON, and it’s really thanks to that community and all the people I met there that I've stuck with it this long. If it wasn't this much fun, I wouldn't be doing it still.

CH: So you go looking for free pizza, and end up discovering automotive cybersecurity. That’s quite a pivot.

KG: I suspect the kid who got me that job was also there for the free pizza.