When any hacker with a laptop and coding skills could potentially hack into a car and control the steering wheel, brakes, and acceleration – it’s cause for alarm.
All systems in a car that are connected to an external network – such as GPS or infotainment – represent a security risk. With 90 percent of cars predicted to become connected by 2020, according to a report by Ernst & Young, the need for advanced protection is more pressing than ever.
Karamba Security, an Israeli startup, says it has the solution. The company prevents hackers from accessing a car’s control system using a software that seals off the most critical Electronic Control Units (ECUs) in the car. Any attempt to access the ECUs that does not align with the car’s original factory settings is blocked.
Earlier this year, the company announced a partnership with VEDECOM, which will make Karamba Security one of the first cyber-security companies to integrate technology into commercially available autonomous cars. The cars are due to be released in 2017 and 2018 in France, Germany, Italy, Portugal, and the Netherlands. In the meantime, Karamba’s patent-pending technology is being tested by 17 automotive companies.
A connected car is essentially a network of electronic control units – one car can have anywhere between 50 to 150 ECUs. They manage elements such as the infotainment system, the engine, windows and doors, and are connected to each other as part of the Controller Area Network (CAN). While it’s convenient to have everything managed by computers, it leaves the cars open to threats: a hacker only needs to breach one attack surface, like the infotainment system, and they can access the entire network.
Most cyber-security companies, such as Palo Alto Networks and Check Point, specialize in network security. They monitor the internal network, sending security patches through the cloud when they detect a breach, and they learn from previous hacks to make the network more secure. Karamba Security, however, focuses on endpoint security: it protects the ECUs, which serve as access points to the internal network.
Karamba Security’s founders were motivated to enter the industry when they discovered the flaws of using network security in the automotive industry. If the car loses connection briefly – when it drives through a tunnel, for example – it cannot send data or receive security patches. More importantly, trying to patch up each attack and learn from what hackers have done in the past leaves room for false positives. In cars, false positives are dangerous; you can’t afford to stop the brakes from functioning if the legitimate brake command is interpreted as a threat.
“Direct risk to people’s lives”
“In the enterprise, you can lose the whole database, but you still go home at 6 pm,” Karamba’s CEO Ami Dotan tells NoCamels. “Not so in the car. One mistake, one false positive – when an airbag needs to be operated or brakes need to be activated and it doesn’t happen – that’s a direct risk to people’s lives,” reveals Dotan.
By preventing anything that deviates from factory settings from accessing the ECUs, Karamba Security doesn’t require connectivity and claims to produce zero false positives.
The risk of connectivity
The risk related to connected cars is significant, and often underestimated. Cars have about 100 million lines of code powering the ECUs, according to a report by McKinsey & Co. In every 1,600-1,800 lines, there is an embedded bug, 8 percent of which are security vulnerabilities, Dotan explains. Even one of these security vulnerabilities would be cause for a recall.
The case of the recent Jeep Cherokee hack is an apt example. By exploiting a vulnerability in the car model, two hackers were able to control the accelerator, brakes, and steering; the discovery led to the recall of 1.4 million cars.
Other companies, such as the Israeli cyber-security company Argus, are now beginning to focus on securing ECUs. Karamba Security, however, claims to have the advantage of a head start.
Securing the future
Founded in 2015, the company has so far raised $17 million in three investment rounds, from Fontinalis Partners, GlenRock Israel, Liberty Mutual Strategic Ventures, Paladin Capital Group, Presidio Ventures, and YL Ventures. The budding startups employs 25 people in Israel, the US, and Europe. The founding team – consisting of Dotan, Tal Ben David, Assaf Harel, and David Barzilai – has decades of experience in cyber-security, venture capital, and business development.
Fortunately, the scenario of fleets of cars being attacked and controlled by hackers has not yet become a reality; with Karamba Security’s solution, we might manage to avoid this dystopian risk.