With cars becoming more connected and autonomous, cybersecurity is a constant worry for automakers. They dread the likelihood of intrusions into the connected car from hackers, terrorists, extortionists, and thieves (see “Your Future Self-Driving Car Will Be Way More Hackable”)—not to mention the random 12-year-old with mischief in mind.
Apprehensions about automotive cybersecurity came to a head when a pair of white-hat hackers broke into a Jeep Cherokee in 2015, leading to the recall of 1.4 million vehicles by Chrysler Fiat to fix a software bug in the Uconnect infotainment system (see “Carmakers Accelerate Security Efforts after Hacking Stunts”).
Cars represent a fundamentally different sort of security challenge from laptops, servers, or mobile phones, in which corruption or theft of data is the hacker’s objective. A cyber-attack on a moving vehicle may create a deadly safety hazard, and conventional antihacking software could be too slow or ineffective to avert an incident.
“Dealing with consumer safety, and not just with data security, requires different security methods to protect our cars, in contrast to technologies that protect servers and enterprise networks,” says David Barzilai, executive chairman and cofounder of Karamba Security, a two-year-old startup based in Hod HaSharon, Israel, with an office in metropolitan Detroit.
“Using machine learning and artificial intelligence to identify malware after hackers infiltrate the car is too late,” he says. “The approach must be to prevent an attack when hackers attempt to hack.”
The field of automotive cybersecurity is small but expanding rapidly as new threats are discovered to emerging technologies such as vehicle-to-vehicle wireless communication. Harman International, maker of the Uconnect system in the hacked Jeep, acquired TowerSec, an Israeli cybersecurity firm, in early 2016. Argus Cyber Security, another Israeli competitor, recently discovered and demonstrated a way to penetrate a car’s electronics with a “dongle,” an innocent-looking piece of hardware resembling a flash drive that operates software via a car’s USB or other port. Tesla and Fiat Chrysler both offer monetary “bug bounty” rewards for hobbyists and amateur hackers who find and report software vulnerabilities.
Given the skill, motivation, and creativity of hackers, it is unclear that any one approach can comprehensively block their entry to a vehicle’s electronic architecture. “Vulnerabilities will be inadvertently designed into systems,” says Sam Abuelsamid, a senior analyst for Navigant, a marketing research firm based in Boulder, Colorado.
A premium car may come equipped with a hundred or more electronic control units, or ECUs (in actuality, small computers), connected to one another as part of the vehicle’s electronic architecture. Only a handful, such as the infotainment system and the remote keyless entry, are connected wirelessly to the outside world, offering openings for attackers. Karamba focuses on blocking intrusion at these points, as one critical layer of a larger security design.
Karamba’s antihacking software is embedded in an ECU when it is manufactured, so it is incorporated into the device’s factory settings and not subject to change. Its role is to block spurious code at the point of intrusion, sealing the ECU and denying entry to any code that does not comply explicitly with the factory settings.
Using software monitoring programs to find and destroy malware, Barzilai maintains, is too slow and requires constant updates by developers; that can promote an arms race with hackers, who try to outwit security programs as they grow more sophisticated. Such programs can also generate false positives, he says, which are dangerous in cars because they may impede safe operation.
Glen De Vos, chief technical officer for the automotive parts maker Delphi Automotive, says that layers of security beyond what Karamba is proposing will become necessary as cars develop more connected properties, including autonomous driving, and therefore transmit more data wirelessly both to the cloud and to one another.
“You have to think of the car like you think of an Xbox or PlayStation or a mobile phone,” De Vos says. “You have software and data that are resident on the device, but also in the cloud. Increasingly, we have to think beyond the sheet metal to the entire enterprise. What Karamba does is an important component, but it’s not the whole thing.”
Karamba’s four founders are all veterans of Israel’s high-tech electronics and software industry, and two of them served in the Israel Defense Forces’ 8200, a renowned intelligence unit specializing in cyberwarfare that has a long list of startup founders among its alumni.
The company was founded after Ami Dotan, now its chief executive officer and a former vice president of R&D for a leading Israeli defense contractor, learned in a casual conversation that an automotive supplier had recently lost a contract for a vehicle infotainment system because of inadequate protection against cyber-attack. Astonished that cars weren’t already better protected, Dotan contacted Barzilai to suggest a startup.
Because automotive cybersecurity is relatively new field of specialization, Karamba thinks there is room to make its software part of the electronic architecture for vehicles that are in development or yet to be designed. This May, the company announced $12 million in Series B funding, bringing the total amount invested to $17 million. Among investors is Fontinalis Partners, cofounded by Bill Ford Jr., the executive chairman of Ford Motor. Karamba says it has had 16 “engagements” with suppliers and automakers in the past year, but so far it has yet to announce a contract.