Carmakers Must Stack Cyber-Security in Their Favor, Says Karamba

Cyber threats are one of the biggest dangers of connected and self-driving vehicles.

The now-infamous Jeep hack revealed vulnerabilities that most, not even Fiat Chrysler Automobiles (FCA), knew existed. They were discovered by white hat hackers, who informed the automaker of the problem before something more nefarious occurred.

Regardless, the fear of a more malicious hack remains and it is likely to intensify in the years ahead as cars become more autonomous. “With AVs, there is no man in the middle,” said Ami Dotan, co-founder and CEO of Karamba Security. “At Level 4, the car is already driving and can be hacked and literally taken for a ride. That is the biggest fear. When that happens, what do you do?”

Dotan is a firm believer that if a car’s factory settings are sealed, it will be possible to detect any attempt before an attack actually occurs. That’s Karamba’s strategy for stopping attacks but, with hackers eager to break any and all barriers, automakers must stay vigilant. “Incentive-wise, it’s people who really want to cause harm, the other is people who want to make money,” said Dotan, referencing ransomware. He also warned that buffer overflow attacks, which bombard memory with too much data and are common in many devices, could become a problem for automobiles.

“That’s the biggest headache for everyone in the industry,” he explained. “Why? Because the hackers found a way. This is where they get into the memory stack and alter what we call ‘calling graph’ or ‘commands order and sequence’. It is common, and it’s not just automotive. Everybody is worried about it. Mobile phones, airplanes, robotics, medical devices – it can affect any critical system. They are all more susceptible, vulnerable, because it’s very difficult to protect against.”

Another threat could come when drivers upgrade their vehicles via software. Dotan speculated that automakers might offer horsepower improvements and other enhancements for a fee. In doing so, consumers would likely download the upgrade, just as they would an app on a phone.

“You need to make sure all these updates, for the sake of upgrade, are secure and safe,” Dotan insisted. “It’s more than just autonomous vehicles. We believe TaaS, transportation as a service, is going to be a majority part in the next decade – a majority part where automakers will start selling services instead of selling parts. Fewer cars will be produced but the car will return on investment for many years to come on the same infrastructure.”

The cars of tomorrow will remain in operation for several years, probably across several owners or ride-sharers. Unlike PCs and smartphones, which can force upgrades by slowly decreasing their security updates, automobiles will need to remain secure for many years, even decades, after they’re produced. This is going to present a host of other challenges as automakers attempt to stay ahead of everything hackers can throw at them long after a vehicle has run its course.

Overall, Dotan is pleased with the auto industry’s response to cyber-security. He said that most industry players, particularly US automakers, have hired experts after realizing the importance of cyber-security. That may not be true for all of the Tier 1s, however. “Some believe they have their own in-house capabilities,” said Dotan. “We find it hard to see how an infotainment or V2X company, with their particular expertise, also have expertise in cyber-security. It would be like us attempting to do an IVI system when we started out with cyber-security. So it’s somewhat disappointing when their approach is, ‘We think we can handle it’ and there are those who say, ‘We’ll do detection only and we are in the learning stage’.”

Despite that, Dotan stressed that the “majority of automakers are very much aware and even doing a better job than just following the better practices advocated by NHTSA”. He has even seen automakers improve their specs to meet new cyber-security requirements before handing them off to a supplier. “They understand the full implications and they look at it over lifecycle cost, liability, safety,” he said. “That’s encouraging. The automotive industry is known to be slow-moving. I think we see a little bit faster pace with some.”

If there’s one bit of advice Dotan would like to give automakers, it’s the necessity to develop cars with security in mind – not just from the point of assembly but from day one. Without this mentality, automakers run the risk of falling behind as malicious threat actors attempt to find every exploit imaginable. At the very least they could become more vulnerable as hackers target the low-hanging fruit over automakers that might be more difficult to breach.

“It’s always going to be a cat and mouse chase,” said Dotan. “‘Oh, we found a vulnerability, let’s patch it’ – that strategy cannot sustain 80 million new cars every year with 1.2 billion cars roaming the roads.”

Leave a comment

Your email address will not be published. Required fields are marked *