Startup Upstream Looks at Data Flows to Secure Connected Cars

A connected car is a vulnerable car, so understanding everything it’s connected to is crucial to preventing cyber attacks, an Israel-based security startup believes.

Upstream, founded two years ago, focuses on what happens outside the vehicle instead of onboard. By studying data that flows between cars, apps, services and data centers, it determines what’s normal and identifies aberrations that might signal attacks.

“The solution is not in the car, it’s in the data,” Upstream Vice President of Product Dan Sahar said at a Silicon Valley conference hosted by Western Automotive Journalists earlier this month. That data lives in several places, so Upstream monitors it and offers protection through software-as-a-service (SaaS). It doesn’t sell any hardware or software for use in a vehicle.

Today’s automotive security is in many ways a recipe for disaster, Sahar said. Onboard software has millions of lines of code to begin with, which raises the possibility of vulnerabilities, and connecting cars to outside services only increases the complexity and danger of attacks.

Automotive programmers also lag behind their counterparts coding enterprise and cloud software, he said.

“Things that on the IT side we’ve not seen for many years, we still see,” Sahar said, citing unencrypted data transfers as one example. In addition, vehicles stay on the road for years and are difficult to update. “Things are definitely improving, but you still have code in cars that is very old.”

To defend their cars, some automakers build hardware firewalls built into the vehicle, but that takes too long to keep up with a rapidly changing security landscape, he said.

The major threat isn’t from close-proximity cyber attacks — most hackers will want to act remotely over the Internet, especially to attack entire fleets or all cars of a certain model, Sahar said.

Most hackers will want to act remotely over the Internet, especially to attack entire fleets or all cars of a certain model, he said.

Convenience features offered through mobile apps, such as remote unlocking and ignition, might provide that opportunity. “If you can do it, a hacker can do it as well,” Sahar said.

Some automakers, such as Cadillac, already offer remote unlocking and starting through smartphones apps. It’s emerging as a way to make car rental easier, and several manufacturers are pushing for an industry standard for transferring digital keys to mobile devices. The standard may allow for biometric or passcode protection.

Upstream’s customers include car manufacturers and telematics service providers. Its cloud service monitors the network traffic to and from a set of cars to gauge how particular models, apps, services and carrier networks tend to behave. Based on this and knowledge about threats, the company provides the customer with an SaaS product to detect abnormal and suspicious behaviors.

Those may include communications that don’t make sense, such as remote commands sent to many cars simultaneously in the middle of the night. Hackers may also be able to implement features that are written into a car’s software but disabled because they’re illegal in a given country, such as a command to shut off the engine at high speed, Sahar said.

Building the service forced Upstream to create a “universal dictionary” for vehicle communications, because each automaker and service provider still has a proprietary language, he said.

The company doesn’t use any personally identifiable data such as vehicle identification numbers, he said. Information about a customer’s cars is kept by itself, but Upstream can make metadata available to different customers for the greater good, because several may use the same third-party components in their cars, Sahar said.

Editor’s NoteThis article was updated to clarify how attackers might target connected and autonomous vehicles.

— Stephen Lawson is a freelance writer based in San Francisco. Follow him on Twitter @sdlawsonmedia.

Leave a comment

Your email address will not be published. Required fields are marked *