The more advanced technology the auto industry stuffs into a vehicle, the more opportunities hackers have to cause harmful mayhem by remotely taking control.
The risk becomes especially acute with autonomous vehicles where computers run the entire show. But one cybersecurity company believes it has a way to foil hackers using technology it claims is more effective than current methods.
“Autonomous vehicles are becoming quite a monster of software,” said Karamba Security Executive Chairman and co-founder David Barzilai in a phone interview.
How big a monster? Autonomous vehicles contain between 300 million and 500 million lines of software code, compared with 15 million in a Boeing 787 Dreamliner commercial jet and 100 million in a premium car such as a Mercedes C-class, said Barzilai.
“As rich as the autonomous vehicle is in terms of software and features it’s also quite rich in terms of the number of security vulnerabilities and as such it can be hacked in order to take control of the vehicle or fleets of vehicles,” he said.
In effect, said Barzilai, automakers are treating vehicles as “data centers,” sending security updates over the air, which aggressive hackers are able to defeat.
Instead, Karamba, with offices in the U.S., Israel and Germany, is creating what it calls the “self defending car” by building security into a vehicle’s electronic control unit, or ECU. Instead of relying on periodic security updates, Karamba’s system causes the vehicle to reject commands that do not match software code built into it by the automaker.
“Any change to factory settings not delivered by the automaker would be practically detected,” said Barzilai. It also provides a level of confidence, the lack of which he claims is a flaw in other cybersecurity systems, explaining, “the problem with such solutions is that statistics are not always right. Sometimes you get an anomaly that reflects the legitimate configuration leading to false positives, false alerts.”
In other words, hackers are able to fool some cybersecurity systems into processing their commands as legitimate.
“Such false positives or false alerts could risk our lives,” warns Barzilai. “Users would not get alerts they’re entitled to receive.”
He said the Karamba system will go into production at the end of 2021, but he is not yet able to reveal which automakers will use it.
The most dramatic demonstration of just how vulnerable a vehicle can be to a cyberattack was revealed in a 2015 story in Wired magazine, which hired two hackers to take control of a Jeep Cherokee while a reporter was behind the wheel. The hackers remotely took control of the Cherokee’s air conditioning, windshield wipers, and transmission.
But Barzilai points to actual cyberattacks, such as one in China where a small fleet of trucks was caused to stall by hackers who relinquished control only after the company paid a ransom.
“We do not have to wait for autonomy in order to be vulnerable,” he said.
Barzilai says his company has analyzed many such cyberattacks, applying the Karamba system, and claims “we would prevent all of them.”
A group of automakers, along with the Society of Automotive Engineers, has established the Automated Vehicle Safety Consortium (AVSC) to look into this very issue as the industry steps up development of so-called Level 4 and Level 5 self-driving vehicles.
Joining the SAE in the consortium are General Motors Corp., Ford Motor Co. and Toyota Motor Corporation. Still in its early stages, the AVSC is involved not only with developing a set of safety principles for Level 4 and 5 autonomous vehicles, but also with “data collection, protection and sharing required to reconstruct certain events,” according to its website.
The truth, however, is hackers determined to defeat a cybersecurity system will often find ways to do so, making it extremely difficult to create a vehicle completely invulnerable to such attacks.
Difficult but not impossible, said Barzilai, who advised, “because hacking requires effort, time and money invested, what you need to do is raise the bar to your device much more complicated than your peer group.”