Communications Daily is a service of Warren Communications News.
'Network on Wheels'

Software Company Launches Car Cybersecurity Software Based on Factory Settings

With cybersecurity a growing threat to both connected and autonomous vehicles, Karamba Security announced security software for the connected car Tuesday that “seals” a vehicle’s electronic control units (ECUs) by automatically creating security policies based on factory settings. Karamba’s Carwall detects and prevents anything not explicitly allowed to load or run on an ECU in real time, including in-memory attacks, said the company. The software enables car manufacturers to “immediately address security bugs in existing or new code and eliminate an attacker’s way into a connected car,” said CEO Ami Dotan.

Connected vehicles link to the internet in three ways: through (1) an infotainment system via a wireless network, (2) a GPS system or (3) a diagnostic port, Executive Chairman David Barzilai told us in a phone interview. “Every hack starts with the hacker looking for a security bug in the software of the system,” said Barzilai. The hacker exploits the bug “to penetrate into the system and then take action,” which could be controlling brakes, airbags or the engine, he said. Barzilai described a car as a “significant network on wheels” made up of more than 100 ECUs. “If I get a foothold onto one of those ECUs, all the others are open to me … and I can manipulate them to do what I want.”

Barzilai attributed coding bugs to “human error,” saying for every 1,600 lines of code, there’s a bug, and 8 percent of those are security bugs. “The hackers know that and all they do is look for those mistakes,” which they exploit and hack, he said. Cars have “enormous amounts” of coding, he said, comparing a Ford GT mid-size car with 10 million lines of code to an F-22 fighter jet with 2 million lines of code. A premium car, such as the Mercedes-Benz C-Class, can have 100 million lines, he said. Cars on the road today have between “hundreds and thousands” of vulnerable security bugs. “It’s a question of time” before they're exposed, he said.

Carwall is complementary to other security systems for vehicles, said Barzilai. Solutions such as TowerSec, owned by Harman, are on the car’s network where they look for anomalies in the data traffic pattern “after the fact,” said Barzilai. “We catch them when they try to hack because we are on the gate to the car,” he said, comparing the software to a bouncer at a bar that can block those with malicious intent from entering. “You also need to have someone behind us in case that they came to the pub through the window and not the gate,” he said. “It’s not one instead of the other,” he said of the two types of solutions.

Security models that are based on deviations from statistics can produce “false positives,” said Barzilai. That makes them useful for detecting issues but not for preventing them, because prevention could lead to blocking data traffic that’s actually safe, he said. “If they think a command to open an airbag is malicious, they’re going to block it,” he said, citing a 5 percent false positive rate. With Carwall’s solution, “either you’re part of the factory settings, or you’re not,” he said. “We have no false positives.”

Carwall revenue comes from licensing fees to tier one software providers that sell to OEMs, from “negligible” royalties per ECU and from fees for detection and alerts, said Barzilai. “It takes months” to find a software bug and exploit it, he said. Carwall “sees” all the attempts in real time, he said. “We see abnormal action coming from somewhere and we tell you so you know you can close the loop,” he said of OEMs. On whether those costs would be passed on to consumers, Barzilai played down that business model and said the mission is for car owners not to know about the technology inside. “Our goal is to secure the car in a way that nobody knows,” he said.