Karamba brings cybersecurity to the automotive market for connected cars  

White hat hackers proved that it's possible to attack a car in motion. Karamba Security has an embedded security solution that prevents tampering

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

If you happen to be driving around California roads this summer, don't be surprised if a car with no driver pulls up next to you at an intersection. Google expects to be road-testing its prototype of a driverless car soon. If all goes well with this and other tests, BI Intelligence believes there could be 10 million cars with self-driving features on our roads by 2020.

Fully autonomous cars – those that don't need any interaction at all from a driver, like Google's – still seem futuristic to most of us, but there are plenty of semi-autonomous cars sharing our roads today. This latter category includes all sorts of features to increase safety and convenience, everything from lane-keeping assist systems designed to keep a car in an open lane, to adaptive cruise control that matches the car's speed to that of the vehicle ahead,

automatic braking systems to slow or stop the car as conditions dictate, and parking assist to do that tricky parallel parking task.

We typically think of these features being in expensive high-end cars, and they are, but Honda is offering a connected car with some self-driving capabilities for about $20,000. Soon these features will be commonplace.

Whether a car is fully or semi-autonomous, it must have connectivity to information (called informatics in the automotive industry) outside of the vehicle itself. For example, a car would need a GPS and access to satellite data in order to direct itself from Point A to Point B. These types of cars are also loaded with cameras to observe other vehicles and obstacles around them, as well as computers to process all the informatics and make decisions for the car.

The in-car computers are known as electronic control units, or ECUs. An ECU is typically responsible for a very limited set of functionalities. These controllers manage the telematics (sensors, instrumentation, navigation, etc.), infotainment (radio, head unit, etc.) and on-board diagnostics (OBD) of the vehicle. An ECU includes an operating system and the software necessary to control the unit's specific functionality. All of the ECUs are connected via the car's Controller Area Network (CAN) Bus.

Some ECUs can be accessed externally so the vehicle can receive external data. Essentially they are part of the Internet of Things. This puts them at risk for hacking and malicious behavior. White hat hackers have already proven they can get into a vehicle's CAN Bus via the infotainment system.

Last year, Charlie Miller and Chris Valasek wanted to prove a point: that vehicles' electronic systems are vulnerable to hacking. While Andy Greenberg, a writer with WIRED magazine, was driving a Jeep at highway speeds, Miller and Valasek sent commends to the car wirelessly over the Internet through the on-board infotainment system. From there the external commands directed other embedded systems to turn on the air conditioning, fuss with the radio settings, turn on the windshield wipers, and worst of all, apply the brakes while Greenberg was driving 70 miles per hour, bringing the car to a complete stop on a highway.

This demonstration was enough to provoke Fiat Chrysler to issue a safety recall for 1.4 million U.S. cars and trucks. The recall involved a software update to patch the vulnerability.

The FBI’s recent warning has highlighted the cybersecurity risks of the increasingly connected car. Analysts estimate that 20% of vehicles sold worldwide in 2015 included some form of embedded connectivity. Gartner predicts that by 2020 the number of connected cars sold globally will be 250 million. Something must be done to close the vulnerabilities to ensure the safety of vehicle operation.

Karamba Security is a new company aiming to protect the connected car. Karamba is co-founded, in part, by cybersecurity experts that managed Check Point Software Technologies’ endpoint security research and development teams. Their expertise is helping Karamba develop solutions to harden the connected ECUs within automobiles to protect them from cyber attacks and ensure the car’s safe, ongoing operations. 

With Karamba, automotive companies can embed security detection and enforcement capabilities directly on the ECU to ensure only explicitly allowed code and applications can be loaded and run on the controller. The ECUs expect certain protocols and certain behaviors, so if any foreign code attempts to enter from the outside – regardless of how it enters: via the internet, USB drive, service port, etc. – Karamba says it can block it. This prevents an attack from infiltrating the car’s CAN Bus.

Karamba sells its solution to the Tier 1 system suppliers that provide self-contained systems to the auto manufacturers; systems such as telematics, airbags and infotainment. This solution can also be retrofitted into vehicles that are already on the road. Automobile manufacturers can retrofit the cars on the road now, as part of the ECU software update, whenever the car comes into the dealer for regular maintenance.

Done right, the average car buyer would never know the Karamba protection is there. But knowing what could happen if the ECUs are left unprotected, people might be hesitant to share the road with connected cars, whether they are self-driving or not.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Related:
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.