Israeli startup Karamba Security today announced a new product for securing the electronic control units (ECUs) of connected and self-driving vehicles that it said could have prevented a recent Tesla hack.
Karamba's Carwall software uses a vehicle's factory software settings to discover noncompliant code in a car's ECUs and automatically creates security policies in real time to block the code.
Karamba also announced a $2.5 million second series funding round from venture capital firm Fontinalis Partners.
A modern car has dozens of computers, known as electronic control units (ECUs), with as much as 100 million lines of code. For every 1,000 lines of code, there are as many as 15 bugs that are potential doors for would-be hackers.
In real time, Carwall detects and prevents anything not explicitly allowed to load or run on an ECU, including in-memory attacks, according to David Barzilai, Karamba's executive chairman and co-founder.
Karamba claims its software leaves no room for ambiguity that could result in false alarms or in a failure to detect and prevent attackers who try to exploit vulnerabilities and get into the car's network.
"With our autonomous security, when we learn the factory settings of ECUs, we also learn function sequence," Barzilai said.
For example, a sensor may detect an object in a roadway, which would begin a series of sub-second actions across a vehicle's bus that would result in the brakes being applied.
"When functions are called, we check them to ensure they're in the right sequence. If it's the wrong sequence, we know someone's manipulating the process," Barzilai said. "So we abort the process and the hack is wiped from memory."
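A simplified illustration of the call-sequence checking described above, added here as an example; it is not Karamba's code, and the function names and traces are constructed around the braking scenario. It learns which call may follow which from a known-good trace and denies every transition it did not learn.

```c
#include <stdio.h>

/* Hypothetical function IDs for the braking sequence (constructed names). */
enum fn { FN_START, FN_DETECT, FN_CLASSIFY, FN_COMPUTE_BRAKE, FN_APPLY_BRAKE, FN_COUNT };

/* allowed[a][b] != 0 means "b may be called directly after a". */
struct policy { unsigned char allowed[FN_COUNT][FN_COUNT]; };

/* Constructed call trace standing in for the known-good factory build. */
static const enum fn FACTORY_TRACE[] = { FN_DETECT, FN_CLASSIFY, FN_COMPUTE_BRAKE,
    FN_APPLY_BRAKE, FN_DETECT, FN_CLASSIFY, FN_DETECT };
/* Constructed trace where braking is reached without the intermediate steps. */
static const enum fn TAMPERED_TRACE[] = { FN_DETECT, FN_APPLY_BRAKE };

static int valid(enum fn f) { return f > FN_START && f < FN_COUNT; }

/* Learn phase: record every transition seen in the factory trace. */
void policy_learn(struct policy *p, const enum fn *trace, size_t n) {
    enum fn prev = FN_START;
    for (size_t i = 0; i < n; i++) {
        if (!valid(trace[i])) continue;   /* ignore IDs outside the known set */
        p->allowed[prev][trace[i]] = 1;
        prev = trace[i];
    }
}

/* Enforce phase: -1 if every call follows a learned transition, otherwise the
 * index of the first call to block. Anything not learned is denied. */
long policy_check(const struct policy *p, const enum fn *trace, size_t n) {
    enum fn prev = FN_START;
    for (size_t i = 0; i < n; i++) {
        if (!valid(trace[i]) || !p->allowed[prev][trace[i]]) return (long)i;
        prev = trace[i];
    }
    return -1;
}

/* Learn from FACTORY_TRACE, then check the given trace against that policy. */
long check_against_factory(const enum fn *trace, size_t n) {
    struct policy p = { 0 };
    policy_learn(&p, FACTORY_TRACE, sizeof FACTORY_TRACE / sizeof FACTORY_TRACE[0]);
    return policy_check(&p, trace, n);
}

int main(void) {
    printf("factory:  %ld\n", check_against_factory(FACTORY_TRACE, 7));
    printf("tampered: %ld\n", check_against_factory(TAMPERED_TRACE, 2));
    return 0;
}
```

Because the decision is a table lookup on learned transitions, the same trace always produces the same verdict, which is the sense in which such a check is deterministic.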
Last week, researchers from China's Keen Security Lab demonstrated what they said were multiple security vulnerabilities in a Tesla Model S that allowed them to remotely control the sedan in parking and driving mode. From up to 12 miles away, the security experts were able to wirelessly access the vehicle's systems through the controller area network (CAN) by using a web browser.
A vehicle's CAN enables various ECUs to communicate with each other. For example, a CAN would connect a vehicle's exterior cameras or sensors with the automatic braking system or the backup camera to the infotainment screen.
The Tesla hack, Barzilai said, was a form of "in-memory attack", a more sophisticated attack vector where hackers manipulate operations that only run in an ECU's memory.
In park mode, the Tesla's security holes allowed the researchers to open the vehicle's door and sunroof, adjust the seat positions, control the infotainment system and find destinations on the car's GPS. In driving mode, the researchers were able to control the windshield wipers, fold in the side mirrors, open the hatchback and engage the vehicle's brakes.
"We pwned Tesla Model S remotely (no physical contact) with a complex exploit chain," Keen Lab wrote on Twitter last week. "It is worth to note that we used an unmodified car with latest firmware."
Tesla CEO Elon Musk responded with his own tweet announcing his company had patched the security holes and the breach could only work if the car's driver was logged in to a "malicious hotspot and used a browser."
"No customers were hacked," Musk wrote.
Keen Lab shot back on Musk's comment thread: "Not agree the mal-hotspot part. If you agree, we can disclose now, and let community judge."
The Keen Lab hack occurred on the same day the Obama administration rolled out security policies for self-driving vehicles. The policies include a checklist for carmakers developing new models, as well as guidelines for states on regulating the new technologies.
According to Navigant Research, there will be 188 million connected vehicles with built-in telematics on roads by 2020. By 2025, completely autonomous cars will account for 15% of all cars shipped globally each year, and 70% of all shipped cars will have level 2 or higher autonomous capability.
Gartner predicts that 220 million connected vehicles will be on the roads by 2020.
Securing vehicles from cyberattacks is becoming a big business.
For example, Argus offers an intrusion detection and prevention module that ties into a vehicle's CAN. TowerSec offers software that is embedded in existing ECUs.
Barzilai said the main difference between the first version of Karamba's software and its new product is the in-memory protection.
"It doesn’t just create... a white list of all legitimate binaries that can run on the ECU. It also maps all legitimate function calling sequences and checks in runtime if functions are called correctly," he said in an email to Computerworld. "Both mechanisms are deterministic. The latter is – as far as we know – the industry-only solution that protects against in-memory attacks."