Security bugs in the connected vehicle
In A hacker’s guide to fixing automotive cybersecurity, Charlie Miller puts in perspective which cyber security challenges exist for the automotive industry. The article’s conclusion is that all software -even the most reliable- contains security bugs. Even the ones coming from software mammoths such as Microsoft, Google and Apple. The ramifications of these vulnerabilities in cars, evidently, can be severe.
Charlie proposes adding components to the CAN bus behaving as firewalls to filter traffic between car (Electronic Control Units (ECUs). Or adding authentication or encryption layers on top of the CAN bus protocol. The drawback to these type of solutions is that they require redesigning the way vehicle ECUs communicate with each other, either structurally or architecturally.
We agree with Charlie, but we’ll add one more important point: fixing the problem in cars is complex. Many components in cars cannot be interchanged – adding further to the security practitioner’s dilemma. Furthermore, All the proposed solutions are based on a heuristic approach (which are prone to false positives and false negatives) and what it takes to solve this problem is a deterministic approach.
What is the Karamba solution to this dilemma?
Karamba Security’s software Carwall® automatically hardens the ECU (Electronic Control Units) according to its factory settings, and verifies its operations in runtime. Should an operation not comply with factory settings it indicates that a hacker is trying to exploit a security bug, which is deterministically blocked by Carwall.
Moreover, as Carwall is embedded within the ECU’s software, it does not only block attack attempts, but also reports detailed forensic information on the processes and functions being attacked.
In fact, the benefit of Karamba Security’s approach is that not only hackers are blocked outside of the car, they are giving away their knowledge on current vulnerabilities, allowing Karamba to prevent the attack attempts and to give a full report to carmakers on what to fix in their software.
Same Observation Opposite Conclusions
While Karamba Security agrees that vulnerabilities will always be in any code. Current heuristic ideas will not solve the issue at hand. So, Karamba Security Autonomous software takes advantage of the fact that vehicle ECUs are not user changeable. This advantage allows to harden the ECUs according to factory settings, providing “zero day” protection against hackers attempts to exploit the inevitable security bugs.