If hackers infiltrate a government database, they might take somebody’s Social Security number. If they were to infiltrate a self-driving car, they might take a person’s life.
That idea is still very much an obstacle in the way of autonomous vehicles, even as manufacturers boast of improving technology and four-year deployment deadlines. It’s the subject of a legislative push in Congress, and it was a big sticking point in March when a Senate committee met with companies trying to develop self-driving cars.
But one startup thinks it’s found the solution.
Karamba Security, an American-Israeli startup, announced April 7 that it’s raised $2.5 million in seed funding from the private equity firms YL Ventures and GlenRock. The company’s approach is based on endpoint security, meaning its software is designed to prevent hackers from ever gaining access to a car’s computers.
Essentially, said Co-founder David Barzilai, the company’s software is built with a white list of acceptable code, and anything that isn’t on the list isn’t allowed to operate. Simple as that.
“We learn during the coding process of the electronic control unit [ECU] … we learn all of the valid objects and the valid software that can run on these ECUs,” Barzilai said.
So far, he said, the software has stood up to testing. Much in the spirit of white-hat hacking that’s exposed security vulnerabilities in several models of vehicles already on the road, Karamba tested its product on cars by asking people to try to get through it.
“We ask the customer to leave a door open to the ECU so hackers can hack through it,” he said. “And every time a hacker tries to do something that is not allowed, it is blocked by our software.”
The thing about automotive cybersecurity is that it’s only going to become more important as time goes on. Hacking into a car today might allow a hacker to turn on the windshield wipers or kill the engine. But there’s a whole industry materializing around the concept that in the future, cars will be connected to other cars and infrastructure, and will increasingly be capable of driving themselves. A hacker, then, could conceivably drive a car into a wall.
“Unfortunately we have this experience from the enterprise [network security industry], the more the enterprise became connected, the more you started to see an industry of hackers and malware,” Barzilai said. “Today on the Internet you can buy libraries we call the droppers … it’s sort of like software that allows you to exploit the vulnerabilities in software.”
But there is a key difference between network security and automotive security that Barzilai thinks will make it much easier to protect cars. Computers and networks generally need to be flexible in order to be valuable to their users, and that means frequent updates and tweaks. If cybersecurity software takes an endpoint-based approach, it often means users trying to make simple changes to their systems come up against frustrating, rigorous, multi-level authentication processes to make sure they aren’t hackers.
“The difference here is that in the car, the environment is far more static,” Barzilai said. “There are some changes, but they are in the realm of something you can accommodate.”
He doesn’t think new innovations in vehicle connectivity will change that, either. Though it’s entirely possible — likely, even — that new vehicle-to-vehicle and vehicle-to-infrastructure devices will gain popularity in the future, Barzilai said his company’s approach should still allow the vehicle to interface with those systems. That’s because the white list on which the software is based will learn about all things the car is capable of interfacing with.
And before the average car ever connects with them, Barzilai said it’s important to demonstrate to consumers that it’s safe to do so.
“If there are problems here, then the industry as a whole could suffer,” he said.
Barzilai said he expects the software to be ready for a full launch by the end of 2016.