Israeli startup says its new software would have prevented Tesla hack

Karamba raised another $2.5M in a series A1 funding round

Israeli startup Karamba Security today announced a new product for securing the electronic control units (ECUs) of connected and self-driving vehicles that it said could have prevented a recent Tesla hack.

Karamba's Carwall software uses a vehicle's factory software settings to discover noncompliant code in a car's ECUs and automatically creates security policies in real time to block the code.

Karamba also announced a $2.5 million second series funding round from venture capital firm Fontinalis Partners.

A modern car has dozens of computers, known as electronic control units (ECUs), with as much as 100 million lines of code. For every 1,000 lines of code, there are as many as 15 bugs that are potential doors for would-be hackers.

In real time, Carwall detects and prevents anything not explicitly allowed to load or run on an ECU, including in-memory attacks, according to David Barzilai, Karamba's executive chairman and co-founder.

Karamba claims its software leaves no room for the ambiguity that could result in false alarms or in a failure to detect and prevent attackers who try to exploit vulnerabilities and get into the car's network.

"With our autonomous security, when we learn the factory settings of ECUs, we also learn function sequence," Barzilai said.

For example, a sensor may detect an object in a roadway, which would begin a series of sub-second actions across a vehicle's bus that would result in the brakes being applied.

"When functions are called, we check them to ensure they're in the right sequence. If it's the wrong sequence, we know someone's manipulating the process," Barzilai said. "So we abort the process and the hack is wiped from memory."
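The function-sequence check described above can be illustrated with an allowlist of call transitions learned from known-good traces. This is an added example, not Karamba's code or design; the function names and traces are constructed, and treating "sequence" as direct call-to-call transitions is an assumed simplification.

```c
#include <stdio.h>
#include <string.h>

/* Function ids are constructed for this example, not taken from any real ECU. */
enum { F_SENSOR_READ, F_OBJECT_DETECT, F_BRAKE_REQUEST, F_BRAKE_APPLY, NFUNC };

typedef struct {
    unsigned char entry[NFUNC];          /* function may start a sequence */
    unsigned char allowed[NFUNC][NFUNC]; /* allowed[a][b]: b may directly follow a */
} policy_t;

static int valid(int f) { return f >= 0 && f < NFUNC; }

/* Learn the policy from one known-good trace recorded on factory firmware. */
void policy_learn(policy_t *p, const int *trace, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!valid(trace[i])) return;    /* refuse to learn from a malformed trace */
        if (i == 0) p->entry[trace[0]] = 1;
        else p->allowed[trace[i - 1]][trace[i]] = 1;
    }
}

/* Return -1 if the runtime trace conforms, else the index of the first bad call. */
int policy_check(const policy_t *p, const int *trace, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (!valid(trace[i])) return (int)i;   /* unknown function: default deny */
        if (i == 0 ? !p->entry[trace[0]] : !p->allowed[trace[i - 1]][trace[i]])
            return (int)i;                     /* transition never seen at the factory */
    }
    return -1;
}

/* Build the policy from constructed factory traces, then check a runtime trace. */
int check_against_factory(const int *runtime, size_t n) {
    static const int brake[] = { F_SENSOR_READ, F_OBJECT_DETECT, F_BRAKE_REQUEST, F_BRAKE_APPLY };
    static const int idle[]  = { F_SENSOR_READ, F_OBJECT_DETECT, F_SENSOR_READ };
    policy_t p;
    memset(&p, 0, sizeof p);
    policy_learn(&p, brake, 4);
    policy_learn(&p, idle, 3);
    return policy_check(&p, runtime, n);
}

int main(void) {
    const int ok[]  = { F_SENSOR_READ, F_OBJECT_DETECT, F_BRAKE_REQUEST, F_BRAKE_APPLY };
    const int bad[] = { F_SENSOR_READ, F_BRAKE_APPLY }; /* skips detection and request */
    printf("ok=%d bad=%d\n", check_against_factory(ok, 4), check_against_factory(bad, 2));
    return 0;
}
```

A deny-by-default policy like this only stays free of false alarms if the learned traces cover every legitimate path; any transition missing from the factory set is rejected.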

[Image: Karamba autonomous security chart. Credit: Navigant Research]

Last week, researchers from China's Keen Security Lab demonstrated what they said were multiple security vulnerabilities in a Tesla Model S that allowed them to remotely control the sedan in parking and driving mode. From up to 12 miles away, the security experts were able to wirelessly access the vehicle's systems through the controller area network (CAN) by using a web browser.

A vehicle's CAN enables various ECUs to communicate with each other. For example, a CAN would connect a vehicle's exterior cameras or sensors with the automatic braking system or the backup camera to the infotainment screen.

The Tesla hack, Barzilai said, was a form of "in-memory attack", a more sophisticated attack vector where hackers manipulate operations that only run in an ECU's memory.

In park mode, the Tesla's security holes allowed the researchers to open the vehicle's door and sunroof, adjust the seat positions, control the infotainment system and find destinations on the car's GPS. In driving mode, the researchers were able to control the windshield wipers, fold-in side mirrors, open the hatchback and engage the vehicle's brakes.

"We pwned Tesla Model S remotely (no physical contact) with a complex exploit chain," Keen Lab wrote on Twitter last week. "It is worth to note that we used an unmodified car with latest firmware."

[Image: Keen Security Lab, autonomous Tesla S. Credit: Keen Security Lab]

Researchers from Keen Security Lab demonstrated what they said were multiple security vulnerabilities in a Tesla Model S that allowed them to remotely control everything from the sunroof to the brakes. Here, the security experts show how they're able to lock out the vehicle's infotainment system.

Tesla CEO Elon Musk responded with his own tweet announcing his company had patched the security holes and the breach could only work if the car's driver was logged in to a "malicious hotspot and used a browser."

"No customers were hacked," Musk wrote.

Keen Lab shot back on Musk's comment thread: "Not agree the mal-hotspot part. If you agree, we can disclose now, and let community judge."

The Keen Lab hack occurred on the same day the Obama administration rolled out security policies for self-driving vehicles. The policies include a checklist for carmakers developing new models, as well as guidelines for states on regulating the new technologies.

According to Navigant Research, there will be 188 million connected vehicles with built-in telematics on roads by 2020. By 2025, completely autonomous cars will account for 15% of all cars shipped globally each year, and 70% of all shipped cars will have level 2 or higher autonomous capability.

Gartner predicts that 220 million connected vehicles will be on the roads by 2020.

[Image: ADAS, self-driving and autonomous cars. Credit: ABI Research]

Securing vehicles from cyberattacks is becoming a big business.

Along with Karamba, a flurry of companies have sprung up in Israel, including Argus Cyber Security and TowerSec. But not every company is taking the same approach to securing vehicles.

For example, Argus offers an intrusion detection and prevention module that ties into a vehicle's CAN. TowerSec offers software that is embedded in existing ECUs.

Karamba's previous software used heuristic scanning of a vehicle's data traffic, rather than the traditional antivirus approach, where it's looking for virus signatures, according to Sam Abuelsamid, an analyst with Navigant Research.

The new software not only relies on knowledge of a manufacturer's factory settings but also focuses on systems open to external, wireless attacks, such as a vehicle's telematics or global positioning system (GPS).

"When hackers look for ways to hack into cars, their only way through is one of the externally connected controllers," Barzilai said. "Our software allows an ECU to detect the hack itself locally, and it's not dependent on the cloud."


Lucas Mearian

Computerworld (US)