Risk of hacking a car is much higher than a cell phone, Karamba Security says

David Barzilai is Karamba Security VP for sales and marketing. Credit: Karamba Security

Vehicle cybersecurity is increasingly at stake as cars become connected. Karamba Security, an Israel-based startup, offers end-to-end solutions covering product security from design to vulnerability management. The company has secured investments from and partnerships with multiple Asian enterprises and is looking for more opportunities in Southeast Asia.

Karamba was founded in 2016 by Ami Dotan, David Barzilai, Tal Ben-David and Assaf Harel. Besides the automotive and electric vehicle (EV) industry, the startup’s software supports enterprise edge and consumer IoT.

Barzilai, Karamba’s VP for sales and marketing, said the risk of hacking a car is much higher than a cell phone or server security breach because it potentially affects lives and can create colossal damage to society.

At a time when EV adoption is growing and autonomous vehicle (AV) development is picking up momentum, whether OEMs and their suppliers correctly handle cybersecurity issues has become more vital. However, Barzilai said OEMs, such as Tesla, use the same mindset as cell phone manufacturers when dealing with automotive cybersecurity.

For example, a 19-year-old German security researcher revealed in January that he hacked more than 25 Teslas in 15 countries through TeslaMate, a third-party data logger. According to Business Insider, the researcher was able to unlock the car doors and windows remotely and even access the keyless driving feature.

Barzilai said that while the vulnerability was found in the third-party application, Tesla was also responsible for the issue. The company exposed its car’s API to third-party application developers and enabled low-quality, high-risk third-party applications, similar to the mobile phone ecosystem. As a result, the vehicles were exposed to cyber attacks. He said OEMs must verify the security quality of third-party applications before approving them to be offered to end customers.

As for an EV’s weak points, the onboard charger and battery management systems are highly exposed to hacks. Barzilai said an onboard charger is vulnerable because it is open to communication with a Wi-Fi connection. It is also very close to the batteries, enabling hackers to control the EV’s speed and bring it to a halt remotely.

Deterministic solutions for single-purpose devices

According to Barzilai, the automotive industry tends to rely on legacy hardware and software libraries. This strategy reduces the need for change and is less likely to affect business plans or profitability. Therefore, Karamba’s business started by enabling OEMs and suppliers to protect their vehicles and devices without affecting the R&D process and the supply chain, both of which are costly to change.

Over the years, the company has developed an end-to-end portfolio of products and services that begins with analyzing product specifications for cyber exposure and continues with penetration testing and vulnerability management.

Barzilai said Karamba utilizes deterministic algorithms to extract and decode binaries from software to understand what a device does.

“You can put checkpoints to make sure that if the device does not behave as it should, it’s clearly a hack. Deterministic nature of the device like ECU (electronic control unit) enables us to automatically lock the device to unauthorized (access),” the VP said.

The approach is different from a heuristic model, which is common in mobile phone solutions. Barzilai said heuristics are based on a statistical model of what is normal, so a deviation from the model is treated as a suspected hack attempt.

Because people use cell phones to do a variety of things, the gadgets have to be open platforms and are suitable for heuristic cybersecurity solutions. But a single-purpose device like an ECU needs deterministic solutions to receive enhanced protection.
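
The contrast between a deterministic allowlist and a heuristic baseline can be shown in a few lines. This is an added illustration, not Karamba's code: the function names, allowed transitions and call rates are all constructed, and the allowlist is assumed to have been extracted offline from a firmware image's call graph.

```python
from statistics import mean, pstdev

# Constructed policy: every caller -> callee edge assumed to exist in a
# hypothetical single-purpose charger firmware image (extracted offline).
ALLOWED_EDGES = {
    ("main_loop", "read_can_frame"),
    ("read_can_frame", "validate_frame"),
    ("validate_frame", "update_charge_state"),
    ("validate_frame", "main_loop"),        # frame rejected
    ("update_charge_state", "main_loop"),
}

def deterministic_check(trace):
    """Return the first transition outside the allowlist, or None if all are allowed."""
    for edge in zip(trace, trace[1:]):
        if edge not in ALLOWED_EDGES:
            return edge
    return None

def heuristic_check(baseline_rates, observed_rate, threshold=3.0):
    """Flag a call rate more than `threshold` standard deviations from the baseline mean."""
    mu, sigma = mean(baseline_rates), pstdev(baseline_rates)
    return abs(observed_rate - mu) > threshold * sigma

# Constructed samples: calls per second seen during normal operation.
BASELINE_RATES = [100, 102, 98, 101, 99]

# Case 1: control flow diverted to a function the firmware never calls from here,
# while the overall call rate stays normal.
HIJACKED_TRACE = ["main_loop", "read_can_frame", "validate_frame", "write_flash"]
HIJACKED_RATE = 101

# Case 2: legitimate control flow during an unusually busy period.
BUSY_TRACE = ["main_loop", "read_can_frame", "validate_frame",
              "update_charge_state", "main_loop"]
BUSY_RATE = 120

def compare():
    """Return (deterministic verdict, heuristic verdict) for both cases."""
    return {
        "hijacked": (deterministic_check(HIJACKED_TRACE) is not None,
                     heuristic_check(BASELINE_RATES, HIJACKED_RATE)),
        "busy": (deterministic_check(BUSY_TRACE) is not None,
                 heuristic_check(BASELINE_RATES, BUSY_RATE)),
    }

if __name__ == "__main__":
    for case, (det, heur) in compare().items():
        print(f"{case}: deterministic={det} heuristic={heur}")
```

The allowlist blocks the diverted transition even though its call rate looks normal, while the statistical check misses it and instead flags the legitimate busy period.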

Presence in the Asian market

In December 2021, Karamba and Winbond Electronics, a Taiwan-based semiconductor memory producer, announced a collaborative cybersecurity solution tailored for automotive and IoT needs.

Barzilai said the solution gives a device that embeds Winbond memory out-of-the-box security for over-the-air (OTA) updates, which is the direction the automotive industry is heading.

Besides Winbond, Karamba has built relationships with many Asia-based companies. For instance, its solutions support vehicles made by VinFast, a Vietnamese automotive company. VinFast also joined the company’s latest funding round in December 2021. Moreover, Samsung SDS has selected Karamba as its IoT endpoint security solutions provider and offered it a strategic investment.

Barzilai said the Asian market is very important to Karamba, especially Southeast and East Asia. Many IoT and automotive product manufacturers with high quality standards and cutting-edge technologies are concentrated in the region. They will need to meet regulations that require them to protect their products’ cybersecurity. Karamba would be able to help manufacturers reach that goal without costly changes to R&D, validation and manufacturing processes.

In response to the growing concern about vehicle cybersecurity, industry standards and regulations such as ISO/SAE 21434 or UN Regulation 155, which requires a cybersecurity management system, were released last year.

Barzilai suggested that automotive suppliers check with their OEMs to see whether there are any requirements to meet. In addition, they should do a gap analysis to see which cybersecurity issues they need to prioritize.

Because automotive design and implementation cycles can take a few years, Barzilai said, suppliers should respond to the requirements early to avoid production delays and higher expenses.