An over-the-airwaves hack conducted for Wired magazine in July required no physical access to a Jeep Cherokee to shut it down. Two security experts broke into the Jeep’s Uconnect system from miles away, hijacking basic functions and even stopping the car’s transmission while a reporter was driving on a U.S. highway with an 18-wheeler truck bearing down on him.
The highly-publicized hack forced Fiat Chrysler Automobiles to recall 1.4 million vehicles and ask Sprint, whose network it used, to issue a temporary fix.
Connected Cars Are Vulnerable
Nine days later security researcher Samy Kamkar posted a YouTube video of a homemade device, called OwnStar, made from a Raspberry Pi and some wireless adapters, which he claimed enabled him to monitor and intercept communications between General Motors’ OnStar RemoteLink mobile app and any of 30 GM vehicle models that are OnStar-equipped. In the video Kamkar was able to issue commands, finding a car’s location, unlocking the doors and even starting the engine (although he was not able to drive off without the key). Since the problem was with the app and not with the OnStar system itself, GM was able to issue an update to the app on the iOS platform and disable all versions of RemoteLink susceptible to the hack.
But days later Kamkar tweeted that he had updated OwnStar to also unlock and attack BMW Remote, Mercedes-Benz mbrace and Chrysler Uconnect.
The summertime hacks drive home the fact that connected cars are becoming just as vulnerable as computers and smartphones, with greater and potentially graver consequences.
Gartner forecasts that about one in five vehicles on the road worldwide will have some form of wireless network connection by 2020, amounting to more than 250 million connected vehicles.
Yet “so far there is not one car on the road that is equipped with cyber security,” says Tom Bar Av, marketing director at Argus Cyber Security, one of four Israeli cyber security start-ups that see a market opportunity and specialize in preventing cars from being hacked.
“We believe our system could have played a pivotal role in preventing such attacks,” says Bar Av. It is one thing if someone hacks a car’s entertainment system and changes the playlist, he says. “The risk is hackers gaining access to things like the brakes and steering.”
Israeli Defense Forces Key Role
Argus’s co-founders and the majority of its staff served in Israeli Defense Forces (IDF) unit 8200, the Israeli intelligence corps that is comparable to the U.S.’s National Security Agency. LaVern Sula, the head of Argus’s North American unit, has three decades of experience in the automotive industry and until recently served as GM’s Global Engineering Director, Vehicle Cyber-Security. Argus’s technology has already been tested by the U.S. Department of Transportation.
“Our core technology has superior algorithms for threat detection,” says Bar Av. “We believe this is something unique to us, a real-time cyber dashboard that we are providing customers to give them an overview of their fleets and the ability to give a quick response to cyber attacks.”
TowerSec, which is headquartered in Ann Arbor, Michigan, with an R&D Center in Israel, was founded in 2012 by Israelis with experience in cyber security and embedded systems and is chaired by Bruce Coventry, who has 35 years’ experience in the automotive industry, working for General Motors, Ford and Chrysler. The company was named the “Hottest Start-up in 2015” at the North American International Auto Show for its work on automotive cyber security. Its technology requires a single installation and offers real-time “double perimeter” prevention and detection, says CEO Saar Dickman.
Security In Motion, which started up just six months ago, offers an anti-malware detection engine which scans and isolates malicious software installed within native programs or in any application or software added later to a car’s entertainment system. Using device fingerprinting, it ensures that all mobile devices connected to the car are recognized and identified at any time. It also listens to messages originated in the infotainment system and send alerts if something seems amiss and promises to deliver updates and features to cars securely. CEO and co-founder Sharon Farber formerly worked at CA Technologies while co-founder and CTO Dror Shalev previously headed the SmartDefense Research Center at Israeli IT security company Check Point Technologies. The company was recently named a finalist in a global cyber security competition organized by Russia’s Kaspersky Labs.
Legislation Could Be Coming
Arilou Technologies has been working on developing a cyber security system for car networks since 2012, says CEO Ziv Levi. The company has been using feedback from the car industry to steadily improve its product, giving it an advantage over younger rivals, he says. Its three founders come from an IDF unit dedicated to developing cyber security for mission-critical systems and its technology is currently being tested by two car makers.
“A system like ours, even though it does not exist in any car today, will be a must in any car you see three to four years down the road,” says Levi. “It won’t be added, it will just be a part of the car to ensure safety.”
Already U.S. legislators are discussing a bill that’s designed to require cars sold in the U.S. to meet standards of protection against digital attacks and privacy.
With the recent proliferation of high-profile hacks, all four Israeli start-ups are betting automakers won’t wait too long to start integrating their technologies into cars rather than risk paying a heavy toll.