The rise of autonomous and smart connected vehicles on our highways has put a spotlight on the instances of auto cybercrime, and the relevance of suitable regulations in the industry. FreightWaves recently discussed the impact of these regulations on civil liability in detail, and as a continuation to that segment, spoke with David Barzilai, the Executive Chairman of Karamba Security, an Israeli company that focuses on securing automotive controllers from hackers via its software solution.
“We looked into this problem of automotive cybersecurity back in 2015, and we spent a whole year on evaluating this market and understanding it,” said Barzilai. “Unfortunately, the cyber security solutions that were provided in the automotive industry were data center solutions that were modified to run in the vehicle. In essence, the companies looked at the vehicle as a mini data center on wheels, while taking the technologies that proved effective in the data center and making them run on the vehicle like they did in the enterprise network.”
However, Barzilai believed this line of thought had caveats. Typically, technologies that concern enterprise protection and network security, predominantly address the loss of data and the ways through which it could be plugged. But then within the automotive space, the more significant issue is the risk to lives on the road caused due to cybercrime activities.
“There are things that are very common in the data center technologies that are unacceptable in the automotive world. These things are called false positive or false alerts,” said Barzilai. “Technologies that are provided by most of the vendors are statistical. This means that they build a model of normal traffic and once they detect a statistical anomaly to that model, they consider it to be an attack. But the problem is that statistics are not always right. Sometimes you have statistical mistakes that alert on the anomaly as a suspected attack, when it actually is not.”
For instance, imagine a person working from Germany using his login credentials on his enterprise platform. He then takes off to Thailand on an official trip, and tries logging in on his laptop from Thailand. Though it is the same person, the system can register different behavior as the login attempt comes in from a foreign network. This could be viewed as a statistical anomaly, preventing the user from logging in.
Though this could be considered an inconvenience, it is not a life-altering choice as it could be in the transportation ecosystem. “In the automotive world, if such statistical mistakes happen, they may make airbags to not open or brakes to not engage, and that means loss of lives,” said Barzilai. “That was the most fundamental problem that we saw in technologies that are trying to replicate network security into the vehicle.”
Barzilai insisted that the approach should be to make sure the underlying factory settings are never accessed by anyone other than the car manufacturer itself, and in the scenario where someone is meddling with it, the person could be zeroed in to be a hacker.
In the future, the fine line separating liability from a car driver and the OEM company would blur, as autonomous vehicles would potentially revolutionize the industry. “Autonomous driving is supposed to change not just the technology, but also the economics of the car. With autonomous driving the ownership model will be different, because the car will be provided as a service,” said Barzilai. “It means that you and I would probably not own a car, but we can ask for a vehicle to drive us from point to point in a certain time.”
The liability to a car accident on the road falls on the driver today, but with the advent of autonomous cars, the scales would tilt towards the car owner or the OEM company that manufactured the vehicle. This leaves the latter in a spot of bother, as a quantum of cybersecurity lapses fall on the manufacturer, which is generally not the case with cybersecurity in electronic devices like phones or computers - where the owners are expected to cyberproof their devices with antivirus programs. Autonomous vehicles would drastically increase the liabilities on car companies, both in terms of car accidents and cyber attacks.
This is an unfortunate repetitive pattern, with hacking being a relevant part of all connected systems - especially when big ransom money is at play to incentivize hackers to attack vehicles on the road. A few years back, a Jeep Cherokee was at a receiving end of one such attack where a security bug in its infotainment system was exploited by hackers to make the car stop in the middle of a highway. This led to Chrysler recalling 1.4 million vehicles of the same series, as they all held the same bug and could potentially end up being hacked similarly.
Such snags or malware could provide hackers immense leverage, as it could be used to blackmail OEM companies and extort money - as the alternative would be millions in liabilities and a fall in consumer trust - both of which could be the death knell for a manufacturer.
Barzilai concluded by saying that the crucial thing is to perceive how to prevent false alerts from occurring and condition the system to identify hackers before they cause damage. “This is the mission of the industry, and we are very hopeful that the industry will be much faster than the bad guys in finding a solution to prevent attacks from happening,” he said.