Caramba! Dude, where's my hacked car?
Neighbour sick of you parking in his driveway? You'd better hack-proof your car
Car security startup Karamba Security has emerged from stealth with $2.5m in funding and a plan to revamp in-car security. Karamba has developed a technology that hardens the externally-facing electronic control unit (ECU) of cars in order to defend against hack attacks. The software is designed to protect a car's externally …
COMMENTS
Thursday 7th April 2016 14:04 GMT NoneSuch
We're sorry
You have failed to enter a correct password three times and have been denied entry to your vehicle. You will be unable to try again for twenty minutes. The car sensors recognize the parking lot is experiencing high winds and driving rain so the car will play Top 40 hits for you to listen to while the timer counts down.
Thank you for your patience.
Thursday 7th April 2016 14:29 GMT Fatman
Re: We're sorry
"You have failed to enter a correct password three times and have been denied entry to your vehicle."
BTDT - in a slightly different way. I once owned a Cadillac which I bought USED that was equipped with VATS, a very primitive anti-theft system. (If you've never heard of VATS, then Google is your friend.)
ONE of VATS' more annoying idiosyncrasies was its intermittent failure to start, lighting up the SECURITY light on the dashboard. It can be a real pain in the ass to be stuck somewhere isolated with a car that will not start because the fucking anti-theft system has "gone out to lunch". After the third time I got stuck out in the boonies, I had that piece of shit bypassed. Because it was a VERY primitive setup, bypassing it was easy, and there were two basic ways to go about it:
1) Permanently wire the correct resistor value into the circuit; this would allow a key properly cut at a hardware store to work (no need for that expensive dealer-made key). It does have one drawback: if the module that "decodes" the resistor value and produces the "OK to start engine" signal to the ignition goes bad, you are still stuck. OR
2) replace the module with another module that provides the correct "OK to start engine" signal to the ignition system.
Both choices leave your vehicle more vulnerable to theft. But at the time I didn't care, that beast was at least 15 years old.
I don't even like to consider that people could be locked out of their cars by a hacker, a malicious government, a corrupt business, etc. All one needs to "get it" is to read about those people who dropped their cash for a Revolv home hub, who are about to get fucked.
Caveat Emptor!
Thursday 7th April 2016 13:37 GMT Shadow Systems
He won't do it for long...
I will ask politely Once, a little less so on the Second happening, & not at all on the Third. After that I will reach for the sledgehammer. It won't happen a Fifth time. MUH Hahahahahaha.
I'll get my coat, it's the one with the safety gloves & goggles in the pocket.
Thursday 7th April 2016 13:38 GMT theOtherJT
Sticking with classic cars...
...until auto manufacturers start taking network security seriously.
I'm glad someone's doing it, but really it's pretty poor that this is required in the first place. As soon as internet connected things started going into cars there should have been requirements that they were properly isolated from anything that managed the actual driving, and those requirements should have been laid down in law as important public safety concerns.
Thursday 7th April 2016 13:58 GMT Immenseness
Re: Sticking with classic cars...
Agree totally.
"designed to block attacks from ever infiltrating the car's controller area network (CAN Bus). The technology ensures that only explicitly allowed code and applications can be loaded and run on the controller,"
I can hardly bring myself to ask the question about who thought it was a good idea to allow any old code and applications to run there, or to allow commands from anything other than the other core safety components of the car design in the first place. Oh wait, I think I answered my own question.
Thursday 7th April 2016 14:19 GMT chivo243
Re: Sticking with classic cars...
Finding and maintaining these classic cars will be a big business. I'm also thinking maintaining older appliances and TVs will be big business. Some people don't want everything accessible from anywhere...
My cousin bought a truck a few years back, and wanted manual locks, manual windows and manual transmission for a myriad of reasons. He had to wait many weeks extra for that vehicle to be delivered.
Thursday 7th April 2016 16:22 GMT Anonymous Coward
Re: Reminds me of something...
It does indeed seem to be taking an insecure system, and adding another system to it to try to protect it...
When the sensible solution would be to ask the correct questions when building the initial system...
Q) Does the car need to accept inbound connection requests from world+dog?
A) I would suspect not...
In fact apart from the remote locking system, I can't see why any connection to the car's internals would need to be inbound with no warning...
Thursday 7th April 2016 14:05 GMT Steve Davies 3
how long before the car makers ...
Start legal action using the DMCA. After all, the shit state of the networking/security on the CAN in most cars is far too embarrassing to be let out into the wild...
Nice idea, but these behemoths don't like being told that they have problems. Look how long it takes them to issue recalls even after people have lost their lives.
Sticking with my old Motorbike. No fancy electrics on that. Joe Lucas didn't know what the term fancy was.
Thursday 7th April 2016 14:55 GMT Anonymous Coward
"Karamba's unique endpoint security protects externally connected ECUs from attacks. Karamba enables ECUs and system providers to define factory settings for each ECU, generating a policy that creates whitelists of all ECUs' permitted program binaries, processes, scripts, network behavior, etc. This policy is embedded within the externally connected ECU to ensure that only explicitly allowed code and behaviour may run on it."
This makes no sense whatsoever in the context of the way vehicle ECUs and the CAN bus actually operate. As far as I can tell it's nothing more than marketing bullshit in order to secure the all-important VC funding.
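For readers weighing the quoted blurb and the earlier "does the car need to accept inbound connections" question, here is what a per-ECU allowlist policy of that shape looks like when written down. This is an added example, not Karamba's code or anything from the article; the binary images, hashes, CAN IDs and ports are constructed, and the policy denies by default, including unsolicited inbound connections.

```python
# Added illustration of a default-deny ECU allowlist (not Karamba's code).
# All sample images, CAN IDs and ports below are constructed for the example.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class EcuPolicy:
    binaries: frozenset       # SHA-256 of every image the ECU may execute
    can_ids: frozenset        # CAN arbitration IDs it may forward to the internal bus
    inbound_ports: frozenset = frozenset()  # unsolicited inbound TCP ports (empty = none)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def may_execute(policy: EcuPolicy, image: bytes) -> bool:
    # Any change to the image changes its hash, so a patched binary is rejected.
    return sha256(image) in policy.binaries


def may_forward_can(policy: EcuPolicy, arb_id: int) -> bool:
    return arb_id in policy.can_ids


def may_accept_inbound(policy: EcuPolicy, port: int) -> bool:
    return port in policy.inbound_ports


# Constructed "factory" images and the policy generated from them.
INFOTAINMENT = b"infotainment-v1.2"
TELEMATICS = b"telematics-v3.0"
POLICY = EcuPolicy(
    binaries=frozenset({sha256(INFOTAINMENT), sha256(TELEMATICS)}),
    can_ids=frozenset({0x3E8, 0x3E9}),   # constructed IDs: lock request, status query
)


def evaluate(policy: EcuPolicy, events):
    """Decide each (kind, value) event; unknown kinds are denied as well."""
    checks = {"exec": may_execute, "can": may_forward_can, "inbound": may_accept_inbound}
    decisions = []
    for kind, value in events:
        check = checks.get(kind)
        allowed = check(policy, value) if check else False
        decisions.append((kind, "allow" if allowed else "deny"))
    return decisions


if __name__ == "__main__":
    sample = [("exec", INFOTAINMENT), ("exec", b"infotainment-v1.2-patched"),
              ("can", 0x3E8), ("can", 0x7DF), ("inbound", 443)]
    for kind, decision in evaluate(POLICY, sample):
        print(kind, decision)
```

The point the commenters are arguing over is visible in the last two events: the policy has to enumerate what the ECU may do up front, and anything not enumerated (here the OBD broadcast ID and an inbound connection) is simply refused.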
Thursday 7th April 2016 16:15 GMT Starace
My thoughts exactly.
A scheduler, application partitioning and signed code on a secured SOC with a fixed and validated ICD with key handshaking doesn't leave much room for what they're selling.
On the other hand there have been a few muppets recently using a full operating system on an embedded computer to build entertainment systems plus at least one well known manufacturer who seem to think Linux and bog standard ethernet is a good platform for their electric car.
But mostly it sounds like marketing bullshit that no OEM would touch, or if they did it would be via their existing RTOS supplier adding what was actually needed.
Thursday 7th April 2016 19:43 GMT Cardinal
'ello, 'ello (again!)
"Karamba's founders are Ami Dotan, Tal Ben David, David Barzilai and Assaf Harel. Ben David and Harel cut their teeth managing Check Point's endpoint security research and development teams."
Weren't Check Point the outfit that bought a neat little free firewall called 'Zone Alarm' a few years ago and turned it into a bloated useless mess that didn't work properly for bloody weeks? I gave up on it in the end, so don't know HOW long it took them to get it working properly again - IF indeed they ever did!
Not sure I'd fancy them working on MY car's security.
Saturday 9th April 2016 00:02 GMT Michael Wojcik
Re: 'ello, 'ello (again!)
Yes. On the other hand, the research arm of Check Point has done some good security research work. I haven't looked at the track record of the people named in the article in particular, but I think the former relationship with Check Point doesn't tell us much either way. They could be good security researchers, or lousy software developers, or neither.
Thursday 7th April 2016 22:13 GMT EveryTime
I'm with the other posters who think this sounds like a meaningless jumble of technical words.
This company might be doing something useful, but from the description it comes across as a scam.
They claim to be OS agnostic. Security isn't OS agnostic. You can do stupid things at any level, including inside the OS, as Microsoft proved in the 1990s. Don't execute picture files as programs. Don't allow active email messages. Don't gateway unchecked external communication onto the car network.
Saturday 9th April 2016 00:03 GMT Michael Wojcik
"Security isn't OS agnostic. You can do stupid things at any level, including inside the OS, as Microsoft proved in the 1990s. Don't execute picture files as programs. Don't allow active email messages. Don't gateway unchecked external communication onto the car network."
Everything in your list is OS-agnostic. None of those vulnerabilities are specific to an OS - they can be introduced in any OS that doesn't (correctly) implement a sufficiently strict security model.
Saturday 9th April 2016 00:07 GMT Michael Wojcik
Re: Thank You!
Pfft. I could have moved the article a lot faster than that. Just takes an HTTP 301.
Seriously, I've never heard of this "neighbor parks in your driveway" syndrome being a problem before. I've always managed to be on good terms with my neighbors, but if I weren't, I'd just call a towing company and have them towed. In every US jurisdiction where I've lived, that's perfectly legal - someone parks on my property, I can have the vehicle removed at owner's expense. I take it that's not the case where you live.
Friday 8th April 2016 04:53 GMT Long John Brass
So what you're telling me is ...
That I now need an Anti Virus and Intrusion Detection System for my car
And how will the updates be delivered?
Ahhh, from the Authorised dealers only; should have known.
*sobs*
Kinda lost for words now ... The will to live failing ... The *rage* building ...
<coat> Mine's the one with the tickets off this damned rock in it </coat>