Neighbour sick of you parking in his driveway? You'd better hack-proof your car

Car security startup Karamba Security has emerged from stealth with $2.5m in funding and a plan to revamp in-car security. Karamba has developed a technology that hardens the externally-facing electronic control unit (ECU) of cars in order to defend against hack attacks. The software is designed to protect a car's externally …

  1. Anonymous South African Coward Bronze badge

    Caramba! Dude, where's my hacked car?

    1. NoneSuch Silver badge
      Black Helicopters

      We're sorry

      You have failed to enter a correct password three times and have been denied entry to your vehicle. You will be unable to try again for twenty minutes. The car sensors recognize the parking lot is experiencing high winds and driving rain so the car will play Top 40 hits for you to listen to while the timer counts down.

      Thank you for your patience.

      1. Fatman

        Re: We're sorry

        <quote>You have failed to enter a correct password three times and have been denied entry to your vehicle. </quote>

        BTDT - in a slightly different way. I once owned a Cadillac which I bought USED that was equipped with VATS, a very primitive anti-theft system. (if you never heard of VATS, then Google is your friend.)

        ONE of VATS's more annoying idiosyncrasies was its intermittent failure to start, lighting up the SECURITY light on the dashboard. It can be a real pain in the ass to be stuck somewhere isolated with a car that will not start because the fucking anti-theft system has "gone out to lunch". After the third time I got stuck out in the boonies, I had that piece of shit bypassed. Because it was a VERY primitive setup, bypassing it was easy, and there were two basic ways to go about it:

        1) permanently wire in the correct resistor value to the circuit; this would allow the key properly cut at a hardware store to work (no need for that expensive dealer-made key). It does have one drawback - if the module that "decodes" the resistor value and produces the "OK to start engine" signal to the ignition goes bad, you are still stuck. OR

        2) replace the module with another module that provides the correct "OK to start engine" signal to the ignition system.

        Both choices leave your vehicle more vulnerable to theft. But at the time I didn't care, that beast was at least 15 years old.

        I don't even like to consider that people could be locked out of their cars by a hacker, a malicious government, a corrupt business, etc. All one needs to "get it" is to read about those people who dropped their cash for a Revolv home hub, who are about to get fucked.

        Caveat Emptor!

  2. lurker

    You think that of me? I am the one who hacks.

    Roll on driverless car tech, and the glorious day when the typical demographic of this site (ageing nerds) can relocate our neighbours' inconsiderately parked drive blockers armed only with our smartphones.

    1. Captain DaFt

      "can relocate our neighbours' inconsiderately parked drive blockers armed only with our smartphones."

      Why just relocate?

      There'll probably be an app to show you where all the other hacked cars are being sent for a rousing round of demolition derby!

  3. Shadow Systems

    He won't do it for long...

    I will ask politely Once, a little less so on the Second happening, & not at all on the Third. After that I will reach for the sledgehammer. It won't happen a Fifth time. MUH Hahahahahaha.

    I'll get my coat, it's the one with the safety gloves & goggles in the pocket.

  4. theOtherJT Silver badge

    Sticking with classic cars...

    ...until auto manufacturers start taking network security seriously.

    I'm glad someone's doing it, but really it's pretty poor that this is required in the first place. As soon as internet connected things started going into cars there should have been requirements that they were properly isolated from anything that managed the actual driving, and those requirements should have been laid down in law as important public safety concerns.

    1. Immenseness

      Re: Sticking with classic cars...

      Agree totally.

      "designed to block attacks from ever infiltrating the car's controller area network (CAN Bus). The technology ensures that only explicitly allowed code and applications can be loaded and run on the controller,"

      I can hardly bring myself to ask the question about who thought it was a good idea to allow any old code and applications to run there, or to allow commands from anything other than the other core safety components of the car design in the first place. Oh wait, I think I answered my own question.

    2. chivo243 Silver badge
      Thumb Up

      Re: Sticking with classic cars...

      Finding and maintaining these classic cars will be a big business. I'm also thinking maintaining older appliances and TVs will be big business. Some people don't want everything accessible from anywhere...

      My cousin bought a truck a few years back, and wanted manual locks, manual windows and manual transmission for a myriad of reasons. He had to wait many weeks extra for that vehicle to be delivered.

      1. Alan W. Rateliff, II

        Re: Sticking with classic cars...

        My first car was a 1979 Chevy Monza. God, how I miss that thing.

        1. chivo243 Silver badge

          Re: Sticking with classic cars...

          Damn, riding in style... Was it red? I don't recall ever seeing another color... my buddy's mom had a red one.

  5. Anonymous Coward

    Reminds me of something...

    Develop something with software inside it...

    sell it...

    it's not safe, so you need to buy something else to protect it...

    ...with software inside it...

    ...it's not safe...

    1. Anonymous Coward

      Re: Reminds me of something...

      It does indeed seem to be taking an insecure system, and adding another system to it to try to protect it...

      When the sensible solution would be to ask the correct questions when building the initial system...

      Q) Does the car need to accept inbound connection requests from world+dog?

      A) I would suspect not...

      In fact apart from the remote locking system, I can't see why any connection to the car's internals would need to be inbound with no warning...

  6. Pascal Monett Silver badge

    Karamba !

    A value to check on the stock market.

    Because they're going to make a mint, that's for sure.

  7. Steve Davies 3 Silver badge

    how long before the car makers ...

    Start legal action using the DMCA. After all, the shit state of the networking/security on the CAN in most cars is far too embarrassing to be let out into the wild...

    Nice idea, but these behemoths don't like being told that they have problems. Look how long it takes them to issue recalls even after people have lost their lives.

    Sticking with my old Motorbike. No fancy electrics on that. Joe Lucas didn't know what the term fancy was.

    1. Chloe Cresswell Silver badge

      Re: how long before the car makers ...

      To be fair, the term "electrics" seemed to be a little vague as well to him.. ;)

    2. Gene Cash Silver badge

      Re: how long before the car makers ...

      They've already started:

      https://www.yahoo.com/autos/s/gm-ford-others-want-working-own-car-illegal-160000229.html

      1. MJI Silver badge

        Re: how long before the car makers ...

        Hmm does make staying at a 2003 model more sensible than ever.

  8. Putters

    Lucas Electrics

    Not for nothing has Lucas been referred to before now as the Prince of Darkness (of the dashboard) in the classic car world ...

    1. Solmyr ibn Wali Barad

      Re: Lucas Electrics

      Lights were pretty advanced, though, with no less than three modes of operation - off, dim, and flickering.

      1. Anonymous Coward

        Re: Lucas Electrics

        "Lights were pretty advanced, though"

        And the ignition, which protected you from driving in unsafe conditions (basically anything other than bright sunshine on dry roads) by shorting itself.

  9. Anonymous Coward

    "Karamba's unique endpoint security protects externally connected ECUs from attacks. Karamba enables ECUs and system providers to define factory settings for each ECU, generating a policy that creates whitelists of all ECUs' permitted program binaries, processes, scripts, network behavior, etc. This policy is embedded within the externally connected ECU to ensure that only explicitly allowed code and behaviour may run on it."

    This makes no sense whatsoever in the context of the way vehicle ECUs and the CAN bus actually operate. As far as I can tell it's nothing more than marketing bullshit in order to secure the all-important VC funding.

    1. Starace

      My thoughts exactly.

      A scheduler, application partitioning and signed code on a secured SOC with a fixed and validated ICD with key handshaking doesn't leave much room for what they're selling.

      On the other hand there have been a few muppets recently using a full operating system on an embedded computer to build entertainment systems plus at least one well known manufacturer who seem to think Linux and bog standard ethernet is a good platform for their electric car.

      But mostly it sounds like marketing bullshit that no OEM would touch, or if they did it would be via their existing RTOS supplier adding what was actually needed.

  10. Anonymous Coward

    More like OEMs buy our technology we need to stop customers and garages from hacking our systems to have servicing and modifications that don't involve us getting more profit...

  11. Cardinal

    'ello, 'ello (again!)

    "Karamba's founders are Ami Dotan, Tal Ben David, David Barzilai and Assaf Harel. Ben David and Harel cut their teeth managing Check Point's endpoint security research and development teams."

    .

    Weren't CheckPoint the outfit that bought a neat little free Firewall called 'Zone Alarm' a few years ago and turned it into a bloated useless mess that didn't work properly for bloody weeks? I gave up on it in the end, so don't know HOW long it took them to get it working properly again - IF indeed they ever did!

    Not sure I'd fancy them working on MY car's security.

    1. Michael Wojcik Silver badge

      Re: 'ello, 'ello (again!)

      Yes. On the other hand, the research arm of Check Point has done some good security research work. I haven't looked at the track record of the people named in the article in particular, but I think the former relationship with Check Point doesn't tell us much either way. They could be good security researchers, or lousy software developers, or neither.

  12. EveryTime

    I'm with the other posters who think this sounds like a meaningless jumble of technical words.

    This company might be doing something useful, but from the description it comes across as a scam.

    They claim to be OS agnostic. Security isn't OS agnostic. You can do stupid things at any level, including inside the OS, as Microsoft proved in the 1990s. Don't execute picture files as programs. Don't allow active email messages. Don't gateway unchecked external communication onto the car network.

    1. Michael Wojcik Silver badge

      Security isn't OS agnostic. You can do stupid things at any level, including inside the OS, as Microsoft proved in the 1990s. Don't execute picture files as programs. Don't allow active email messages. Don't gateway unchecked external communication onto the car network.

      Everything in your list is OS-agnostic. None of those vulnerabilities are specific to an OS - they can be introduced in any OS that doesn't (correctly) implement a sufficiently strict security model.

  13. YetAnotherJoeBlow
    Happy

    Thank You!

    I sent this article to my neighbor - within 20 minutes he moved it. I think he figured out what I do for a living.

    1. Michael Wojcik Silver badge

      Re: Thank You!

      Pfft. I could have moved the article a lot faster than that. Just takes an HTTP 301.

      Seriously, I've never heard of this "neighbor parks in your driveway" syndrome being a problem before. I've always managed to be on good terms with my neighbors, but if I weren't, I'd just call a towing company and have them towed. In every US jurisdiction where I've lived, that's perfectly legal - someone parks on my property, I can have the vehicle removed at owner's expense. I take it that's not the case where you live.

  14. x 7

    So how do I tell if my car has an outward facing network connection? Nothing shows up on wireless network scans.

  15. Long John Brass
    Coat

    So what you're telling me is ...

    That I now need an Anti Virus and Intrusion Detection System for my car

    And how will the updates be delivered?

    Ahhh from the Authorised dealers only, should have known

    *sobs*

    Kinda lost for words now ... The will to live failing ... The *rage* building ...

    <coat> Mine's the one with the tickets off this damned rock in it </coat>

  16. I am the liquor

    Cost saving

    "The tech is pitched as a way for car companies to avoid the costs of recalls, or lost future sales as the result of their vehicles being compromised."

    I expect it will also handily save them the cost and inconvenience of engineering their systems to be secure by design.
