Autonomous vehicles will use hundreds of millions of lines of code
A Karamba illustration of vulnerable systems
A Karamba illustration of finding bugs
Researchers hacked into a Jeep Cherokee through its infotainment system
Autonomous cars will provide hackers with hundreds of thousands of security risks to take advantage of because of the masses of code needed to run their systems.
According to David Barzilai, founder and chairman of coding expert Karamba Security, the first truly autonomous vehicles will run using hundreds of millions of lines of code. This will leave hackers with masses of vulnerable software that can be hacked into in order to take control.
Barzilai explained that current top-end luxury vehicles with partial autonomous technology, such as the BMW 7 Series and Volvo XC90, already have about one hundred million lines of code. As this technology advances, so too will the number of opportunities for hackers and criminals to break into digital systems.
“The automotive market is a big risk [to hacking] because of its sheer scale,” said Barzilai. “Recently Chrysler had to recall 1.4 million cars because of a security risk, showing that just one hack can affect more than one million cars. That’s quite astonishing.”
Chrysler’s recall came after two security researchers managed to hack into the system of a Jeep Cherokee (pictured below) that featured the brand’s Uconnect infotainment system. They were able to work their way through the code to eventually take over the dashboard functions, gearbox and even the steering and brakes.
While the Chrysler incident was an isolated one and involved researchers who aim to iron out these risks, it served to emphasise the level of danger mass-produced models can face from hackers.
“As autonomous cars get more sophisticated and as more human functions move to the car, like looking around and steering, the danger increases,” continued Barzilai. “Hackers can hack into a car through its [internet] connected features such as the infotainment, and once in, they can work their way into the rest of the car’s controls.”
Barzilai’s company specialises in real-time time sealing and protecting code running in vehicle control units, according to factory settings, to reduce the chances of this happening. He likens the company’s work to weather proofing a home.
“If you live in a house, sometimes there are storms and the water looks for cracks to get into your house. We seal those cracks and protect the house while keeping the factory settings to keep things simple.
“By automatically hardening the code in the ECU in run time, bugs can’t be exploited. We do it in a way that the car manufacturer doesn’t need to change any software or hardware themselves.”
Karamba has only been around since 2015, but already the firm is engaging with global manufacturers. While no names can be revealed at this stage, Barzilai suggested that Karamba-hardened code could make it into production models in a couple of years.
Autonomous vehicle ECU security looks like it will become an increasingly important industry. However, Barzilai doesn’t believe the car industry will follow suit of the security industry for computers, for example, where aftermarket anti-virus protection is sold.
Instead, he expects the job of protecting car code to remain the responsibility of manufacturers.
“The solution won’t come to the end user like with computers,” he explained. “I believe it will be delivered by the manufacturers. Car managers and security managers are the ones to protect from bugs, not the end user.”
The battle won’t be won as soon as a car is sold, however, because hackers and criminal organisations wanting to take control of vehicles might attack a model’s systems long after it makes it to market.
Barzilai therefore thinks manufactures will make use of over-the-air technology, which can securely apply wireless software updates to vehicles, to keep up protection over a vehicle’s lifetime. If a new security risk is found, the car maker can issue a fix to all models running that software.
“The car industry tends to move slowly in this area, but the threat from hackers, criminals and terrorists is real,” continued Barzilai. “The US National Highway Traffic Safety Administration has said a couple of times that this is now a main concern. So I think there will be some new regulations to make sure car manufacturers block these risks before they are found.”