Cyberproofing the modern-day connected car

Imagine driving down a highway, listening to your favorite song playing on your car’s high-end in-vehicle entertainment system – then suddenly, you lose control over the steering – someone else has taken control of your car. This isn’t a scene from an action movie but a potential threat to cars with the latest on-board electronics. According to European think-tank IDATE, by 2018 the number of connected cars will rise to 420 million from 45 million in 2013.

These cars could potentially come under cyber-attacks. Taking note of these lacunae, a group of ex-Israeli intelligence officers from the elite Unit 8200 started Argus Cyber Security Ltd. The Tel-Aviv-based firm is a security pioneer in the automotive industry. Argus incorporates both innovative security methods and proven communication networks practices into comprehensive solutions, enabling OEMs to keep up with ever advancing automotive connectivity without compromising on security. Argus focuses on multiple aspects in its solutions, detecting unauthorized access, securing remote connectivity, reporting irregularities and keeping up with new threats as they emerge.

According to Argus, initial cyber invasions into a vehicle can take on many forms. For example, an attacker can take advantage of a vulnerability in a vehicle’s infotainment system or exploit the telematics system and wirelessly compromise the vehicle. Once inside, an attacker can utilize the vehicle’s internal communication bus and take control of additional modules inside the vehicle, including safety critical systems like the ABS and Engine Electronic Control Units (ECUs). As demonstrated by a recent DARPA funded research, an attacker can take control of the vehicle – affect the steering wheel, accelerate the vehicle, activate the brakes, turn off the engine, and a lot more. It is even possible for an attacker to reflash modules, override hard coded safety measures and install Trojan horses. Even if the network is segmented, the gateways can be compromised and influenced to allow malicious messages to pass.

Argus helps the automotive industry promote innovation and vehicle connectivity by mitigating the rising risk to human lives and property. Argus provides carmakers a unique Intrusion Prevention System (IPS) which prevents a vehicle’s critical components from being hacked in real-time.
It also generates reports and alerts for remote monitoring of a vehicle’s cyber health.

Malicious attacks are identified by utilizing Argus patent-pending Deep Packet Inspection (DPI) algorithms. This unique technology scans all traffic in a vehicle’s network, identifies abnormal transmissions and enables real-time response to threats. The Argus IPS provides security managers a comprehensive overview of cyber-attacks and irregularities, allowing OEMs to identify unauthorized attempts to tune or change an ECU behavior. As cyber threats are dynamic in nature, the Argus research team constantly updates deployed systems, using Argus Secure Cloud servers and real-time Over-The-Air (OTA) updates.

This November, Argus reported a security vulnerability in the South-Carolina-based Zubie, Inc’s device. As part of its ongoing research, Argus found that Zubie’s product was vulnerable to a wireless remote takeover. If left unaddressed, this gap would have enabled the installation of a malicious malware that could potentially influence a vehicle’s critical systems.

“Argus’ mission is to promote car connectivity with zero compromise on safety and security,” said Ofer Ben-Noon, co-founder and CEO at Argus. “Once we detected Zubie’s security gap we duly notified Zubie with full details of our findings as required by our responsible disclosure policy. I was pleased to see both companies view customers’ safety a top priority, as evident by Zubie’s immediate action to fix the problem.”

Zubie has gone through system-wide security testing to protect the safety of both its customers and products. Since learning about the report from Argus, Zubie made the appropriate changes to its development process in order to further strengthen its overall security practices.

“We take security very seriously and pride ourselves on continuing to bolster our cyber safety programs with ongoing security testing and monitoring, and we have no evidence that any customers’ vehicles were compromised,” said Tim Kelly, CEO of Zubie. “We fully endorse responsible disclosure policies and appreciate Argus coming directly to Zubie to address this issue, as it helps the company achieve its mission of making driving safer for everyone.”

Argus’ technology has sparked interest in investors. A few months back, the company managed to raise USD 4 million from a group which includes Magma Venture Partners, Vertex Venture Capital and co-founder of the RAD Group, Zohar Zisapel. “In a world of connected cars, car-hacking is an unavoidable hazard said Ben-Noon, in a press statement. “Argus helps the automotive industry keep passengers’ safety a top priority and comply with emerging cyber-security regulatory requirements. As demand and market opportunity grow fast we will use the funds invested to expand our product offering and market reach.”

Automotive Industries spoke to Ofer Ben-Noon, Co-Founder & CEO, Argus Cyber Security Ltd.

AI: How seriously do automotive manufacturers take the threat of cyber-attacks on vehicles?

If up to a few months ago I would have replied that this issue was not receiving the proper attention it should have, I think that recently there is a positive shift in the right direction, awareness to the seriousness of the threat has risen. A good example for that is GM’s recent appointment of its first cybersecurity chief.

AI: Would you rate the threat to vehicles higher from thieves or would you say terrorist attacks are a bigger risk?

Actually, I would not get into the motivations of why people would hack cars – these are infinite and can range from hacktivism through criminal activity to terrorism through hackers seeking reputation or even simply pranks by people with an agenda. What is important in my view is the possible risk and what measures should be taken in order to make sure that people are safe and that connected cars are secure.

AI: How easy is it for hackers to break into a car’s systems from overseas?

Actually, geographical location has no meaning when the hack is done through internet connectivity, and these are becoming more and more prevalent in the age of Internet of Cars.

AI: What are some of the systems that are particularly vulnerable to attack?

Connected systems such as telematics and infotainment units are more prone to attack, but also BlueTooth, V2V, WiFi and other systems which are connected to the outer world. In most vehicles, from there, the hacker will be able to influence the mission critical systems.

AI: How do you think car makers will factor in cyber security into the overall cost of manufacturing – the margins of which are already under pressure?

I believe that cyber security will become a basic safety prerequisite in cars in a few years – so cost will be a non-issue in manner of speaking. Would you imagine driving a car without airbags? Airbags were probably futuristic three decades ago but today no car will be sold without them.

AI: Will consumers expect car OEMs to have their own in-built cyber security rather than outsource this service to companies like Argus?

This is a difficult question to answer, as I am most probably biased. But, I do believe that consumers will expect OEMs to provide them with a complete cyber security suite. I do believe there is added value to specialist companies like Argus, as cyber security is our bread and butter so to speak. If we make an analogy to cyber security in the world of IT, we can see that the large OEMs there – Dell, Lenovo, HP and others counting on the services of outsourcers like Symantec and MacAfee to provide cyber protection to their products.  

AI: Tell us why your cyber security for cars is superior to others’ solutions.

Argus’ solution is unique in its holistic approach to the problem and in its ability to constantly stay up-to-date with current and future cyber threats. I am confident that our innovative yet robust technology is well positioned to face hazards which are dynamic and ever-changing in their nature.