If Keen Calls, Pick Up, Cybersecurity Expert Says

TRAVERSE CITY, MI – Ami Dotan has a message for automakers: if an upstart Chinese outfit by the name of Keen Security Labs calls, pick up on the first ring.

As BMW and Tesla recently learned, Keen was able to hack their vehicles to demonstrate vulnerabilities such as remote braking that could be disastrous in the wrong hands. Lucky for BMW and Tesla, Keen is a white-hat, or one of the good guys, and now also a key partner for both automakers.

“They had to partner with them. Keen found the vulnerabilities,” Dotan, CEO of automotive cybersecurity supplier Karamba Security, tells a session of the CAR Management Briefing Seminars here.

In the case of BMW, Keen found 14 vulnerabilities within its X1, i-, 5- and 7-Series models. BMW and Tesla are not alone, either. Keen and other white-hatters have hacked vehicles from Volkswagen, Mazda, Toyota and Fiat Chrysler dating back to 2015.

Dotan says vehicles are vulnerable because they are the most complex form of transportation. The driverless cars of the future, he notes, will run 30 million lines of code. A Boeing 787 today runs a comparatively miniscule 15 million.

“This is a problem, because there are bugs,” he says.

Dotan estimates there would be 15,000 security vulnerabilities in an autonomous vehicle.

“This is something the industry is trying to cope with, but in our view not enough has been done,” he says.

One problem: automakers design and validate to specification standards. Hackers find their way in through those standards. “They poke the car, the poke the design, they poke the software, each and any way they can,” Dotan says.

Bluetooth, Wi-Fi, cellular and on-board diagnostics are among the pathways hackers can take to a car’s three or four electronic control units, which are the real driver’s seat to any vehicle. Dotan says network separation, where, for example, automakers seal off the infotainment system ECU from advanced driver-assistance system ECUs, is not the solution.

In the case of BMW, Keen hacked the infotainment system to access the telematics unit and then the central gateway module, which is the gateway for all data coming into the vehicle.

“Are these (automakers) victims?” he asks. “We don’t think so. There is a lot of offense going on.”

Key cybersecurity concerns for automakers include relying on Tier 1 and Tier 2 suppliers’ software quality, and the attack-and-response methodology of the data lab does not work in the automotive environment because any patch sent to the field requires certification.

“You cannot patch in a number of hours, not in days,” he says. “It takes time. What do you do with the car in the meantime? It’s a big problem, a big concern.”

Automaker must think not just about corrective measures to protect their products but preventive measures, as well.

Karamba itself illustrates the rise in vulnerabilities. In the two years since its launch, Karamba, with offices in Israel and metro Detroit, has raised $27 million in equity funding and works with 17 OEMs and Tier 1 suppliers. TU Detroit, a leading connectivity conference, has awarded Karamba its best cybersecurity product/service two years’ running.

As far as Keen Security, Dotan closes by saying the outfit’s standard operating procedure is, “Don’t call us. We’ll call you.”