We Hack a Car (It’s Way Easier than You Might Think)

The cars may have been scale models, but the experience made clear the need for strong countermeasures.

Cybersecurity is a phrase that carries a ton of buzz in the automotive world right now, and for good reason. According to industry reports, 98 percent of new vehicles will be connected through cellular networks by 2020, making the automotive industry a leading user of such networks and hosting about one-third of all cellular devices.

With so many components of our vehicles running on and communicating via networked, cloud-based systems, and with an exponential number more on the horizon as cars begin to link to each other via vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and vehicle-to-whatever-else (V2X) technology, we need to make sure that our individual vehicles are protected from theft or interference, and that the entire connected web of vehicles will not be turned into a plaything for hackers, used as battering rams robbing banks, or simply turned off and left to snarl your city’s already snarled roadways by nefarious groups or individuals exploiting egregious lines of poorly written code. This is not a frivolous risk from a superhero movie; indeed, in addition to the regulatory, indemnificatory, technological, behavioral, and consumer-acceptance challenges facing the autonomous future, security vulnerabilities are viewed as one of the core barriers to self-driving cars. So much so that a new industry standard requires enhanced cybersecurity be implemented in all new cars starting in February of this year.

“There’s a consistent pattern. When systems become connected, they get hacked,” says David Barzilai, the chairman and co-founder of three-year-old Israeli cybersecurity firm Karamba, which has grown exponentially since its founding to service 17 Tier 1 suppliers and two OEMs. “Security bugs and vulnerabilities to hackers [increase] with direct relation to lines of code. A Boeing Dreamliner has 15 million lines. A contemporary premium car has 100 million. An autonomous car has more than 300 million. So there are going to be hack attempts.”

Karamba is one of the industry leaders in creating behavior profiling and anomaly-detection technologies capable of deterministically sensing and neutralizing a hacking threat. The company’s genius was determining that the risk in a car was not like the risk to a bank or credit-card database. “A car is not a data center on wheels,” Barzilai says. “It’s more like an Internet of Things device on wheels. We realized that security has only to check and make sure that the devices are sealed and working according to factory settings during run time. They’re not something a consumer ever needs to change. So [that means] if there’s a change, it’s an attack, and we note it, block it, and report it.” All of this protective tech is built right in during development. Karamba works directly with OEMs in producing the ECUs and other connected vehicular tech devices.


Russian black hats are not trying to steal the number of the credit card you’ve connected to your GrubHub account, in order to fund social-media bots aimed at destroying our democracy. Rather, since every model with the same connected system has the same vulnerabilities, organized crime and terrorists may attempt to take over huge fleets of like vehicles and hold them hostage to garner ransoms or other rewards from governments or OEMs, or simply to wreak havoc—the very definition of terrorism.

In order to make this threat clear, our friends from Karamba were kind enough to demonstrate the functionality of their system live at CES. Using a touchscreen tablet and a model of an infinity-shaped smart city around which a trio of autonomous RC cars were circling, we identified a set of cars we wanted to hack, located a vulnerability, and then took control of them with a few taps. We were able to make them speed up, stop, or reverse, wreaking the aforementioned havoc on the other autonomous cars attempting to go about their little autonomous-car business. This was bad. (Although we’re a bit bummed we didn’t leave with a ransom.) With Karamba’s protections active, the hack was detected and averted, and the OEM was immediately notified so an over the air fix to the vulnerability could be implemented.


All of this leads us to a few conclusions. First, fully driverless autonomous cars are further off than the hyperbolic prognosticators in the industry have been suggesting. Second, we are very glad that there are anti-hackers tackling the problem. “Are we all doomed?” Barzilai asks rhetorically. “Yes. There’s no cybersecurity that’s one hundred percent resilient. What we want to do is to make it difficult enough to hack cars that the hackers will turn their attention to something else, like a connected bread maker or a connected camera. Something that is not life-threatening. We try to take a pragmatic approach.” Comforting, that.