A chilling demonstration of hackers taking control of a moving vehicle draws attention to Argus
BY David Shamah / TimesOfIsrael.com
Remote-controlled car hacking has arrived — and with it, an important opportunity for Argus, an Israeli cyber-security start-up that currently has the world’s only effective system to detect and prevent the kind of attack demonstrated recently, when a pair of hackers took control of a Jeep Cherokee driving in St. Louis.
“Argus’s mission is to promote car connectivity without compromising on security,” said Tom Bar Av, a spokesperson for the company. “In the Jeep case, as well as in other hacking attempts that have been demonstrated over the past year, our solutions could have played a pivotal role in successfully preventing such attacks from affecting a vehicle’s systems.”
The frightening incident was outlined in an article and accompanying video in Wired magazine, which describes how “white-hat” hackers Charlie Miller and Chris Valasek took control of a Jeep vehicle being driven at top speed by Wired journalist Andy Greenberg. Miller and Valasek turned the radio on full-blast, ran the air conditioner, and even took control of the accelerator — scaring Greenberg to the point where he was forced to “drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.”
The demonstration was an extension of an attack the two hackers undertook in 2013 when they took control of the braking system of a Ford Escape and Toyota Prius – but with laptops connected to the cars’ computers.
In their latest escapade, the two relied entirely on the Jeep’s wifi connection, exploiting a weakness in Chrysler’s Uconnect software, which allows connection to the Internet in hundreds of thousands of Chrysler and Fiat vehicles already on the road. All a hacker has to do is identify a vehicle’s IP address – it has to have one, of course, in order to access the Internet – and the rest is by-the-book scripting, similar to taking control of a remote computer, smartphone, or any other Internet-connected device.
Coincidentally, the attack came on the same day that U.S. Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the The Security and Privacy in Your Car (SPY Car) Act, requiring the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure cars and protect drivers’ privacy.
The Act would also establish a rating system — or “cyber dashboard” — to inform consumers how well the vehicle protects drivers’ security and privacy beyond those minimum standards, similar to the “green” ratings that rank vehicles on how their emissions impact the environment.
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” Blumenthal said. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless-connected cars.”
If the bill becomes law, chances are that at least some car companies will be knocking on the door of Israeli cyber-security start-up Argus, which is developing its Intrusion Prevention System (IPS) system to detect and prevent real-time hacking of connected cars.
As cars become connected to the Internet and to external devices such as smartphones, smart keys, diagnostic tools, and other vehicles, they are more vulnerable to cyber-attacks, according to Bar Av. With a bit of effort, hackers would even be able to access a vehicle’s Electronic Control Units (ECUs), allowing manipulation of a car’s engine, brakes, airbags, and other safety systems or vehicle components, the company said.
To prevent this, Argus has designed a system that does a thorough analysis of the communication packets (the segments of data) that come into and go out of the vehicle. Because the range of communications in a vehicle’s infrastructure is limited – it’s only supposed to be sending or receiving specific kinds of communication, to specific IP addresses – the analysis can quickly determine if anything is amiss, preventing a vehicle’s critical components from being hacked in real time. The system can be integrated into any vehicle production line, to ensure that it is not tampered with. The system can also generate reports and alerts for remote monitoring of a vehicle’s “cyber health.” The company has R&D facilities in Israel and a center in Michigan to be near the business center of the American automotive industry.
The Argus system, said Bar Av, has gotten a thumbs-up from the U.S. Department of Transportation – the only mobile cyber-security system to have gotten such approval so far. “Argus solutions are ready-to-embed and provide car manufacturers with a real-time Cyber Dashboard, providing them with real-time overview of their fleet’s cyber health and with the ability to detect new threats and quickly respond to cyber attacks,” said Bar Av.