Press

Karamba Security Publishes its Annual Automotive Vulnerabilities Report

The report is based on analyzing hundreds of ECUs’ firmware images, and pen testing dozens of ECUs and vehicle types

HOD HASHARON, Israel, April 30, 2024 – Karamba Security, the world leader in end-to-end product security, has made available its 2023 Automotive Threat Landscape and Vulnerabilities report.

The report delivers an analysis of the current state of cybersecurity in the automotive industry, based on Karamba Security’s catering to OEMs and Tier-1 suppliers in their compliance and efforts to stay resilient. The analysis is based upon pen-testing results of dozens of ECUs, and VCode scanning hundreds of ECU images.

The report presents distinct findings from Rich-OS (Linux & Android) and from AUTOSAR devices. The findings are described along with actionable guidance on meeting the automotive cybersecurity UN R155 regulation and the ISO/SAE 21434 standard by improving the vehicle architecture security posture.

Some of VCode binary scanning results are:

• All scanned ECUs with Rich-OS contained at least 20 risky tools (such as permission handling utilities, debuggers, compilers, source code editors, and remote connectivity tools), with 60% of the ECUs containing 30 to 40 of such tools.
• With these Rich-OS ECUs, VCode has identified ten common libraries that are accountable to most high/critical vulnerabilities exist; those libraries were found in 66% of the tested ECUs.
• Significant numbers of ECUs were found to contain binaries which lack basic or essential security features on the binary level, such as stack canaries.
• In AUTOSAR-based images VCode has identified repeated compliance issues, and CWEs that indicate ECUs’ vulnerabilities.

In pen testing AUTOSAR/RTOS images, the Unified Diagnostic Service (UDS) configuration was found to be the area most prone to risks. UDS vulnerabilities enable hackers to reset the ECU and create other safety risks. The second most common category, accounting for more than half of the ECUs tested, was findings around Keys Management and Certificates Storage. Other findings were related to Security Access issues, which may involve unauthorized access or control of vehicle ECUs and sub-systems.

The 2023 report underscores the importance of continuous improvement in cybersecurity strategies and the adoption of robust Cybersecurity Management Systems (CSMS) across the entire supply chain. You can download the report here.

On May 28, 2024 Karamba will hold a webinar to describe the findings and how to remediate them. You can register for the webinar here.

About Karamba Security

Karamba Security is the world leader in End-to-End security for IoT products. IoT product manufacturers in automotive, medical devices, renewable energy, and enterprise edge rely on Karamba’s products and services to seamlessly protect their connected devices against cyberattacks and comply with industry regulations. With more than 120 successful engagements with Fortune 100, and Global 500 companies, automotive and IoT product manufacturers trust Karamba’s award-winning solutions for compliance and brand competitiveness when protecting their customers against cyber threats.

More information is available at www.karambasecurity.com and follow us on LinkedIn at www.linkedin.com/company/karamba-security.

Media Contact:

Montner Tech PR
Deb Montner
[email protected]

Recent Press Releases

• Karamba Security Publishes its Annual Automotive Vulnerabilities Report
• Karamba Security Releases XGuard 3.0 to Extend the Depth of Its IoT Product Security Suite
• FAQ Video Channel: Automotive Cybersecurity Knowledge Library
• VCode 3.1: Vulnerability Scanning for Continuous Security