This article is more than 1 year old
Israeli ex-spies want to help you defend your car from cybercrooks
Who needs a lock pick when you've got an electronic key?
Car cyber-security is a growing field, oddly enough
Argus, which was established a year ago, has ambitions to become the "Symantec of automotive security” after raising $4m in finding from Israeli venture capitalists back in May. Staff at the Israeli startup are mostly IDF veterans but it also employs automotive experts.
Defeating security: Here's how to do it the old-fashioned way
Potential competitors in the nascent field of automative security include TowerSec and Arilou, two other Israeli firms. "There's five or six firms worldwide," according to Heilbronn.
Ken Munro, a partner at Pen Test Partners, who recently uncovered security issues in systems that pair the latest generation of BMWs with owners' mobiles, reckon there's merit to Argus's defence-in-depth approach.
"The attack surface for a vehicle is probably too great to have 100 per cent security assurance at the manufacturer level," Munro told El Reg. "The electronics in a car are brought together from multiple manufacturers and software suppliers, so we have to accept that given the complexity and level of interest in auto security, more vulnerabilities will be found."
"That attack surface is only going to increase as we see more and more connectivity being brought in to cars. The functionality that is only today available on high-end cars like the Tesla, BMW i3 and others will quickly filter down in to rep-mobiles and SUVs," he added.
Miller and Valasek’s research showed security controls (where present) can sometimes be defeated or worked around, "so having the automotive equivalent of an IPS can’t be a bad thing," Munro told El Reg.
Yet manufacturers should not rely on this as an excuse not to apply their own security controls, Munro argues. He said that a car IPS doesn't do away with the need for secure vehicle design, just as using a web application firewall doesn't get away from the need to avoid writing a flaky web application. "The WAF does not remove the need to secure the application, it just helps," he said. ®
Biting the hand that feeds IT
