> He said that a car IPS doesn't do away with the need for secure vehicle design,
But a secure vehicle design does away with the need for an IPS.
Security shortcomings in new cars could nurture a new branch of the infosec industry in much the same way that Windows' security failings gave rise to the antivirus industry 20 or so years ago, auto-security pioneers hope. Former members of Unit 8200, the signals intelligence unit of the Israel Defense Forces, have banded …
> But a secure vehicle design does away with the need for an IPS.
That's like saying, "A secure house design does away with the need for a household security system." Vehicles literally have a lot of moving parts. Because of this, the complexity makes eliminating all problems highly unlikely. To illustrate this, I invite you to do a search for "recall" paired with the make of the vehicle you drive. Having a layered approach to security would seem to be important in the automotive world, too.
Yes. I have one.
But I also have (and expect in future to have) a modern car.
Maybe we should look at changing manufacturer perceptions regarding security in ALL areas where IT is becoming an issue. TVs, fridges, electricity meters, home security systems, etc. etc.
Whilst generally legislation applied to tech tends, even if done with the best of intentions, to fail as laws stagnate and tech (usually) doesn't, this might be one area where some broad principles could perhaps be laid down, with manufacturers being subject to penalties if they don't secure things so that Joe Bloggs buying on the street doesn't have to be an IT expert.
Keys are currently the weak point in vehicle security, which is why they are either being cloned or stolen from your house.
The advent of always-connected vehicles will change that. Some vehicle manufacturers are already testing delivering software upgrades over the air remotely, without the need for the car to be switched on; it just needs the battery connected. Next time you start the car you'll get an egg-timer with 'Please wait, installing upgrades....60 minutes to go...'
So there will definitely be a route in for remote hackers. I can't see why a hacker would want to attack one car (other than a terrorist wanting to take control of the Prime Minister's car and drive it into the Thames, for instance) but if they can infect tens of thousands in one go, then there is a definite incentive for them to start trying, and probably some money in being the next Symantec and trying to stop them.
When I needed a couple of new keys for my 2003 Hyundai Terracan even the franchise dealer was totally unable to get the immobiliser to accept the new keys - security against theft (or even use by the legal owner) doesn't get any better than that!
In the end a locksmith had to install duplicate responders in the new keys to match the one existing key.
Mass-produced devices of any type have a weakness - MASS.
All it takes is a criminal sharpy to hack a mass anything and the device is often defenceless.
A language student of mine is a car electronics technician and we use the service manuals, carefully presented in English, for an American-designed automobile that is manufactured in China.
We ploughed through the boring suspension, engine and body manual sections and then we hit the electronics! In this manual were all the details needed to bypass, eliminate, all manner of electronic security ... for maintenance purposes only.
If I, albeit an electronics technician, can fathom the devices, what can a dedicated, thieving hacker do?
Even the good old cylinder locks are an open book since there is a device you insert into a lock and, using induced frequency testing, can determine the lock characteristics in seconds. What hope is there?
My high-end Taiwan-made motorcycle has a convenient multi-pin connector behind the rear number plate. This is used in production test and circumvents all the security provisions. Naturally I inserted switches in the power pin lines and the test connector is ineffective unless switched on - after removing the seat mounting storage box.
I also installed a 15 second timer in the fuel pump line which, unless a concealed contact is touched, stops fuel delivery to the engine. I also have a very noisy alarm which is triggered by motion and is loud enough to awaken any sleeping parking lot attendant.
Neither of these devices would have value except for the fact they are unique. THIS is what is missing from mass-produced security devices.