[jon-wood]

It feels like this should be manageable without completely removing CAN interfaces from peripheral systems by having multiple busses that are interconnected to each other. Things like lights and wing mirrors can sit on a low security peripheral network, with the controller rejecting any commands that aren't whitelisted, it's not like you need to be able to plug arbitrary devices into your headlight socket.

[TheLoafOfBread]

You know that it actually is whitelisted by its CAN ID, but ECU can't tell where the command came from.

[jon-wood]

It can if you have actually isolated busses feeding into what I will, for lack of knowledge of a better term, a CAN router. Maybe it exists, but I'm imagining a device with multiple CAN inputs that makes decisions on what messages to pass on to other busses.

[TheLoafOfBread]

That what gateway is doing and that's the reason why they are going for headlights (which are sharing bus with immobilizer I suppose) and won't go for door locks or TPMS.

[closeparen]

>which are sharing bus with immobilizer I suppose

I think the proposal is to, uh, not do that.