[kjkjadksj]

A stupid requirement.

Consider this. Almost every car on the road today has an unsecured bus going back to like the 1980s. However you need to actually access the car to do something malicious so the threat vector is zero; since if you have access to the car you can also just cut brakes or put in a pipe bomb.

The only reason why this paradigm changes in the EV era is because the insistence on having EVs phone home. Now you can concievably hack all EVs of this model at once and that is now realistic and even attractive to do. But again not a necessity for running a car. Just something that modern software focused companies want to see that leads to a host of expensive security issues that didn’t exist before. The car could be airgapped with the dealer network used to flash software updates like they do with most other cars before EV era.

[cibyr]

The threat is not exactly zero. In some cases, thieves can get physical access to the bus from outside the car, and then inject messages to unlock it, start the engine, and drive away: https://kentindell.github.io/2023/04/03/can-injection/

Sure someone in that situation could also "just cut brakes or put in a pipe bomb" but car theft is a lot more common than assassination, at least where I live.

[kjkjadksj]

There are plenty of cars on the road today where theft is as easy as splicing two wires together. And yet grand theft auto isn’t very common at all even with all of these cars capable of being stolen in 10 seconds are being parked unsupervised on just about every block. Seems there are other filters in the overall system of society that are effective in keeping these unsecured cars from getting stolen today.

[fn-mote]

> Almost every car on the road today has an unsecured bus going back to like the 1980s. However you need to actually access the car to do something malicious

See [1] from 2023, where popping the headlight gives access to the bus. Lack of internal security then gives a way to steal the car.

The threat just isn't the same as the one you are modeling.

Security will come eventually, if only to prevent bad publicity.

[1]: https://arstechnica.com/information-technology/2023/04/crook...

ETA: Just as the sibling says...

[kjkjadksj]

It begs to ask why a headlight ought to have a data connection and not just power connection like most other cars of say 20 years ago. But even then when does the arms race end? Someone given enough time can cake apart a car to access any piece of it. A slim jim gets you to the hood release and the ecu of a say 2000 honda civic in 20 seconds. Was this a real world issue however in the 2000s, people hacking into drive by wire early obdii era cars like the s2000 to assassinate them with misdirected inputs or whatever the threat vector might be? Not really. Old fashioned ways to screw with people are simpler and cheaper.

[rangestransform]

> The car could be airgapped with the dealer network used to flash software updates like they do with most other cars before EV era.

I would rather have OTA updates than enable parasitic middlemen to siphon money out of me