[rjsw]

There isn't any reason why the entertainment system couldn't reprogram the ECUs, I have never seen a read-only CAN controller so the hardware will be able to write to the CAN bus. The OBD-II diagnostic connector provides full access to the CAN bus anyway so once you are inside the vehicle there isn't much security.

You could even run the service diagnostics on the entertainment system and avoid the need for extra hardware in repair shops.

[mdorazio]

At least with the auto manufacturers I've worked with the entertainment system is controlled by a DCU, which is in turn connected to the CAN controller. It is the DCU that limits the access to be read-only. It may be possible to alter the firmware of the DCU to allow two-way access, but it would not be easy.

100% agree with you that if you're already inside the car security of the entertainment system is a moot point. There are attack vectors you could use that bypass software controls entirely.