Just an FYI for everyone on the "segregated systems" bandwagon:
If a compromised device can talk on the CAN bus it's game over since (pretty much) everything listens on that bus, so you can't (without a lot of time and effort to implement a way to) pick and choose systems to segregate while maintaining wireless connectivity to those critical systems.
Vehicle manufacturers get a huge data set sent back to them by vehicles. They use this for stuff like correlating part failures to operational conditions, determining which intermittent wiper setting people use, as well as improving the logic for the operation of critical systems (e.g. if my last inputs were $stuff then don't upshift). I wouldn't be surprised if they sold the data as well. McDonald's would love to know where and when people start looking for food. Insurance companies would love to have more variables to correlate to risk, trivial (e.g. $color cars with $trivial_feature get in accidents that cost $really_small_percent $more_or_less than $other_color
To segregate systems you need to be able to pitch to the bean-counters that the cost/benefit of whatever degree of segregation you're proposing beats the cost/benefit of whatever plan the next guy is proposing. These data sets are incredibly valuable to many different parts of the company. The people doing marketing and customer-facing stuff would be at a severe competitive disadvantage if they had to wait months (first oil change) to get real-world data on feature usage after a re-design.
Sure you could download it at service time..."but we already have a system that does it in near real time, can't we just secure that?"...
TL;DR: Segregating systems involves more than having the engineers wait a few months to figure out if their new tune solved the problem.
Which costs less in the long run, a potential class action lawsuit and loss of consumer confidence, or better system security?
If necessary, consider that security is a feature you can sell, when your competitors are following the path of least resistance and paying out their settlements.
Depends on the lawsuit. How much effort would you go through to secure software that runs on a decade old vehicle with a very particular set of options if the exploit requires a very particular set of conditions?
You might fix it just to have a similarly obscure zero day be discovered (unknown to you) and exploited in a different place. Then not only were all those resources spent in vain, but you've got to deal with the opportunity cost of not having thrown those resources behind current or future safety and security tech.
People accept the risk of driving vehicles with legacy safety equipment; why should software be any different from hardware or legacy software in non-embedded applications? At some point you have to let stuff go. Just ask Microsoft.
Depends on how much effort it would have taken to get it right the first time, which is what I'm suggesting be done.
And in this case, these vehicles were manufactured pretty recently, so even conceding your point, I don't think we've passed the 'let stuff go' point in this case.
Vehicle manufacturers get a huge data set sent back to them by vehicles.
That is creepy. Is there a way to disable this phoning home (or know it even exists) if I ever buy a new vehicle? That's an unlikely situation for me, but maybe there are others who would like the new features but not the privacy aspects of it.
Even so, the manufacturers are only receiving data, so a one-way link from critical systems to others would be fine. That's how airplane avionics have been designed.
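An added illustration of the one-way-link point above (my own toy model, not code from any poster or vehicle vendor): a bidirectional "just secure the existing link" bridge is compared with an export-only gateway that has no write path back onto the bus. The arbitration IDs and frames are constructed placeholders, not real vehicle IDs.

```python
from dataclasses import dataclass

# Added illustration; arbitration IDs below are constructed placeholders.

@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit arbitration ID; classic CAN frames carry no sender field
    data: bytes   # classic CAN payload is 0..8 bytes

    def __post_init__(self):
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError("arbitration ID must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")

# Placeholder IDs of the telemetry the manufacturer actually wants exported.
EXPORT_IDS = frozenset({0x100, 0x101, 0x2A0})

class BidirectionalBridge:
    """The 'can't we just secure that?' design: frames pass in both directions."""
    def __init__(self):
        self.to_backend, self.to_bus = [], []
    def from_bus(self, frame):
        self.to_backend.append(frame)
    def from_backend(self, frame):
        self.to_bus.append(frame)  # whatever the telematics side sends reaches every ECU

class OneWayGateway:
    """Export-only design: selected bus traffic flows out, nothing flows back in."""
    def __init__(self, export_ids=EXPORT_IDS):
        self.export_ids = export_ids
        self.to_backend, self.to_bus = [], []
        self.dropped = {"not_exported": 0, "inbound": 0}
    def from_bus(self, frame):
        if frame.arb_id in self.export_ids:
            self.to_backend.append(frame)
        else:
            self.dropped["not_exported"] += 1
    def from_backend(self, frame):
        self.dropped["inbound"] += 1  # no write path toward the bus exists

def compare(bus_traffic, backend_traffic):
    """Return (frames exported, frames reaching the bus) for each design."""
    results = {}
    for name, gw in (("bridge", BidirectionalBridge()), ("one_way", OneWayGateway())):
        for f in bus_traffic:
            gw.from_bus(f)
        for f in backend_traffic:
            gw.from_backend(f)
        results[name] = (len(gw.to_backend), len(gw.to_bus))
    return results

# Constructed traffic: three bus frames (two exportable) and one frame the backend side sends.
SAMPLE_BUS = [CanFrame(0x100, b"\x00\x5a"), CanFrame(0x3f0, b"\x01"), CanFrame(0x2a0, b"\x10\x00")]
SAMPLE_BACKEND = [CanFrame(0x3f0, b"\xff")]
```

`compare(SAMPLE_BUS, SAMPLE_BACKEND)` shows the bridge letting the backend-originated frame onto the bus while the one-way gateway exports only the allowlisted telemetry and puts nothing on the bus.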