I'm not disagreeing with you, it's just the realities. For example CAN does not have a notion of source, it's really in the abstract a whole lot like a bus, just with cables.
So one reason the infotainment might want to send commands is so that station/song information appears in the instrument cluster.
Now I agree it would be really smart if there was another module sitting between the radio and the IPC with two sides and it filters both ways. Also that gateway has logic like, I have power but it's been less than a minute, this packet has the right code, sure I will let this reflash happen. In fact such devices exist (except they are more trusting).
The thing is though that the radio tends to have the most impressive CPU of all in the car, so there is pressure to add that in there (I mean there was one manufacturer that had tried to merge BCM, TCM, telematics, and DIC all into the head unit with a roughly 400MHz CPU, so that gives you an idea), logic like 'yeah maybe, we won't be sending that in fact.' But once it is hacked, all bets are off, it can even DoS the bus. The other aspect is you just want the crap from Delco to work with the stuff from TRW and the gateway is getting in the way and you don't want to expend the resources to figure out why.
When it was all a wired network, it did not really matter so much.
> For example CAN does not have a notion of source, it's really in the abstract a whole lot like a bus, just with cables.
I get that. And if it did, the attack would be spoofing that.
Which is why the solution needs to filter what goes onto the bus - at the only point the source is known.
> When it was all a wired network, it did not really matter so much.
Well, consider if I told you there was a way to "cut the brakes" (at a future date, when the car is at speed, etc) on any car you've been in, without any tools needed or evidence left. Untraceable murder.
It's only the scope of the current attack that makes that look minor.
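The gateway filtering discussed in this thread, sketched as an added example that is not from either poster or from any vendor's firmware. The CAN IDs, the rate limit, the one-byte "right code" (a stand-in for whatever authorization a real gateway checks) and all names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed values; real ones come from the vehicle's CAN database. */
#define ID_RADIO_TEXT     0x3A0u  /* station/song text for the cluster (hypothetical) */
#define ID_REFLASH_REQ    0x7E0u  /* reflash request (hypothetical) */
#define REFLASH_WINDOW_MS 60000u  /* "I have power but it's been less than a minute" */
#define REFLASH_CODE      0xA5u   /* placeholder for the real authorization check */
#define RATE_PERIOD_MS    1000u
#define RATE_MAX_FRAMES   20u     /* frames accepted from the radio port per period */

struct gw_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };
struct gw_state { uint32_t period_start_ms; uint32_t count; };

/* Decide whether a frame received on the infotainment port may be forwarded
 * to the instrument-cluster bus. CAN frames carry no source field, so the
 * ingress port is the only place the sender is known. */
bool gw_forward_from_radio(struct gw_state *s, const struct gw_frame *f,
                           uint32_t ms_since_power_on)
{
    /* Per-port rate limit: a compromised head unit cannot flood the far bus.
     * Every received frame counts, including ones later rejected. */
    if (ms_since_power_on - s->period_start_ms >= RATE_PERIOD_MS) {
        s->period_start_ms = ms_since_power_on;
        s->count = 0;
    }
    if (++s->count > RATE_MAX_FRAMES)
        return false;

    if (f->dlc > 8)               /* malformed length for classic CAN */
        return false;

    switch (f->id) {
    case ID_RADIO_TEXT:           /* the one thing the radio legitimately sends */
        return true;
    case ID_REFLASH_REQ:          /* only shortly after power-on, with the code */
        return ms_since_power_on < REFLASH_WINDOW_MS &&
               f->dlc >= 1 && f->data[0] == REFLASH_CODE;
    default:                      /* default deny: anything not listed is dropped */
        return false;
    }
}
```

The same function shape, with its own allowlist, would cover the opposite direction.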