Comment by summm

6 hours ago

They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.

This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.

11 comments

summm

Reply
ornornor  6 hours ago

> draconian countermeasures are drafted and constructed one by one.

Except when it’s about privacy or anything else we actually care about: then absolutely nothing is done because it would cost more than 0 to do anything.

ryandrake  1 hour ago

> Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press.

It's pretty sad that "User used their product in a novel way we didn't expect" is seen as a risk that must be mitigated.

therealpygon  2 hours ago

I suspect the manufacturer probably cares less about what you do to your own car and hacking it, than they do about the potential for security compromise of their products on a broader scale, where they will then get blamed and sued for not having closed said loopholes. It is a no-win situation when it comes to fault assignment.

cisophrene  4 hours ago

> It is only a matter of time until they add encryption.

I hope I won't be in one of those cars when the in-memory encryption key gets bit-flipped by the unfortunate cosmic ray.

formerly_proven  4 hours ago

It’s a fair assumption that most of these things are trickle-down effects of CMS/R155 and CRA combined with very high risk aversion on the company side. The less you expose, the lower the risk.