> But it only takes one car (or truck) to cause chaos on a freeway.
And that's back to the original point, if you are looking for such small scale problems, make a spike strip and deploy it on the highway. Same scale of destruction as taking one car over, orders of magnitude less skill and money required.
Cars have standard components, but even for cars that don't take digital security seriously (Tesla has that reputation), no driving functions should be on the same network as the external 3G/4G. Yeah you have the infotainment or door opener there, but any ECU running an ASIL-qualified function should be on a separate network, and treat anything connected to the external world as untrusted. That was definitely one of the core architecture assumptions in all car software I've seen. The infotainment system is considered to be compromised and possibly sending malicious data. All the important communication happens on a different network, where internal signing and authentication mechanisms are also used.
And at that level, the internals are too different for the same exploit to work everywhere. What you need to send on the network to make the car brake, or what data format represents the gearbox position, those are different.
I think the major overlooked point is that the modern digital world provides a means for people to commit crimes they otherwise would not have done, simply because they can and because they feel there is low risk of getting caught.
A spike strip, you have to be in the area. A remote attack, you don't have to particularly care about any specific area enough to physically travel to it.. someone can cause chaos simply because they are bored.
And immediately after, they can go do something else.
Tech vulnerabilities aren't yet accessible enough to these types of people, but soon enough they will be and it is not like security is in a temporary poor state. A lot of these systems will remain unchanged for a long time because they are part of an already working business model
Police are quite practiced in finding armed robbers and other people who might use a spike strip (which is pretty tricky to deploy IRL if you want to hit a specific car). But organised crime car theft (with access to key cutting/duplication, remote unlock repeaters, engine immobilizer bypass codes, etc) is a significant problem. I don't see any reason why OCGs wouldn't be enthusiastic users of hacks, the same way that card skimmer gangs operate.
And that's back to the original point, if you are looking for such small scale problems, make a spike strip and deploy it on the highway. Same scale of destruction as taking one car over, orders of magnitude less skill and money required.
Cars have standard components, but even for cars that don't take digital security seriously (Tesla has that reputation), no driving functions should be on the same network as the external 3G/4G. Yeah you have the infotainment or door opener there, but any ECU running an ASIL-qualified function should be on a separate network, and treat anything connected to the external world as untrusted. That was definitely one of the core architecture assumptions in all car software I've seen. The infotainment system is considered to be compromised and possibly sending malicious data. All the important communication happens on a different network, where internal signing and authentication mechanisms are also used.
And at that level, the internals are too different for the same exploit to work everywhere. What you need to send on the network to make the car brake, or what data format represents the gearbox position, those are different.