Well for one thing the OBD port shouldn’t be designed so that it has direct access to any useful CAN bus. It should go to a gateway that requires authentication to do anything except read OBD, and all of the IDs that you are allowed to send should be whitelisted.
The issue people are mentioning with the headlights is easily solved by just moving the starter CAN to its own CAN bus between the immobiliser and the ECU (physically isolating the headlights), which costs about $5 total and requires no crypto unless thief is willing to cut the car nearly completely in half.
(The problem with crypto is the $10 safety MCUs used all throughout cars are only like 20MHz and they can’t really do the 2000+ crypto ops/sec on top of their current workload. Also the tooling support for crypto ATM is really poor in the model based design tools that are used for this safety relevant SW)
BTW I personally don’t believe that anything that involves cutting into a vehicle is negligence of anyone. I mean, from my perspective, anyone can just pop the hood and drive the car with their own BYO ECU. It’s just a hunk of metal and once you start cutting it up you can make it do whatever you want.
Yes, the simplest solution sometimes really is the right one. Cheaply isolate sensitive targets from easily accessible areas. Your $5 solution is enough to avert these issues, and makes the attack a lot more expensive. The job is to find a "lever" where you only have to put in a little effort (say $5 worth) but which causes the thief to have to put in a lot of effort (cutting the car in half). The better the "lever", the safer the design.
I agree fully with this, except for the fact that this then makes devices like the Comma (comma.ai) impossible. The hacker in me really wants to be able to send steering signals by plugging something into my car :)
The solution is not that complicated, just route the wiring harness on a location not easily accessible from the exterior of the vehicle. There’s nothing that can stop thieves just delay them enough to increase their risk to be discovered.
The issue people are mentioning with the headlights is easily solved by just moving the starter CAN to its own CAN bus between the immobiliser and the ECU (physically isolating the headlights), which costs about $5 total and requires no crypto unless thief is willing to cut the car nearly completely in half.
(The problem with crypto is the $10 safety MCUs used all throughout cars are only like 20MHz and they can’t really do the 2000+ crypto ops/sec on top of their current workload. Also the tooling support for crypto ATM is really poor in the model based design tools that are used for this safety relevant SW)
BTW I personally don’t believe that anything that involves cutting into a vehicle is negligence of anyone. I mean, from my perspective, anyone can just pop the hood and drive the car with their own BYO ECU. It’s just a hunk of metal and once you start cutting it up you can make it do whatever you want.
I am an automotive systems engineer.