
Throwaway account. I have actually worked on this sort of stuff. These topics are well known in the industry and have been for a surprising amount of time (decades).

Some premium brands will have the immobilizer await proper crypto from the key reader. In this case the key reader is just there to read the key and pass on the message, there is no decision being made outside of the immobilizer.

Some premium brands will also have immobilizers in other places, like the gearbox. It too will await proper crypto to shift into gear.

Some premium brands will have signed CAN/FlexRay/Ethernet frames that will prevent message spoofing, though that isn't only for this situation.

Most of the time the Gateway module has a static firewall - basically fixed routing tables so only modules that need to will be allowed to talk to each other.

Finally some premium brands will have an HSM both in the key and in the immobilizers to keep the material safe.

There is a lot more to this topic obviously but the reason some brands don't have this (and other countermeasures) is simple: cost.



I've also worked in this space for a few years, and the number of HN-style overconfident "we can fix this in hardware like the old days, the computers are coming for us!" comments without understanding the automotive industry or how cars are wired is pretty hilarious.

Something that should be noted for anyone who actually reads this is that the level of vulnerability is wildly different between automakers. No universal solution exists.


Yep - and not just between automakers, the security model varies wildly between different electrical architectures from the same manufacturer. Like any industry, there are hard problems, some of which are technically difficult, and some of which are self-inflicted from history/culture/insularity. No sector with any significant value or market competition has only the latter.


Without working in the industry, how could someone vet for the internal cybersecurity of an upcoming car purchase? None of these security features seem to be publicly documented anywhere. I have spent a long time looking.


You can't. Heck, it's sometimes hard to tell even when you work inside and have all the docs. The best information you have is to look at the manufacturer's past history as evidence for their future security competence.

Manufacturers also aren't building every piece of software on a given vehicle. Many components will be done by suppliers that range from "meh" to "wtf" when it comes to security. Even the best reviewers will struggle to catch everything a sufficiently incompetent implementation screws up.


> Most of the time the Gateway module has a static firewall - basically fixed routing tables so only modules that need to will be allowed to talk to each other.

This was exactly my thought. If the headlights, and any other easily accessed CAN bus wiring, were properly isolated from critical security ECUs via a properly configured gateway, this attack would be impossible.


I don't think that segmenting CAN wiring is a good solution to this problem. The Powertrain CAN will always be accessible externally for some definition of "externally" (on older GM cars it ran across the bottom of the car to reach the transmission, for example), and even a separate "immobilizer" CAN would probably be accessible somewhere.

The solution, as implemented by many automakers already, is just to authenticate immobilizer messages. It works, and there's not a great excuse for not doing this in 2023.
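What "authenticate immobilizer messages" looks like on the wire, as an added example that is not from this thread or any manufacturer: the sender appends a freshness counter and a truncated MAC to the payload, and the immobilizer rejects frames whose tag does not verify or whose counter does not advance (replays). The CAN ID, key and 2/2/4-byte layout are assumptions, and HMAC-SHA256 from the standard library stands in for the AES-CMAC more typical on an ECU.

```python
import hashlib
import hmac
import struct

# Constructed demo key. On a real vehicle this lives in the HSM of the key
# and of the immobilizer, never in firmware as a literal.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IMMO_CAN_ID = 0x0A5  # hypothetical CAN ID for the immobilizer release message


def _tag(key: bytes, can_id: int, payload: bytes, ctr: bytes) -> bytes:
    """Truncated MAC over CAN ID + payload + counter.

    Including the CAN ID means a valid tag cannot be lifted from one
    message type and attached to another."""
    msg = struct.pack(">H", can_id) + payload + ctr
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def mac_frame(key: bytes, can_id: int, payload: bytes, counter: int) -> bytes:
    """Build the 8-byte classic CAN data field:
    2 bytes payload | 2 bytes freshness counter | 4 bytes truncated MAC."""
    if len(payload) != 2:
        raise ValueError("payload must be exactly 2 bytes in this layout")
    ctr = struct.pack(">H", counter & 0xFFFF)
    return payload + ctr + _tag(key, can_id, payload, ctr)


class ImmobilizerReceiver:
    """Immobilizer side: verify tag first, then enforce a strictly increasing counter."""

    def __init__(self, key: bytes, can_id: int):
        self.key = key
        self.can_id = can_id
        self.last_counter = -1  # a 16-bit counter needs a resync path on wrap; omitted here

    def accept(self, data: bytes) -> bool:
        if len(data) != 8:
            return False
        payload, ctr, tag = data[:2], data[2:4], data[4:8]
        # Constant-time compare so tag verification does not leak timing.
        if not hmac.compare_digest(tag, _tag(self.key, self.can_id, payload, ctr)):
            return False  # forged, corrupted, or MAC'd for a different CAN ID
        counter = struct.unpack(">H", ctr)[0]
        if counter <= self.last_counter:
            return False  # replayed or out-of-order frame
        self.last_counter = counter
        return True
```

The counter check is what turns "someone recorded a valid release frame" into a frame the immobilizer will not honour a second time.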


Do manufacturers advertise these features? Some manufacturers don't even include immobilizers. It would be nice to know which include extra features. Seems like it could be a selling point.


On the contrary unfortunately, it's all secret for the average consumer.

People who have never worked in the industry greatly underestimate how much it really costs in R&D and production to make a car. Adding "authentication" and "encryption" in this environment is way more complex and has more implications than importing yet another library in a web app.

Even so, a few manufacturers go to a great deal of effort to secure their stuff while others are using 20-year-old architecture because it works and it saves money.

I want to say that "premium" brands are much better, but there are a lot of exceptions. However, cars with lower margins and lower overall cost will be worse.


Can you recommend any manufacturers or models that are following the best practices?


I too would be interested in any web resources people know about detailing these things.


How does a person with a CAN tool and an insatiable curiosity for knowledge about his own car find detailed documentation for his own edification? Any leads?


The DIY-autonomous-car folks have assembled a wealth of knowledge.


There are one or two well-populated subreddits for car hacking, so that might be one place to start.


> These topics are well known in the industry and have been for a surprising amount of time (decades).

I always assumed that immobilizers were already using cryptography to talk to the ECU; otherwise this kind of attack would be obvious.
