Jeeps being hacked. Scary!
What is interesting is the total lack of security on the mobile side - it seems the manufacturer had SIMs on the Sprint mobile network which simply operated on private IP addresses but still on Sprint's network. This allowed anyone with a Sprint SIM to access the car's systems.
One of my customers just commented on IRC basically "Should've gone to A&A", in that we do private network data SIM cards for UK use where the SIM connects back to us, and can connect on to a private LNS on a corporate network allowing the IP traffic to be private to that network. It would, with a very simple setup, allow someone to run a completely private corporate mobile network from one SIM card upward for very low cost.
But this is "simple", in that it allows open, unencrypted, IP traffic to and from the mobile device and the corporate network, relying entirely on the mobile and ISP networks to provide that security. It works well. It is great for things like iPads and the like that can "just work" out of the box and find themselves on the corporate LAN behind the corporate firewall without a complicated VPN setup.
Of course, doing this for cars would have the issue that you just get one of the SIMs from a car and have access to the car network. This, fortunately, is one line of firewall config on the LNS to stop car-to-car traffic (he he "traffic", and "cars", sorry, LOL).
Even so, and even though this is a solution we sell, this is far from the solution that should be used for access to a car! The link should use a secure and validated encrypted communications channel - essentially a VPN. This would allow the car to be sure that it is talking to the manufacturer, and would also allow the car to communicate safely via any IP connection to get there (WiFi or mobile) and so not tie the manufacturer to one SIM/mobile setup.
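As an added illustration (not from the original post), here is what "secure and validated" means at each end, using mutually authenticated TLS in Python as a stand-in for the VPN. The file parameters, the constructed `vehicle-0001` sample and the convention of carrying the vehicle id in the certificate common name are assumptions.

```python
import ssl

# Assumptions for illustration: PEM file paths are supplied by the caller, and
# the vehicle id is carried in the client certificate's commonName.

def car_context(ca_file=None, cert_file=None, key_file=None):
    """Car side: trust the manufacturer's CA, not the network it arrives over."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # backend must prove its identity
    ctx.check_hostname = True                      # and hold a cert for the expected name
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # manufacturer CA only, no public CAs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the car's own identity
    return ctx

def backend_context(ca_file=None, cert_file=None, key_file=None):
    """Manufacturer side: a peer without a valid client cert fails the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA that issues vehicle certs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def vehicle_id(peercert):
    """Take identity from the verified certificate (the dict returned by
    SSLSocket.getpeercert()), never from the source IP address."""
    if not peercert:
        raise PermissionError("no verified client certificate")
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    raise PermissionError("certificate carries no vehicle id")

# Constructed sample in the shape getpeercert() returns after a handshake.
SAMPLE_PEERCERT = {"subject": ((("organizationName", "Example Motors"),),
                               (("commonName", "vehicle-0001"),))}

if __name__ == "__main__":
    print(vehicle_id(SAMPLE_PEERCERT))
```

With no CA file loaded the car context trusts nothing, so it fails closed rather than falling back to whatever the network presents.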
Hopefully they will learn! It sounds like there will be laws to make them learn!