tl;dr — >5700 words
“A slew of recently-revealed exploits show gaps in carmakers’ security fit and finish.
“[T]he auto industry as a whole struggles to understand security researchers and their approach to disclosure—some automakers feel like they’re the victim of a hit-and-run. The industry’s insular culture and traditional approach to safety have kept most from collaborating with outside researchers, and their default response to disclosures of security threats has been to make it harder for researchers to work with them. In some cases, car companies have even sued researchers to shut them up.
The threat of more regulation could move carmakers toward a voluntary standard more quickly. But market forces could do the same, Corman suggested. “When people start to look at which of these five stars they have…once people start to say, ‘I don’t want a car that has a radio that can to kill me,’ then we’ll see separation and isolation, even if the government never asks,” he said. ” If Jeep takes a hit for the next two quarters, they’re going to have to do something different.”
Miller isn’t sure that trying to talk to the auto industry will have any long term benefit. He said that the only way he thought car companies would change is if people got upset with them. When asked if he was concerned about people having a negative response to his work, he said, “If that’s their response, then good. If they want to freak out, maybe they’ll go to the car companies and ask. ‘What are you going to do about this?’ The more people are upset and talking about this, especially with their congressmen, the more likely that car companies are going to spend money on this.””
Read it all, see pictures, read comments at arstechnica.com.