
I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10-digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.

Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?



Is it really so much better than an RF keyfob that it's worth connecting your car to the Internet for?


Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.

Edit: Non-connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).

https://www.google.com/search?q=fob+relaying+theft+attack


Of course, with this Kia attack, it didn't matter if you had never used or activated the feature; it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.

Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.


>Yes, I accept the risk and threat model.

>Edit: Non-connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).

Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?


DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness are not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."

[1] https://www.techradar.com/pro/security/hackers-are-increasin...

[2] https://www.cisa.gov/news-events/alerts/2024/09/25/threat-ac...


Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.

I don't even carry a phone for that reason.


Nice lifehack; I'm going to do this. Please share more if you have them.



