smart car thieves use CAN injection

[JPortici]

Note that unlike "classic" CAN, CAN FD and (particularly) CAN XL allow the implementation of authentication and cryptography.

Sorry, but that sounds like marketing wank to me.

(laughs)  Maybe it is   But the longer data length field and/or higher bit rates make it more practical compared to classical CAN.  CAN-XL has an explicit SEC bit in the frame header that indicates use of the CADsec protocol, so security and authentication are an explicit part of the protocol (vs. a bolt-on approach in CAN and CAN-FD)

Not commenting on the large payloads a problem more or less solved by automotive ethernet already, and i find that to be necessary only when uploading a new firmware (cameras and the like already use dedicated, more suitable buses) though i can appreciate if CAN/CAN-FD/CAN-XL can live on the same bus

[Zucca]

I am working since 2006 in a big german car company....
I left development and become a test (driver) because it was almost impossible to implement nice idea...
The security department was always turning them down or making them impossible to implement.

The result? You buy today a black box that not even the dealers can fix...

I will never buy something produced after in the last five years.... totally a encrypted and not reparable black box.

[Jeroen3]

Let me predict the future on this.

Say in a few years they do implement some security features in cars to prevent this kind of injection attack.
There will come online a video on youtube from a certain Louis lashing out to [car manufactuerer] that it is ridiculous that when a small car repair shop wants to replace a headlight they need to rent the expensive [car brand] software and adapter and pay membership to get enrolled into a [car brand]-repair program to simply swap the headlight to the ECU. Repairing the headlight unit is already impossible because it's welded shut. "It's like they don't want us to repair things!" he then complains, there should be laws against this!

[magic]

Usually there are two solutions to computer security problems: stop doing stupid things in the first place, or throw more stupid things at the problem to make practical attacks harder.

The latter typically happens not because it's unavoidable, but because somebody (maybe at marketing, design, etc) doesn't want to hear about the former...

This is also the reason why smart appliances (those on four wheels included) will never become secure, no matter the effort. They only get more stupid.

[Ed.Kloonk]

My local TV news reports on random crime involving a stolen car. Every time, it seems, that the get away car(s) involved are BMWs. Not every time, but noticing it very often.

?