Here in the UK, the insurance industry collectively funds Thatcham Research, an independent body that assesses the safety, security and repairability of new cars. Thatcham's assessments are hugely important to motor manufacturers, because they directly influence the cost of insurance; a good rating from Thatcham means a low insurance group rating, which is an important selling point. It's a fantastic example of what happens when everyone's interests are aligned.
Thatcham also assesses aftermarket security equipment; most insurers offer discounts on premiums where Thatcham-approved equipment is fitted. It is worth noting that neither of the products mentioned in this article is Thatcham approved.
I'm skeptical it does. I saw a few times how regulated software (certain billing systems) was certified, and that was a bad joke. Maybe you have different experience, though.
If you want government bodies to spend taxpayers' money on something, I'd rather suggest spending it on funding security researchers actively attacking systems and cooperating with manufacturers on fixing the discovered issues (and you can legally mandate such cooperation). This might work, actually improving end-user security. Although you'd have to somehow audit that those researchers are actually doing something...
For manufacturers to actually listen to security research, you'd need regulation as well.
You could also require all or certain software in cars to be open source.
Yes, it can. DO-178B is a widely used security standard in military equipment. It's difficult and expensive to obtain, and caters to fighter jets, not cell phones, but there is precedent for true technical security improvements through government programs.
https://jalopnik.com/how-the-nissan-leaf-can-be-hacked-via-w...
While I agree with everything above, it can be humbling to consider the huge number of people already in control of that car (at the car company, software partner, hosting partner, phone maker), but extending that trust to the local network amounts to an inexcusable security problem.
It is interesting that having legitimate control over a certificate makes this a desired feature rather than a huge security problem. The real world may not be all that black and white.
I don't think it was the bug itself that bothered me so much as their response. I sent them an extremely clear email with the exact steps I took and screenshots showing how other apps responded to my fake cert with error/warning dialogs; it was escalated directly to the engineering team, and they seemed to have no idea what I was describing or why it was an issue. I assumed at that point the issues went a little deeper than what I had uncovered, and it seems from this post I wasn't too far off the mark.
How are these companies remaining in business? Call yourself unhackable and then don't bother to even authenticate API requests... mind boggles.