Japan's automakers to cooperate on cybersecurity of connected cars

Its not hard if you know what you are doing, the industry lags behind because a real solution would put a lot of security companies out of business.

To do security well, is extremely hard. What we've learned over the years:

Never place entertainment systems on the same network as critical vehicle systems. Ask BMW why. Don't use anything that someone can look-up or see from outside the vehicle as the access code. Ask Nissan why. Don't use anything that someone can guess as the access code. Ask Nissan why. Don't allow more than 10 attempts with access before their is a lockout. Ask Ford why. Don't trust DNS. Ask any network engineer why. Don't trust public certificate authorities. Ask any DefCon member why. Always use unique keys between components with every authenticated API call. Ask most home router/webcam makers why. Do not trust that complex APIs will never be reverse-engineered as any sort of security. Basically, a RADIUS system for system-to-system communications is needed with unique keys. Always use 2FA for any remote control items. SMS cannot be used. Ask the US DoD why. Don't trust anything over RF. NEVER, NEVER, NEVER, trust bluetooth. Ask any DefCon member why. Build in patch methods with self-validating signatures. This has been solved for decades. Look to any major Linux distro for how. Allow users to decide when updates/patches will be applied, but don't make it hard to delay for 12-24 hours. Ask Microsoft to implement this ASAP. Users not getting a choice is a huge issue. Work through every possible use-case for the total vehicle ownership process. It must be possible to remove 1 owner's access from all things on the vehicle and hand over that access to a new owner. There are lots of "connected vehicles" where the old owner still has complete access to all remote controls.

Those are just off the top of my head.

If I refuse to allow location services on my phone, why would I want to be tracked everywhere in my car?

Many of the connected car features (telematics) are just distractions to drivers, with features such as social media interaction, shopping opportunities, email and other messages popping up on car navigation screens.

Pushed by advertising, big data, marketing companies telcos and car manufacturers...

The best security is to not connected it to the network. If a device is connected to the network, it will get hacked eventually. If the passengers need network based entertainment, then separate the entertainment system from the car's control circuit and the control can only connected via cable when in service.

I thought someone had demonstrated remotely took control a Tesla or some car.

@Cliffy - it was a few different vehicles - Jeeps, Nissan Leaf, and a few other 'unnamed' makes since the security guys that hacked in wanted to be employed as consultants. Most of the hacks were for seat heaters, A/C, and entertainment things, but a few were for altering low-tire pressure warnings and slamming on the breaks.