Automakers are notoriously bad at code [1][2][3], and consumers are bad at getting their car fixed if there is a recall [4]. I cannot see how connected vehicle security will go well.

[1] http://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_s... (look at slide 36)

[2] http://www.networkworld.com/article/2895535/microsoft-subnet...

[3] https://www.ece.cmu.edu/~ece649/lectures/20_sweng_crit_sys.p...

[4] http://www.nytimes.com/2014/05/09/business/recalled-used-car...

I think this is going to result in catastrophic disasters, and hopefully catastrophic class-action lawsuits as well. I find it absolutely terrifying to think that every time I go near a road, my life will depend on General Motors churning out invasion-proof software.

Whenever they've been faced with computer security problems, big, 20th-century organizations have consistently proved themselves incompetent beyond imagining. Plus there's no way this kind of change wouldn't be managed by government, and it's not the kind of thing they do well at all.

Several major categories of risk:

* terrorists will hack into cars (or related systems) to make them kill people and/or destroy property on purpose

* bored kids will hack into cars (or related systems) and make them kill people and/or destroy property for no good reason

* criminals will hack into cars (or related systems) to enable theft, kidnapping, and other crimes

* opportunities for privacy violation, tracking, stalking, etc

* certificate systems kind of suck