The guys who figured out that FCA vehicles on the Sprint network had no authentication beyond also being on Sprint's network could remotely control *any* connected vehicle brought about a lot of changes. My 2019 Dodge has a 'security gateway' module that sits between the wireless module, the OBD port, and the chassis CAN bus to prevent unauthorized access. It's a simple wedge, and you "need" to cryptographically authenticate to that module. Bypassing it is simple if you have physical access to the vehicle, either at the module itself (under the dash) or by simply plugging into the bus elsewhere. I have a module plugged into the star connectors in the trunk, with two interfaces. One on the chassis bus and the other on the IHS bus (for the radio and other non-critical modules). Since Dodge wants me to pay a subscription to use remote keyless entry and whatnot, and I don't want to, I built my own.
Remote attacks will be more difficult going forward, but certainly not impossible. Insider attacks still being the simplest vector. If the risk were non-safety annoyances, like playing with door locks or disabling the starter that's one thing. But with cars that have actuators on the steering and braking being a lot more common, the argument for disabling these systems entirely becomes a lot more sensible in my opinion.
