I would add that shipping cars with such vulnerabilities should be a criminal action, if it isn't. It's certainly negligent (however unintentionally) and unsafe for consumers.
Not to go all law school on you, but criminal actions are defined by statutes. There are many actions that are ethically wrong, but perfectly legal.
Now, for a civil action, it is always fuzzy. Whether or not it is negligent is going to be based on many things, a big one being whether it was "reasonable". Shipping cars before this event may have been reasonable, but continuing to do so may be negligent. But at least in the US, that needs to be decided in court, not on the internet.
I'm pointing all this out because you said "Certainly". That word really has no place in the US legal system.
Given the complexity of the software components in a modern car, I think it would be a safe assumption that all of them are shipping with such vulnerabilities. If there is one area where we could benefit from some openness it is the embedded world; these are life-critical systems in every sense of the word and what I've seen of such code bases does not inspire confidence at all (rather the opposite).
But that's exactly how these things happen. People program insecure stuff thinking 'well, at least this isn't connected to the internet', then one day someone else takes the blackbox the original guy (long departed) put together, hacks up a TCP/IP interface or does something else without looking through the codebase and boom you're wide open.
You can replay this story 10s of times over the next couple of years and let's hope it's only the nice guys finding them.
Don't get me started on that one, yes, it's probably even worse than automotive because these are 100s of thousands of legacy systems quite often without any security at all connected to the net. Obscurity is the only thing that keeps these systems working.
Yeah, good luck with that. Law enforcers find it incredibly useful to be able to remotely take over a (suspected) criminal's vehicle and force it to stop, so they're hardly going to support a law that makes that impossible. And let's face it, the only way to truly make sure a hacker can't take over a vehicle remotely is to make it impossible.
There is such a thing as "criminal negligence", but I don't know if this case or anything in medicine would qualify. My guess is no, based on some examples I'm looking at.
An argument could be made that putting the vehicle control system on the same bus as the internet-connected entertainment system was criminal negligence, but they would just hang the guy who probably put up a fight against it in the first place for not putting up a bigger fight or something, the company would never feel any pain. :/