Indeed, and I remember the vast majority of the people getting super excited at the possibility of "getting an OTA update that can improve your acceleration by 0.1s" - without realizing what exactly that means in terms of security. In particular, that others could also control your engine and car the same way through updates.
The car manufacturers who do OTA updates for their cars are sitting on time-bombs. The clock is ticking for them until people get killed this way (regardless of them using HTTPS or signed updates - which some manufacturers don't even use now).
yet it's an order of magnitude easier to just go buy the parts to a real 'time bomb' than to crack an OTA update. Security is relative after all, and evil geniuses have much better ways to kill you.
The car manufacturers who do OTA updates for their cars are sitting on time-bombs. The clock is ticking for them until people get killed this way (regardless of them using HTTPS or signed updates - which some manufacturers don't even use now).