The automotive firmware industry has had a strong preference historically for stable, old dependencies. With the advent of connected firmware, arises a strong force pushing in the other direction — towards frequent updates, built from latest and greatest dependencies. How they balance verification and validation for safety purposes with frequent and more volatile updates, will be interesting to watch.


I wish they gave customers an off switch for remote access so at least older cars aren't rolling honeypots for hackers.


Supposedly removing the sharkfin wholesale will do it, at the cost of also losing FM radio.


The sharkfin is usually only for external comms. There's still other comms on separate antennas like Bluetooth that can be potential entry points to the vehicle.

Worse, even the external comms systems are moving to more redundant setups to mitigate signal loss scenarios.


I'll have to dig up the post but a gentleman with a relatively new Subaru was kind enough to share his explorations and found significant logic parts integrated into the sharkfin, not just the antenna bundle. Likely a cost measure.

How well does this extend to other vehicles? No clue.


All of that comms stuff has its own logic associated with it that usually lives up there in my experience. In the past, manufacturers have tried to avoid putting much stuff above the headliner beyond roof windows and speakers. It's hot, narrow, and vibrates a lot (especially in the center). Frankly, the antennas are only up there because antenna placement is very expensive magic that doesn't deign to obey the whims of mere "designers".

Things are changing though. Autonomous vehicles need large numbers of sensors up there anyways and you can't keep shoving everything under the cabin.


How available are full vehicle wiring diagrams these days? Not any good for radios built into computers like the Bluetooth antenna in the head unit, but it might be nice to snip the wires to the sharkfin or other remote comm modules without having to tear at body work or computer modules.


That would take away the government's ability to track vehicles. They look the other way on consumer protection and the manufacturers get to coerce you into subscription services. Win win right?


The linked vulnerabilities don't even have anything to do with firmware (although it is certainly littered with issues too), but rather just basic web/application security issues on the "cloud" side of "cloud" services.

This is less of a directional shift IMO than the classic "hardware companies are bad at software" issue. There's no unsolved or novel problem in this SiriusXM vulnerability (or one from the same researcher in Hyundai/Genesis systems where they compared a JWT subject with a subject passed in the request, but stripped whitespace). There's no update-frequency or validation issue. It's just basic web application security getting neglected.
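Added illustration, not code from SiriusXM, Hyundai/Genesis or the researcher's write-up: a constructed check that strips whitespace before comparing the JWT subject with the request's subject, beside a strict version and a registration-time canonicaliser. All function names and the sample identifiers are assumptions.

```python
import hmac


def lax_subject_matches(token_subject: str, request_subject: str) -> bool:
    """Flawed pattern (constructed): both sides are stripped before the
    comparison, so two distinct identifiers that differ only by surrounding
    whitespace are treated as the same principal."""
    return token_subject.strip() == request_subject.strip()


def strict_subject_matches(token_subject: str, request_subject: str) -> bool:
    """Hardened check: byte-for-byte, constant-time equality between the
    subject the token was issued for and the subject the request names.
    No normalisation happens here; that belongs at registration time."""
    return hmac.compare_digest(
        token_subject.encode("utf-8"), request_subject.encode("utf-8")
    )


def canonical_identifier(raw: str) -> str:
    """Registration-time canonical form (constructed policy): an identifier
    containing any whitespace is rejected outright rather than silently
    trimmed, and the stored/asserted form is lower-cased once."""
    if any(ch.isspace() for ch in raw):
        raise ValueError("identifier contains whitespace")
    return raw.lower()


def authorize(token_subject: str, request_subject: str) -> bool:
    """Authorisation decision with the strict comparison: the JWT subject
    must match the canonical form of the identifier in the request."""
    try:
        wanted = canonical_identifier(request_subject)
    except ValueError:
        return False
    return strict_subject_matches(token_subject, wanted)


if __name__ == "__main__":
    # Constructed sample: a token subject with trailing whitespace.
    sloppy = "user@example.com "
    clean = "user@example.com"
    print("lax:   ", lax_subject_matches(sloppy, clean))     # True (collision)
    print("strict:", strict_subject_matches(sloppy, clean))  # False
    print("authz: ", authorize(clean, "User@Example.com"))   # True
```

The lax check collapses the two subjects into one principal; the strict path only ever compares the exact string the token was issued for.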


Maybe the automotive firmware industry had it right. Software on the internet is often just plain bad. SiriusXM's software should have had proper authentication on the endpoints.
