The only thing that surprises me in this article is that the attack took until mid-2015 to happen:
[…] The attack […] can compromise those Uconnect computers—an optional upgrade feature that doesn’t come standard in the Chrysler vehicles—through their cellular Internet connection to tamper with dashboard functions and track their GPS coordinates.
For 2014 Jeep Cherokees in particular, [the attack extends] to the vehicle’s CAN bus, the network that controls functions like steering, brakes, and transmission.
Attacks like this become a safety critical issue — rather than just an annoyance — due to two factors.
First, all software sucks, with consumers failing to demand the kind of qualities in software that they now routinely expect in hardware (mostly, to be fair, because consumers don’t know to ask — or how to ask).
Worse, most engineering reliability analyses don’t know how to model software reliability, so it gets neatly tuned out of a hardware failure modes analysis — meaning that it’s then easy to make the incorrect assumption that the software can’t fail, let alone take hardware out with it.
Engineers and other technical types might not make that assumption, but they’re not the ones generally making the decisions on what and where to cut the budget. Which brings us to the second factor: businesses are attuned to looking for maximum profit at minimum cost.
That means in turn that obvious safety considerations, such as not having any form of physical link between safety critical systems and online entertainment systems, are foregone because it’s an easy way to cut costs. One set of connectivity is cheaper than two, particularly when the safety critical systems already have sensors and the like which the entertainment systems can then utilise.