"security by obscurity is no defence & no substitute for doing security properly in the first place."
That's certainly true. But I don't believe the car industry has been very guilty of that up until now. By and large the car industry has got it right in the recent past. The only data interface to the car was the CAN bus, and that's not available outside the vehicle. You have to be physically in the vehicle already to be able to plug into it. So, as long as the blipper/keyless entry system was up to snuff (and generally they've been good enough at those), theft of a car mostly required breaking a window or somehow opening a door at least.
So their security model was pretty easy to get right. Make sure the CAN bus is physically inaccessible, and use a simple yet effective remote key fob system. Get just those two simple things right, and the car is acceptably secure.
Now that they're beginning to put a publicly accessible wireless network interface on board, there's a much larger threat to the car. There are so many more things they've got to get right in order to achieve the same level of security. No one has ever managed to fully secure any internet-connected server; Windows, Linux, Mac OS X have all had their moments of weakness. What makes the car industry think they can do it any better than the software industry?
And it doesn't matter if they think that they're OK by having a closed, non-internet connected wireless network. By having a standardised wireless network interface they're vulnerable to someone else using standardised wireless networking equipment to connect to it one way or another. I mean, how hard is it to get a pseudo cell base station these days?
The OS vendors/creators are at least pretty good at publishing updates for the various versions of their products. I don't think the car industry quite realises the huge software maintenance burden they're bringing on themselves if they're to uphold reputations for long lived and reliable cars. Are they going to maintain software and fix bugs on 10 year old cars? I doubt it.
From the owner's point of view, Connected Cars could be a disaster waiting to happen. Once an unpatched flaw is published for any particular car, every owner of that car will probably find it impossible to get car insurance.
I can also see the insurance industry adding general exclusions to policies concerning car theft after a bug has been disclosed. Owning an older, no-more-updates car could become a real liability.
It certainly does sound like BMW have counted on obscurity for security in this new system of theirs. Here begins their lesson.