Depends what you want to do. They don’t require a network connection to operate as a vehicle. So if you don’t care about the remote app features (local ones such as lock/unlock still work over BLE), live traffic, streaming music or updates, then a network connection isn’t necessary.

If you do want any of those features, then you would need to either get root access to the gateway and infotainment systems to modify the endpoints or take over the C&C server (formerly named “mothership”) domains and certificates.

Will certainly be a bummer if they do go under, I really appreciated their serviceability. Have several in the immediate family that have been going for over 7 years at this point though all kinds of calamities. Each time can I just pop out all the components clean/replace as necessary and get it back in service, good as new.

I set the VPN tunnel from the VPS to deny everything to the internal network by default, then put the services that need to be accessed on the allow list in the firewall. So the VPN endpoint from the VPS can only hit the very specific IPs/ports/protocols that were explicitly allowed. There is still the possibility of a compromise chain of VPS->service->container/VM->hypervisor->internal network access, but I feel comfortable with those layers.

You could also setup an IDS such as Snort to pick up on that exploit traffic between the services and internal VPN endpoint if extra security is necessary on top of fail2ban and log alerts on the VPS.

Trace Route. The *NIX equivalent command is traceroute, Windows shortened it to tracert.

Thanks for the links to the sources. It was interesting to read the backstory on how it came to be.