Low Speed/Fault Tolerant CAN offers baud rates from 40 Kbit/s to 125 Kbits/sec. This standard allows CAN bus communication to continue in case of a wiring failure on the CAN bus lines. In low speed/fault tolerant CAN networks, each device has its own termination.
In regards to German and otherwise European cars, I've never seen or heard of a modern car operating on anything other than a "high speed" CAN bus, with anything lower than 250Kbit/s and all the way up to 1 Mbit/s. While some cars do have two separate busses this is in no way a standard, and neither of those would necessarily be a fault tolerant one. Nor am I sure who your source might supply, but none the less, I feel like your trust in the quality of modern cars and their components might be a bit misguided.
Fair enough. Though my point was trying to say that protocols should assume a variety of component failure modes.
I'd rather just have to trust the safety standards of the manufacturer of my car (and to a lesser extent the cars I might directly collide with), not the safety standards of every vehicle within transmit distance.
If someone has access to control an ECU on your can bus you are just as bad off as you would be in the case you worry about. And on top of that i promise you the ECUs in modern cars are not works of art with good error handling. But consider that there are many currently unemployed technologies that can work to make for example the sharing of sensory data signed and trusted, for example by deploying technologies which apple uses today with great success amongst others?
I am not aware of any sensor system that involves meaningful cryptographic claims about sensor readings. I'd love to learn more about anything along those lines.
Especially the associated threat modelling and engineering principles!
Error counters and error-disabled states are baked into every CAN controller implementation.
The arbitration system is designed to let chatty-but-low-priority messages try to talk as often as they'd like, but only succeed when higher-priority messages allow it.
Short of faults that actually electrically disable the bus, it's pretty good.
How do you figure?