Perhaps a small proxy application that is fully vetted and tested code. This doesn't seem too dissimilar from the "I need a small suid root app to do $root_thing for an unprivileged user". As you said, unrestricted access is the problem. This just is typical "principle of least privilege" kind of stuff.
Totally doable, but it is unbelievable to me the lack of forethought in things like this.
CAN has been around for a long time. I don't think we can blame Bosch that they didn't see from 1985 the pitfalls of someone possibly adding global internet connectivity, nor can we assume they would have advised interconnecting CAN systems with the internet.
I was referring to an application/hardware that sat directly on the CAN bus, not a part of the infotainment system whatsoever. Something totally separate that had only 1 small function, to authorize access to CAN communications for "unprivileged" things such as the infotainment system.
Totally doable, but it is unbelievable to me the lack of forethought in things like this.