Not IoT related, just bad security
Sophisticated car security has been around for over two decades and Jeep still has it wrong?
The European Insurance Commission issued guidelines in the early 1990s requiring more sophisticated protection. BMW, for example, introduced their system in 1993. The dealers don't have access to the key cut codes or the security programming information. They have to request that a key be made by the regional distribution center.
Of course the dealers love this system. It's used to charge outrageous amounts, over $300 from some dealers, for replacement keys. And even more for a 'new' security module if all 10 key slots are used. But it does prevent this kind of security breech, which is completely predictable if you let every dealer (and thus an unknowable number of un-vetted people) have access to the keying information.
Clever people have reversed engineered the BMW system so that you can cut and program your own keys. But you still have to remove the inconveniently mounted security module and connect directly to the microcontroller pins to extract or reprogram the security keys. While it's not what BMW intended, the result is a good compromise between security and owner repair capability.