Is there a list of "kill switches encoded in law autos can't make" somewhere?
I know the vehicle data recorder, and I've heard that LTE radios have to report occupancy, though I can't find a requirement that cars need an LTE radio.
It's completely possible to build an EV that isn't connected. The idea that electric power means networked spying is an invented fiction. Due to the privacy-conscious background of one automaker, a vote by the board mandated that all their cars be able to function in a completely disconnected, non-reporting mode:
You've misunderstood the situation completely.
The first job of a persistent attacker is to gain acceess.
The second job of a persistent attacker is to pivot that access from illegitimate to legitimate, so that by the time their TTPs become IOCs, log rotation has wiped that illegitimate access from the books and all their access looks legitimate.
What we have here is a way for an attacker using shady means (email-delivered 0day, parking lot thumbdrive, browser drive-by compromise) to take over a computer and then drop a signed package that will allow for remote control over time that looks completely legitimate. To a network IDS, that access will look like an authorized cloud tunnel, completely normal. To a file scanner, it will look like an vendor-signed binary, the gold standard. To the complete defense-in-depth stack, the entire c2 chain is cloaked in legitimacy. If you get a single detection at all for the initial compromise (not possible with 0day), the entire rest of the kill chain looks like legitimate access and vanishes.
It's a nightmare for defense in depth and hunt teams.
Without working in the industry, how could someone vet for the internal cybersecurity of an upcoming car purchase? None of these security features seem to be publicly documented anywhere. I have spent a long time looking.