
Encryption isn't needed here; this could be prevented by messages from the smart key unit being signed with a key known to the immobilizer.


Or just make the "smart key" controller a dumb passthrough of the key's messages and do the actual decoding and verification of the key messages in the engine ECU. I'm in fact surprised this isn't the case, but then again most "security" you see on cars is more about trying to lock out the legitimate owner from doing their own repairs or key programming as opposed to true security designed to defeat skilled attackers.


Or just have the smart key ECU and the recipient ECU use a rolling code or even a 1 time shared secret. The other ECUs can learn the rolling code in the factory, or in after-service with the left door open, right blinker on, hood open, and horn tapped 8 times, and then wait 20 minutes.

Without the key to see what the code is, no injector can spoof the frame.

With the after-market procedure making tons of noise and spectacle, and a nice long wait for the police to arrive, the thieves can't replace the key ECU.

With the system being simple, no key provisioning is needed, no non-public information, just an extra page in the manual and a software update.


And if anyone is thinking that DSA or RSA is too difficult, Carter and Wegman of IBM invented Universal Message Authentication Codes in the 1980s.
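
An added example, not part of any comment in this thread: a sketch of the receiver-side check the comments above describe, combining a rolling counter with a message authentication code so a frame from a sender without the shared key is rejected. It uses HMAC-SHA256 from the Python standard library as a stand-in MAC (not a Carter-Wegman construction); the CAN id, payloads, key, tag length and counter window are constructed assumptions, and frame size limits are ignored.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # truncated HMAC-SHA256 tag length (assumed)
WINDOW = 16   # how far ahead a counter may jump (assumed)


def make_frame(key, can_id, counter, payload):
    """Sender side (smart key ECU): tag covers id, counter and payload."""
    msg = struct.pack(">IQ", can_id, counter) + payload
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return can_id, counter, payload, tag


class Immobilizer:
    """Receiver side: accepts a frame only if it is fresh and authentic."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, frame):
        can_id, counter, payload, tag = frame
        # Rolling counter: must move forward, within a bounded window.
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False
        msg = struct.pack(">IQ", can_id, counter) + payload
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        self.last_counter = counter  # advance only on an authentic frame
        return True


def run_demo():
    key = bytes(range(16))  # constructed key, learned at pairing (assumed)
    car = Immobilizer(key)
    genuine = make_frame(key, 0x123, 1, b"KEY_OK")          # constructed frame
    forged = make_frame(b"\x00" * 16, 0x123, 2, b"KEY_OK")  # sender lacks the key
    tampered = (0x123, 2, b"UNLOCK", make_frame(key, 0x123, 2, b"KEY_OK")[3])
    return [car.accept(f) for f in (genuine, genuine, forged, tampered)]


if __name__ == "__main__":
    print(run_demo())
```

The four results correspond to a genuine frame, a replay of it, a frame tagged without the shared key, and a frame whose payload was changed after tagging.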



