Vehicles are being revolutionized by integrating modern computing and communication technologies in order to improve both user experience and driving safety. As a result, vehicular systems that used to be closed systems are opening up various interfaces, such as Bluetooth, 3G/4G, GPS, etc., to the outside world, thus introducing new opportunities for cyber attacks. It has been recently demonstrated that modern vehicles are vulnerable to several remote attacks launched through Bluetooth and cellular interfaces, allowing the attacker to take full control of the vehicle. The common root cause of these attacks is the lack of message authentication for the vehicle's internal bus system, called Controller Area Network (CAN). In this work, we propose VeCure -a practical security framework for vehicular systems, which can fundamentally solve the message authentication issue of the CAN bus. VeCure is designed to be compatible with existing vehicle system architectures, and employs a trust group structure and a novel message authentication scheme with offline computation capability to minimize online message processing delay and deployment cost. We built a proof-of-concept prototype on a testbed using Freescale's automotive development boards. The experimental results show that VeCure only introduces 50us additional delay to process a message, which is at least 20-fold faster than any existing solution.