Hacker News new | ask | show | jobs
by venzaspa 13 days ago
Quite a few other manufacturers have done the same thing. I use a reverse engineered Polestar library to get charging status but I'm in the middle of building a CANBUS sniffer to do the same job because I don't trust they won't do the same thing as this.

I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.
8 comments
summm 13 days ago
They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.

This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.

link
ornornor 13 days ago
> draconian countermeasures are drafted and constructed one by one.

Except when it’s about privacy or anything else we actually care about: then absolutely nothing is done because it would cost more than 0 to do anything.

link
reactordev 13 days ago
On the contrary, lots are being done about it, they have to update their terms of service…
link
summm 12 days ago
Depends. In some sense EU companies are quite afraid of the GDPR. Privacy is used in a twisted way in that argument: if any privacy relevant data is exposed to another party, and there is any incident down the line, they fear they could be made responsible. So they to block you as a user to access your own data.

Of course, if that privacy risk came from them storing and selling your data, they happily accept that, you are right in that regard.

link
SoftTalker 13 days ago
They had to add this stuff because it was possible to unlock and start a car by accessing the headlight socket.

https://www.thedrive.com/news/shadetree-hackers-are-stealing...

link
ryandrake 13 days ago
> Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press.

It's pretty sad that "User used their product in a novel way we didn't expect" is seen as a risk that must be mitigated.

link
therealpygon 13 days ago
I suspect the manufacturer probably cares less about what you do to your own car and hacking it, than they do about the potential for security compromise of their products on a broader scale, where they will then get blamed and sued for not having closed said loopholes. It is a no-win situation when it comes to fault assignment.
link
cisophrene 13 days ago
> It is only a matter of time until they add encryption.

I hope I won't be in one of those cars when the in-memory encryption key gets bit-flipped by the unfortunate cosmic ray.

link
b3lvedere 13 days ago
Proving that autopilot killed that poor old granny because of cosmic rays would be an interesting case study.
link
cisophrene 13 days ago
It actually happened with Toyota around 2010: they went into a settlement regarding an unintended acceleration issue because it was proven the code was terrible and a single bit-flip could cause the behaviour.

https://en.wikipedia.org/wiki/2009%E2%80%932011_Toyota_vehic...

link
AlotOfReading 13 days ago
Bit of context to this, it was demonstrated that it was a hypothetical possibility, but the issue couldn't be demonstrated in lab conditions. Stuck floormats, pedals, and confused drivers remain the only actual explanations for the real events behind the lawsuits.
link
b3lvedere 13 days ago
Very interesting read. Thank you for the link.
link
cisophrene 13 days ago
Another interesting case: a proven case of bit-flip that affected a voting machine in Belgium: https://www.independent.co.uk/news/science/subatomic-particl...
link
formerly_proven 13 days ago
It’s a fair assumption that most of these things are trickle-down effects of CMS/R155 and CRA combined with very high risk aversion on the company side. The less you expose, the lower the risk.
link
ethagnawl 13 days ago
Right? I imagine there would be a non-trivial sales/marketing boost for the one/first company (in any segment) to fully embrace HA. IKEA is arguably a good example of this.
link
andylynch 13 days ago
This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances ), who are also German.

They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.

link
qludes 13 days ago
The ability to interface with your car is fundamentally at odds with the regulatory momentum that's going towards encrypted everything.

Take a look what the automotive risc-v people are working on or the requirements of the EU cyber resilience act.

link
MostlyStable 13 days ago
I just found out about an open source product that might fit your needs, the WiCAN:

https://www.meatpi.com/products/wican-pro

link
Tangurena2 13 days ago
John Deere started the trend with locking down the farm equipment they sell.
link
c10o 13 days ago
I open my VW app and I think I know why:

https://imgur.com/a/nj0dLku

link
tclancy 13 days ago
Is there a repo for the new project?
link