Comment by jordanb
18 hours ago
> Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car
It feels like this is something you should get by being owner of the car, and not have to do free speculative research for the manufacturer to get it.
The underlying tension is that "you own the car" means something very different from "you own the software running the car." Tesla treats the firmware as licensed software rather than property you can inspect and modify. The bug bounty program is a PR-friendly way to say "we support security research" while keeping full control over who gets access and under what terms.
Right-to-repair legislation is chipping away at this but slowly. The EU's right-to-repair directive covers physical repair and doesn't really touch software access. The real test would be a regulator taking the position that restricting root access on hardware you own constitutes an anticompetitive tying arrangement, since you can't use the car's data for your own purposes without going through Tesla's APIs and paying their fees.
John Deere has been the main battleground for this argument so far. Farmers can't repair their own tractors without paying for dealer access to diagnostic software. Tesla is the same pattern applied to consumer vehicles, but the consumer advocacy pressure is weaker because fewer people feel the pain directly.
>> Tesla is the same pattern applied to consumer vehicles
No i'd push back on this because the entire workshop manual is available for free without even registration required. You can literally google and land in the relevant sections and it is of a far higher quality than ford, VAG or bmw as three examples i'm pretty familiar with. I haven't seen the John Deere stuff.
Tesla does have "special tools" for some repair procedures, a practice as old as the auto industry but they don't rely on them to the same extent as BMW for example. Anecdotally, the special tools i'm aware of are genuinely useful - for example, the tool for disconnecting seatbelt anchors saves time vs the traditional bolt - where special tools on other marques are often clearly to workaround a failure of packaging or engineering resulting in tight access for a regular tool.
Their online API access is a little bit annoying, or at least unfriendly to casual home user, specifically the workflow to register an OIDC client, but not insurmountable.
> "Tesla is the same pattern applied to consumer vehicles"
It really isn't. Unlike John Deere, Tesla is actually pretty good on right-to-repair. All of their technical and repair manuals are available for free to anyone. The service/diagnostics software ("Toolbox") is also available to anyone, albeit for a (not entirely unreasonable) fee.
(There is also a service mode built in to the car which can do many basic diagnostics for free)
> All of their technical and repair manuals are available for free to anyone.
That should be the bare minimum. Ford charges you 40 dollar an hour for it and unless you know exactly what you are looking for you will spend several hundreds on it.
Too bad ford killed their old site, the print form was unauthenticated and you could print the entire schematics to pdf if you knew the internal model number. Or do what I did and run a script to dump it to higher res PNGs.
3 replies →
I would love to lobby to change how the law works for these cases: for some definition of "firmware" (informally "software that ships with hardware and is not intended to be selected by the consumer like a computer operating system"), add a copyright exception so that modifying the firmware in situ is treated like modifying the physical hardware, because in practice they are in fact the same thing: a single component that does a single thing.
With this, the John Deere approach to gatekeeping vehicle repair would no longer be legally protected by the DMCA or by copyright law. All the other protections afforded by copyright law would still apply: you cannot rip the firmware off the hardware and distribute it, the manufacturer is under no obligation to help you modify it, etc.
However, tools which patch or circumvent antifeatures of the firmware would now be legal to use on hardware you own: it would be legal to patch out software locks, retune engine computers, etc.
>The underlying tension is that "you own the car" means something very different from "you own the software running the car."
What does that mean? "The software" is a specific configuration of the hardware you own. How can you own the hardware and not the specific copy of whatever data is on it? Note that I'm not confusing the copy of the data with the IP rights to it.
Because American courts have entertained utterly moronic claims for decades now and the DMCA eliminates any sanity in consumer rights around IP products.
When you bought a DVD, you didn't "Own" the movie, but you had a legal right to do things with that data you didn't "own" anyway, like format shifting and selling that physical object on to another person. You could copy that data off and do things with it. I think technically it would be a copyright violation to then put that movie file into Movie Maker and cut up your own personal highlight reel, but good luck finding a judge willing to hear that case if you don't upload it to youtube.
Now, thanks to the DMCA and courts being absurdly credulous of bullshit arguments from corporate attorneys, you no longer have basic consumer rights. If you try to even inspect the code that runs to protect your literal life, that can be a crime. You own the literal hardware, but if you try to act like you own it, that's a crime. You technically still have the right to format shift a BluRay for example, but bypassing the math protecting that data overrides that "right" and you are guilty of a crime. A CEO's wet dream.
If the DMCA was older, IBM could have prevented the existence of the Clone PC market and ensured a locked up market. We would all be stuck on absurdly shit hardware because that's what was more profitable for IBM.
Pre-DMCA, Sega was told that their trademark rights were overridden by the innate market right to interoperate with their product. IP rights used to be fairly weak! Sony could not prevent a company from selling a software product that ran playstation games. To this day, Nintendo simply pretends these court cases didn't happen.
This is part of why China has so much success in manufacturing and product development IMO. They don't need to develop purposely worse versions of things just so some other company can sit on their hands for 20 years collecting rent. If you want a fast moving market, the ability to lock things down for 20 years is fundamentally unacceptable, only enriching a few owners, and outright harming our country. Basically every time in history that IP rights are weakened or nullified, you see a burst of development and advancement in products and solutions.
> Tesla treats the firmware as licensed software
This would be okay if there's a way to reject the license and install my own firmware.
You'd be required to jump through the hoops to get your custom firmware approved by the necessary regulatory bodies, just as Tesla did for theirs.
It's not really feasible for a private owner, so I can see why it's not offered as an option.
2 replies →
> The underlying tension is that "you own the car" means something very different from "you own the software running the car."
How is this different from the 2000s, or the 90s, or even before, when the normal thing to do with commercial software was to purchase a license to use said software and a physical medium containing a copy? You'd also then not "own the software", but you owned the right to install a copy on your own computer and use it. That worked without having to hand over the keys to your own computer.
Sure, the physical delivery medium is gone, but that's just a detail. Why do we now think that just because we license software for use, we can't be in ultimate charge of our own devices?
In 1990 Ford couldn't turn off your Mustang because you plugged a TwEECer into the J3 port and screwed around with the tune. Best they could do was void your warranty and deny you further upgrades (i.e. tunes flashed as part of a recall or TSB).
These days unauthorized access tends to lose you effective use of the hardware you bought because the hardware requires software features to work and that software often unnecessarily phones home so if the OEM toggles a field in a DB somewhere you lose access to back up assist or whatever other fancy tech features that you a) paid for b) don't strictly need to have dependencies that phone home to work but do "because reasons".
1 reply →
Tesla’s manuals are all online and many of the parts sell for cost plus. You may be thinking of Ford and Toyota
Tesla absolutely does not apply the same patterns as John Deere. Everyone can fix Teslas. Parts are easy to obtain. Never had issues with them. John Deere on the otherhand is the absolute evil of right to repair.
Normies get scammed on Discord into pasting commands into their browser console.
As a pedestrian I prefer for most people to not have root access to their multi-ton fast-moving killing machine.
Agrred, but it is remote root access is the danger, they already have root access to the physical dangerous things.
That is blatant whataboutism. Stop performing mental gymnastics and accept that what you personally want is not what’s good for society as a whole.
7 replies →
In most cases I agree with this, but maybe not for potentially dangerous things like cars? What if someone roots into their car and disables some essential safety feature - maybe even a legally mandated safety feature?
More concretely, the expertise-required-to-access-root is in a different field to the expertise-required-to-make-wise-changes. i.e. you might know how to hack a car, but that doesn't mean you know how cars operate.
People have been modifying their cars since cars have existed, an electric car shouldn’t be anything new.
Up until v recently cars were not remotely accessible and part of a command-and-control network which Teslas are (perhaps other modern cars are too, I only know Tesla because I have one).
I know that the car reports practically all user events to Tesla in real time over the cell network (eg, open door), and I know it has root access. I don't know if that root is available remotely and I don't know if foundational commands like steering, acceleration and brake are accessible via the CLI (they are computer controlled actions locally)
THUS I would not want to drive a Tesla if there was the possibility of all cars being rooted and remotely controlled by an unauthorized actor.
1 reply →
Given electric cars are responsible for much bigger responsibilities than combustion cars (avoid driving into that bicyclist), there are new concerns here which beg extra consideration.
1 reply →
People have been killing each other with weapons for as long as they've been around, nuclear weapons shouldn't be anything new.
As much as I tend to agree philosophically, could it not result in people making changes that endanger other road users?
No, one can do that anyway. There is basically no real way to stop folks from modifying their cars. It can be made more difficult, sure.
This is about selling tools and access. It's another profit pipeline for car OEMs.
Perhaps it is also about liability. Otherwise, we would have people installing OpenClaw on their Teslas.
9 replies →
I don’t think that’s the reason, seeing as a car is already endangering everyone around it by existing. More likely about keeping the tooling to diagnose issues proprietary and expensive.
Obviously, they are both very good reasons. Just because you don't like one of them, doesn't mean the other one doesn't suddenly exist anymore.
You could screenshot this and put it under the definition of “perfect being the enemy of good”
That kind of thing is always the stated justification but never the real reason.
Almost invariably when that excuse is trotted out, there are are usually many things that are much more common that are also far more dangerous. For example, texting while driving or driving with bald tires in the wet are both 100x more dangerous than anything almost anybody would do by modifying the car's software.
Four 9/11s worth of people die every year from drunk driving. If we can't even get that under control, I don't see why being able to modify your own car is a big deal.
We could do both…
Disabling alertness sensors might worsen drunk driving actually.
It doesn’t have to be a “big deal” for the powers that be to resolve that you shouldn’t have root access to your iPad on wheels, dude.
Isn't this largely a US problem?
Enforcement is abysmal for stupid reasons. Courts are reluctant to remove the ability for people to drive because America purposely made itself dependent on cars, and cops are reluctant to actually arrest a lot of people for drunk driving because they tend to be buddies, or worse. You can find plentiful examples of off duty officers trying to get out of drunk driving simply by being a cop.
This is what you get when you can vote on the sheriff and judges who insist they are "Tough on crime" because they sentence a dude smoking a joint to years in the joint while ignoring real problems like, you know, murder and theft and violence and all the shit their buddies are doing. The "Tough on crime" people are the ones drunk driving often enough.
You can translate that to corresponding car-purchases, i.e. vote with your wallet.
Really? Which car manufacturer officially provides you a root access to your vehicle?
It’s almost like there’s no market for this because it’s a silly thing that practically nobody actually wants enough to vote with their wallet.
That, or no company wants to assume liability. In which case, go whine to your local representative. That’ll be hilarious for all involved.
2 replies →
You can feel that way, but plenty of car configuration has always been locked away and walled off, and manufacturers make a tidy profit selling software licenses to dealers and mechanics to perform basic diagnostics. Proprietary software is big business what can you do.
Definitely not always. It used to be that a mechanic or a skilled owner could tune, modify, repair or replace absolutely anything in your car. That was basically since the invention of the car, up to somewhere in the 2000s. And even then, various hackers and pirates made sure almost anyone could get their hands on the software. In fact, many mechanics these days use 3rd party software because the manufacturer refuses to sell them their version or even that version doesn't have all the features.
That is the recent (and gradually worsening) situation but it is not in and of itself a justification. Effectively you're saying "it's currently this way therefore it's okay for it to be this way".
Manufacturers have increasingly restricted control over products as they've gradually been digitized. Prior to the digital era anyone could do anything to personal property (regulations notwithstanding ofc); more expensive items typically came with circuit diagrams for the purpose of repairing them.
[dead]
[flagged]