"where the user cannot directly access the data from the connected product or related service, the data holder must make the readily available data and necessary metadata accessible to the user without undue delay, in the same quality as available to the data holder, easily, securely, free of charge, in a structured, commonly used, machine-readable format, and continuously/in real time where relevant and technically feasible."
Indeed, this seems to be exactly the area where the Data Act could be used to regain access. Unfortunately it seems that it's not possible to directly sue (e.g.) Volkswagen to get access, unlike the GDPR where you have direct standing under article 79 [1].
There doesn't seem to be much written about enforcing the Data Act, so I looked at the regulation directly. Article 39 [2] seems to require to first lodge a complaint with the competent authority as designated by the member state of your residence. Then when that authority invariably fails to act – I have no idea which timeframe we're talking about here – you can "in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise". It isn't clear to me if such a lawsuit would be directed at the authority or at the party violating the Data Act.
I would very much like to be wrong about this. I can imagine Muñoz vs. Superior Fruiticola applies [3] ("it must be possible to enforce that obligation by means of civil proceedings"), but I'm not at all sure, and it's a much weaker route than the one which the GDPR explicitly describes.
Would anyone know or have better references on how to enforce the Data Act, preferably individually?
Quite a few other manufacturers have done the same thing. I use a reverse engineered Polestar library to get charging status but I'm in the middle of building a CANBUS sniffer to do the same job because I don't trust they won't do the same thing as this.
I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.
They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.
This is mostly a corporate problem of risk aversion in my opinion. Some department
writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press.
This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.
> draconian countermeasures are drafted and constructed one by one.
Except when it’s about privacy or anything else we actually care about: then absolutely nothing is done because it would cost more than 0 to do anything.
I suspect the manufacturer probably cares less about what you do to your own car and hacking it, than they do about the potential for security compromise of their products on a broader scale, where they will then get blamed and sued for not having closed said loopholes. It is a no-win situation when it comes to fault assignment.
It’s a fair assumption that most of these things are trickle-down effects of CMS/R155 and CRA combined with very high risk aversion on the company side. The less you expose, the lower the risk.
Right? I imagine there would be a non-trivial sales/marketing boost for the one/first company (in any segment) to fully embrace HA. IKEA is arguably a good example of this.
This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances ), who are also German.
They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.
BYD DMCAd my whole repo to connect to their cars... https://github.com/github/dmca/blob/master/2026/05/2026-05-2...
It's a shame these car makers are locking down their cars (which are brought for a premium!) and going on a crusade against open source.
This sure reads like a "you did nothing illegal but will attempt to make it look illegal" kind of thing. Like putting the key to a public space under the doormat, with a sign "key here" and then complaining you cannot use that key to access the already public space.
They alleging you have broken their encryption.. DMCA would be appropriate I would assume in this case.
OTOH, if there isn't a first party way to get an auth token or a way to connect your car with home assistant, I see that as a deficiency of service.
r/opensource_legalaid
let's reply and demand access to the data.
They don’t. Majority of users don’t care, and some middle manager shmuck, working on MySkoda, can report how “we” prevented a huge security risk and funneled valuable ~~cattle~~ user data where it belongs.
By the way, regarding additional profit stream, to access VW data before you still needed WeConnect subscription (100€ a year), just that before you could use another app or automation to access the data. Now you MUST use exclusively WeConnect and partners to access same data even though you paying already for subscription.
How is this a tangible income stream? I suspect that the amount of customers willing to pay for some weird API access or We Connect offering is rather limited. It would have to be bundled into some other solution, which again I'd guess have a limited customer base.
I have VW and I suppose We Connect, there's not a single thing that's worth paying for, not when you have CarPlay and Android Auto (or whatever that's called). If anything I'd prefer that they'd just drop the personalization they do with users. Our car will forever assume that my wife is driving, because that what the dealer configured and none of us care to mess around with it.
But yeah, people will buy the cars anyway, because all the automation is something that only an incredibly small segment has any interest in. It's just weird that those who actually care about connected cars are the only one VW is punishing with this move.
Unfortunately I think they're right on #1. In the grand scheme of things the lost sales because of this change are a drop in the bucket. HA and similar tools are not that popular, very few people who have their mind set on buying a VW will change their minds because of this alone.
What's worse is that other manufacturers are starting to do the same thing. They all see unofficial integrations as lost revenue (less of your data to sell because you don't use their app), and higher costs because the usage still comes on their cloud spend bill.
I was talking to my gadget-passionate (but not techie) best friend when the company making our cars made it more difficult to authenticate using the HA integration. He looked at me like I switched to an alien language. "Who cares? Don't you use the app?".
Most executives make commercially disadvantageous decisions in exchange for more power.
It's practically a law of business: executives prioritize their power first and their company's profit margins second. This is one reason why outsourcing coding was so popular despite not saving money and being so commercially disastrous - execs were in the driving seat with that relationship much more than they were with us.
Despite what some people will tell you about how the home assistant consumer segment "doesn't matter" (it does) it really is more about the tangibility of control over data vs the intangibility of lost consumer goodwill.
Companies are not profit maximizing at all costs. The shareholders and the executives are not a singular body they have different and sometimes wildly divergent interests.
Yea, I don't really see the revenue potential here. They seem to be doing this purely to force developers to have a "formal relationship" with them, and to grief all other developers who don't.
Same mentality behind companies who insist users have an "account" to use their otherwise-unconnected products.
I haven't seen anyone put this dynamic in such a clear and succinct description - the fact is that a lot of people (especially corporate managers) just hate the loss of control and will go out of their way to ban people accessing their things "wrong" - even if it's counterproductive for their larger corporation or a goal.
Client Assertion is an OAuth feature, but that is not at all what is being discussed here, if anyone else was confused. It is only present in the HN title and is not mentioned on the page.
With the software supply chain running amok recently having anything connected feels like playing Russian roulette and I say this as somebody who is running home assistant for years. I’m particularly paranoid about connecting my ev (non-vw) to it now, feels like a serious footgun today, would’ve been convenient three months ago, true.
If the data is going through the air or a wire it can be sniffed, right? Is every message signed or encrypted like ssl/tls, or is this just some kind of extra header(s)?
There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.
There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more
It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.
> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.
Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.
> Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.
Garmin recently did something similar, resorting to tls fingerprinting to prevent unofficial logins to their api (via the popular garth library).
They lost a lifetime customer in me - i think i have spent close to 20k on garmin gear between my wife and myself, watches, gps devices for cars, boats, and hiking gear. If they refuse to give me access to my data, i will (a) lobby for laws to be passed to make this mandatory (b) absolutely never ever buy anything garmin until i see a reversal of this policy and an apology.
More broadly though, its yet another service that blocks API access. No doubt this is caused by proliferation of amateurs armed with agentic tools building nice, personalized frontends for themselves. Companies seem to absolutely hate it when people dont go through their shitty websites with dark patterns, misleading search results and analytics.
Huh, I completely missed that. I've been using python-garminconnect [0] for a few months without issues. I agree though that it's annoying, though not reason enough for me to switch away from Garmin yet.
Already minted tokens work, they broke the login process.
For now its just tls fingerprinting, not client attestation - so, I managed to implement a working solution. But I am sure they will tighten the screws still further.
The only annoyance is that Garmin requires 2FA if you enable the ECG feature on your smart watch/fitness tracker, but I have a small program that reads the 2FA codes from my Gmail inbox and supplies them to the scraper without too much trouble.
We used to have them. Devices so simple anyone with a hammer could fix. Maybe not open source as we understand it today, but rather - trivially reverse engineerable, often with schematics included. Most complex would be rewiring the motor on a washing machine.
Did their job fine, but you can't sell them forever, so more complex devices were introduced. Nowadays motorcycles would probably be the closest equivalent, they're often very simple to work on.
That was even the norm for complex electronics for decades. But since it makes it easy to reverse engineer it, it's no longer being done due to fear of cheap clones (often inferior, and still doesn't stop anyone these days).
I recently saw a group of automakers together during an event. The contrast between Chinese and Germans was bizare. The group of german automakers were older men in black suits all wearing badge with titles like Senior Executive Sales blablabla. Whereas the Chinese were all young people wearing causual clothing and much more engineering minded. No wonder why european auto makers are doing so badly. They forgot to please people. The only know how to please their untergang.
This could equally illustrate the difference between long established multi national companies with an overbearing corporate culture vs young upstart companies with a dynamic startup culture.
Yeah, this is just the difference between the "cash cow" and "question mark" companies on the BCG growth-share matrix. The Chinese companies will sooner or later turn into stodgy cash cows themselves.
I think you two are talking about the same thing. The overbearing corporate culture is the cause of valuing dress formality over performance and dynamicism.
It means that the request to the API contains cryptographic proof that is was generated by a legitimate, reviewed app running on a unmodified and non-rooted mobile device controlled by Apple or Google.
fwiw this is a correct definition of Remote Attestation, matching what is mentioned in the github thread, but Client Assertion is something mostly unrelated (an OAuth implementation detail)
/me scratches VAG cars from a possible new EV purchase.
I hate Elon as much as the next guy, but Tesla is still playing the API game way better than the rest of the pack (even with the "not so new" Tesla Fleet API change)
But Volvo does not have cheap models with a reasonable range, unfortunately. I'm seeing right now on their Spain's website 40k EUR for a single motor EX30 with 337km WLTP which is ridiculous
And, does the Volvo community have something like TeslaMate built upon the API? It's not sine qua non factor but it will move the scale a LOT in favor of a brand.
Sad to see some people still believe raw capitalism works and that they can "vote with their wallet".. but they don't see that all car manufacturers can just agree to enshittify their products the same way and use their position to ensure you won't just "start your own car company". There's no real choice and those in power don't care.
Only regulation can help.. or a revolution in case the political system in your country is broken..
Anti-competitive practices that you describe ("all car manufacturers can just agree") is definitely not a capitalistic thing (market competition being an important part of capitalism), and indeed regulation can improve the bad outcomes.
I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.
I don't think there's a consensus about that, as demonstrated by divided opinions on EU DMA and Apple vs Epic.
The anti-regulation arguments aren't framed as "market competition is bad", but rather "the market will sort itself out without intervention" and "let companies do whatever they want to avoid killing innovation".
> if you don't like that car/company, don't buy their product. buy competitors. that will show them much better.
I'm all for voting with my wallet, but it gets exhausting trying to be a few steps ahead. And then nothing guarantees that there won't be a rug pull once you bought the car.
> or petition to government to put pressure on them
Right. Not sure why you have to mention it, since everybody knows this works oh so well.
The problem is that all these T&Cs are just pages upon pages of legalese that not only nobody understands or even reads, but that also aren't exactly advertised before buying. "Buy our smart widget! It only works with its own app, and we'll only support it for a ridiculously short time! Please don't upgrade your phone, or it will stop working!"
Of course governments should do something about it, but even here in the EU, they don't seem too bothered. Hell, even people seem generally fine with it, judging by the number of crappy widgets they buy.
> if you don't like that car/company, don't buy their product. buy competitors. that will show them much better. (or petition to government to put pressure on them).
That maybe fine, but if something is allowed at the time I've bought the car, and then the manufacturer changes their policy such that the usage that I did is no longer allowed?
BTW, to me this is bullshit, first cars shouldn't be connected to the internet in the first place, in the case that they are, I would need to be in full control of what I can do with the API, not that I need to use special software to talk to my own car.
> something is allowed at the time I've bought the car,
good point. yet, I bet in their T&C it was covered. it was just not enforced. and usually they have claim like "if we fail to enforce any part of agreement does not constitue waiver.". so most likely it was expected all along, they were not technically adept to actualyl enforce this. now they can.
but, if your claim stands, I bet you can win case against them.
I mean, it was founded by the Nazi party, they single handedly destroyed diesels through the world's largest scam, what ethics can you really expect from them? I find it extremely funny when people boycott Teslas for being "Nazi" but won't boycott actual Volkswagens that was founded by the real Nazi party and to date - followed some of the most unethical practices in automative history :)
This is not an intelligent comment. the Nazi parry and modern-day Volkswagen have nothing in common, whereas Tesla is currently^ actively^ run by someone morally reprehensible to many.
If you had any actual understanding—:as opposed to just hearing this little factoid in passing and have been waiting for every opportunity to whip it out— you’d know that already.
It’s funny as a quip, but don’t for a a second act like it’s a legitimate point, which is exactly what you’re doing.
Stop pasting LLM replies through fake accounts. Dieselgate happened very recently (in this decade). Just research your stuff before you slap a prompt onto an LLM please.
Just because the Nsdap party created something that doesn't mean you can automatically treat it is bad. That is prejudice. Something bad happening decades and decades after the party's dissolution is not going to be directly related. It is a reach to think unsupported third party apps breaking is related.
While I agree with you in principle, I don't think this is followed equally. Tesla's are still being vandalized to date, though. Selective outrage is a dangerous thing.
Well so the Nazis founded VW with confiscated union capital, and after the war control of the company was basically handed over to the union to make things right.
Wasn't the EU Data Act (https://digital-strategy.ec.europa.eu/en/policies/data-act) put in place to exactly prevent these kind of scenarios (Article 4 and 5)?
"where the user cannot directly access the data from the connected product or related service, the data holder must make the readily available data and necessary metadata accessible to the user without undue delay, in the same quality as available to the data holder, easily, securely, free of charge, in a structured, commonly used, machine-readable format, and continuously/in real time where relevant and technically feasible."
There is even special EU guidance for vehicle data for it: https://digital-strategy.ec.europa.eu/en/library/guidance-ve...
Indeed, this seems to be exactly the area where the Data Act could be used to regain access. Unfortunately it seems that it's not possible to directly sue (e.g.) Volkswagen to get access, unlike the GDPR where you have direct standing under article 79 [1].
There doesn't seem to be much written about enforcing the Data Act, so I looked at the regulation directly. Article 39 [2] seems to require to first lodge a complaint with the competent authority as designated by the member state of your residence. Then when that authority invariably fails to act – I have no idea which timeframe we're talking about here – you can "in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise". It isn't clear to me if such a lawsuit would be directed at the authority or at the party violating the Data Act.
I would very much like to be wrong about this. I can imagine Muñoz vs. Superior Fruiticola applies [3] ("it must be possible to enforce that obligation by means of civil proceedings"), but I'm not at all sure, and it's a much weaker route than the one which the GDPR explicitly describes.
Would anyone know or have better references on how to enforce the Data Act, preferably individually?
[1] https://gdpr-info.eu/art-79-gdpr/
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
Quite a few other manufacturers have done the same thing. I use a reverse engineered Polestar library to get charging status but I'm in the middle of building a CANBUS sniffer to do the same job because I don't trust they won't do the same thing as this.
I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.
They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.
This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.
> draconian countermeasures are drafted and constructed one by one.
Except when it’s about privacy or anything else we actually care about: then absolutely nothing is done because it would cost more than 0 to do anything.
1 reply →
> Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press.
It's pretty sad that "User used their product in a novel way we didn't expect" is seen as a risk that must be mitigated.
I suspect the manufacturer probably cares less about what you do to your own car and hacking it, than they do about the potential for security compromise of their products on a broader scale, where they will then get blamed and sued for not having closed said loopholes. It is a no-win situation when it comes to fault assignment.
> It is only a matter of time until they add encryption.
I hope I won't be in one of those cars when the in-memory encryption key gets bit-flipped by the unfortunate cosmic ray.
5 replies →
It’s a fair assumption that most of these things are trickle-down effects of CMS/R155 and CRA combined with very high risk aversion on the company side. The less you expose, the lower the risk.
Right? I imagine there would be a non-trivial sales/marketing boost for the one/first company (in any segment) to fully embrace HA. IKEA is arguably a good example of this.
This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances ), who are also German.
They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.
The ability to interface with your car is fundamentally at odds with the regulatory momentum that's going towards encrypted everything.
Take a look what the automotive risc-v people are working on or the requirements of the EU cyber resilience act.
John Deere started the trend with locking down the farm equipment they sell.
Is there a repo for the new project?
BYD DMCAd my whole repo to connect to their cars... https://github.com/github/dmca/blob/master/2026/05/2026-05-2... It's a shame these car makers are locking down their cars (which are brought for a premium!) and going on a crusade against open source.
You should email Louis Rossmann, he's been helping people in similar situations.
This sure reads like a "you did nothing illegal but will attempt to make it look illegal" kind of thing. Like putting the key to a public space under the doormat, with a sign "key here" and then complaining you cannot use that key to access the already public space.
They alleging you have broken their encryption.. DMCA would be appropriate I would assume in this case. OTOH, if there isn't a first party way to get an auth token or a way to connect your car with home assistant, I see that as a deficiency of service.
r/opensource_legalaid let's reply and demand access to the data.
This comment has really nice translation of corpo-speek to human language :
https://github.com/robinostlund/homeassistant-volkswagencarn...
Why are they shooting them selves in the feet? Is this really a tangible income stream? Is it really increasing security?
> Why are they shooting them selves in the feet?
They don’t. Majority of users don’t care, and some middle manager shmuck, working on MySkoda, can report how “we” prevented a huge security risk and funneled valuable ~~cattle~~ user data where it belongs.
By the way, regarding additional profit stream, to access VW data before you still needed WeConnect subscription (100€ a year), just that before you could use another app or automation to access the data. Now you MUST use exclusively WeConnect and partners to access same data even though you paying already for subscription.
And that is why I'll not be buying a vw ever again despite being a fan of the brand so far.
Pretty sure connect is free for like ten years.
1 reply →
> Why are they shooting them selves in the feet?
Because people will still buy their cars. The average Joe has very little regard for their privacy. We've been trained to be numb.
> Is this really a tangible income stream?
Yep.
> Is it really increasing security?
Nope.
How is this a tangible income stream? I suspect that the amount of customers willing to pay for some weird API access or We Connect offering is rather limited. It would have to be bundled into some other solution, which again I'd guess have a limited customer base.
I have VW and I suppose We Connect, there's not a single thing that's worth paying for, not when you have CarPlay and Android Auto (or whatever that's called). If anything I'd prefer that they'd just drop the personalization they do with users. Our car will forever assume that my wife is driving, because that what the dealer configured and none of us care to mess around with it.
But yeah, people will buy the cars anyway, because all the automation is something that only an incredibly small segment has any interest in. It's just weird that those who actually care about connected cars are the only one VW is punishing with this move.
2 replies →
> Why are they shooting them selves in the feet?
1. They dont think anyone will stop buying their cars because of this
2. They want to make more money
3. (speculation) The drop in demand for their cars in china is leaving them fucked, they need revenue now
Unfortunately I think they're right on #1. In the grand scheme of things the lost sales because of this change are a drop in the bucket. HA and similar tools are not that popular, very few people who have their mind set on buying a VW will change their minds because of this alone.
What's worse is that other manufacturers are starting to do the same thing. They all see unofficial integrations as lost revenue (less of your data to sell because you don't use their app), and higher costs because the usage still comes on their cloud spend bill.
I was talking to my gadget-passionate (but not techie) best friend when the company making our cars made it more difficult to authenticate using the HA integration. He looked at me like I switched to an alien language. "Who cares? Don't you use the app?".
Most executives make commercially disadvantageous decisions in exchange for more power.
It's practically a law of business: executives prioritize their power first and their company's profit margins second. This is one reason why outsourcing coding was so popular despite not saving money and being so commercially disastrous - execs were in the driving seat with that relationship much more than they were with us.
Despite what some people will tell you about how the home assistant consumer segment "doesn't matter" (it does) it really is more about the tangibility of control over data vs the intangibility of lost consumer goodwill.
Companies are not profit maximizing at all costs. The shareholders and the executives are not a singular body they have different and sometimes wildly divergent interests.
Yea, I don't really see the revenue potential here. They seem to be doing this purely to force developers to have a "formal relationship" with them, and to grief all other developers who don't.
Same mentality behind companies who insist users have an "account" to use their otherwise-unconnected products.
I haven't seen anyone put this dynamic in such a clear and succinct description - the fact is that a lot of people (especially corporate managers) just hate the loss of control and will go out of their way to ban people accessing their things "wrong" - even if it's counterproductive for their larger corporation or a goal.
wow - I was looking at moving from Tesla to Skoda for our next EV. Last month it was interceptor missiles for Israel and now this.
[dead]
Client Assertion is an OAuth feature, but that is not at all what is being discussed here, if anyone else was confused. It is only present in the HN title and is not mentioned on the page.
The apps now require the use of "Security Assertion" from the client.
In this case, it's by Play Protect on Android, and whatever they use on iOS.
Client attestation might be more accurate?
seems like google is playing a part in this ? https://github.com/robinostlund/homeassistant-volkswagencarn...
With the software supply chain running amok recently having anything connected feels like playing Russian roulette and I say this as somebody who is running home assistant for years. I’m particularly paranoid about connecting my ev (non-vw) to it now, feels like a serious footgun today, would’ve been convenient three months ago, true.
Seems doubtful that this security will be very strong. It won't be hard to spoof an official client.
If they’ve done it using Secure Enclave it’s essentially physically impossible to spoof.
The github OP reports that browser-based login still works, so it'll likely be circumventable.
Wouldn’t any Volkswagen keys need to cross the network to get into the Secure Enclave? Or couldn’t you exploit the Volkswagen app itself?
2 replies →
If the data is going through the air or a wire it can be sniffed, right? Is every message signed or encrypted like ssl/tls, or is this just some kind of extra header(s)?
1 reply →
DIY alternative with https://www.openvehicles.com/
Ok it's clear my next car will not be a Sköda (or Volkswagen)
Which brand are you thinking of, then?
There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.
There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more
It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.
How so? Do you have rights to your data in secure enclaves?
what you really looking for is API-free services/products. so it works without cloud at all.
or products/companies that explicitly expose API access to their products.
> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.
Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.
> Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.
It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.
1 reply →
[flagged]
*Smuggly* Huh, don’t like it? Just vote with your wallet and buy a car with better TC. Or build your own?
Caught one in the wild!
https://news.ycombinator.com/item?id=48320351
1 reply →
I wonder if companies can T&C their way out of any problem.
8 replies →
Garmin recently did something similar, resorting to tls fingerprinting to prevent unofficial logins to their api (via the popular garth library).
They lost a lifetime customer in me - i think i have spent close to 20k on garmin gear between my wife and myself, watches, gps devices for cars, boats, and hiking gear. If they refuse to give me access to my data, i will (a) lobby for laws to be passed to make this mandatory (b) absolutely never ever buy anything garmin until i see a reversal of this policy and an apology.
More broadly though, its yet another service that blocks API access. No doubt this is caused by proliferation of amateurs armed with agentic tools building nice, personalized frontends for themselves. Companies seem to absolutely hate it when people dont go through their shitty websites with dark patterns, misleading search results and analytics.
Huh, I completely missed that. I've been using python-garminconnect [0] for a few months without issues. I agree though that it's annoying, though not reason enough for me to switch away from Garmin yet.
Already minted tokens work, they broke the login process.
For now its just tls fingerprinting, not client attestation - so, I managed to implement a working solution. But I am sure they will tighten the screws still further.
Same here. I've been scraping the data from my Garmin watch for years with very little problems (first with https://github.com/tcgoetz/GarminDB, then https://github.com/sealbro/dotnet.garmin.connect).
The only annoyance is that Garmin requires 2FA if you enable the ECG feature on your smart watch/fitness tracker, but I have a small program that reads the 2FA codes from my Gmail inbox and supplies them to the scraper without too much trouble.
Where's the 'Open Source Car'?
Where's the open source phone?
The open source washing machine?
We used to have them. Devices so simple anyone with a hammer could fix. Maybe not open source as we understand it today, but rather - trivially reverse engineerable, often with schematics included. Most complex would be rewiring the motor on a washing machine. Did their job fine, but you can't sell them forever, so more complex devices were introduced. Nowadays motorcycles would probably be the closest equivalent, they're often very simple to work on.
> often with schematics included
That was even the norm for complex electronics for decades. But since it makes it easy to reverse engineer it, it's no longer being done due to fear of cheap clones (often inferior, and still doesn't stop anyone these days).
> more complex devices were introduced
And people buys them because they don't care
1 reply →
There are freely available plans for all of those things. They are just more primitive than what you have in mind.
I recently saw a group of automakers together during an event. The contrast between Chinese and Germans was bizare. The group of german automakers were older men in black suits all wearing badge with titles like Senior Executive Sales blablabla. Whereas the Chinese were all young people wearing causual clothing and much more engineering minded. No wonder why european auto makers are doing so badly. They forgot to please people. The only know how to please their untergang.
This could equally illustrate the difference between long established multi national companies with an overbearing corporate culture vs young upstart companies with a dynamic startup culture.
Yeah, this is just the difference between the "cash cow" and "question mark" companies on the BCG growth-share matrix. The Chinese companies will sooner or later turn into stodgy cash cows themselves.
Yea is there not a saying about when the suits and bean counters take over a company the culture dies?
1 reply →
I think you two are talking about the same thing. The overbearing corporate culture is the cause of valuing dress formality over performance and dynamicism.
The question is why doesn't Germany have any young upstart auto companies when the US and China do? The question being the rhetorical kind.
16 replies →
What does client assertion mean here? I don't see any mention in the GitHub issue.
It means that the request to the API contains cryptographic proof that is was generated by a legitimate, reviewed app running on a unmodified and non-rooted mobile device controlled by Apple or Google.
fwiw this is a correct definition of Remote Attestation, matching what is mentioned in the github thread, but Client Assertion is something mostly unrelated (an OAuth implementation detail)
/me scratches VAG cars from a possible new EV purchase.
I hate Elon as much as the next guy, but Tesla is still playing the API game way better than the rest of the pack (even with the "not so new" Tesla Fleet API change)
Volvo is also doing pretty good with offering an official API
But Volvo does not have cheap models with a reasonable range, unfortunately. I'm seeing right now on their Spain's website 40k EUR for a single motor EX30 with 337km WLTP which is ridiculous
2 replies →
And, does the Volvo community have something like TeslaMate built upon the API? It's not sine qua non factor but it will move the scale a LOT in favor of a brand.
Volvo also has the fully mandatory requirement of a consumer Google Account to use the vehicle now due to how tightly integrated Google Automotive is.
4 replies →
Fleet api kinda sucks, but esphome via ble is solid. Even managed to connect $10 macropad so kids in back can control music.
That's pretty brave.
Sad to see some people still believe raw capitalism works and that they can "vote with their wallet".. but they don't see that all car manufacturers can just agree to enshittify their products the same way and use their position to ensure you won't just "start your own car company". There's no real choice and those in power don't care.
Only regulation can help.. or a revolution in case the political system in your country is broken..
Anti-competitive practices that you describe ("all car manufacturers can just agree") is definitely not a capitalistic thing (market competition being an important part of capitalism), and indeed regulation can improve the bad outcomes.
I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.
I don't think there's a consensus about that, as demonstrated by divided opinions on EU DMA and Apple vs Epic.
The anti-regulation arguments aren't framed as "market competition is bad", but rather "the market will sort itself out without intervention" and "let companies do whatever they want to avoid killing innovation".
[flagged]
> if you don't like that car/company, don't buy their product. buy competitors. that will show them much better.
I'm all for voting with my wallet, but it gets exhausting trying to be a few steps ahead. And then nothing guarantees that there won't be a rug pull once you bought the car.
> or petition to government to put pressure on them
Right. Not sure why you have to mention it, since everybody knows this works oh so well.
The problem is that all these T&Cs are just pages upon pages of legalese that not only nobody understands or even reads, but that also aren't exactly advertised before buying. "Buy our smart widget! It only works with its own app, and we'll only support it for a ridiculously short time! Please don't upgrade your phone, or it will stop working!"
Of course governments should do something about it, but even here in the EU, they don't seem too bothered. Hell, even people seem generally fine with it, judging by the number of crappy widgets they buy.
true. on both accounts.
> if you don't like that car/company, don't buy their product. buy competitors. that will show them much better. (or petition to government to put pressure on them).
That maybe fine, but if something is allowed at the time I've bought the car, and then the manufacturer changes their policy such that the usage that I did is no longer allowed?
BTW, to me this is bullshit, first cars shouldn't be connected to the internet in the first place, in the case that they are, I would need to be in full control of what I can do with the API, not that I need to use special software to talk to my own car.
> something is allowed at the time I've bought the car,
good point. yet, I bet in their T&C it was covered. it was just not enforced. and usually they have claim like "if we fail to enforce any part of agreement does not constitue waiver.". so most likely it was expected all along, they were not technically adept to actualyl enforce this. now they can.
but, if your claim stands, I bet you can win case against them.
> cars shouldn't be connected to the internet
yep, same with you on this one.
I mean, it was founded by the Nazi party, they single handedly destroyed diesels through the world's largest scam, what ethics can you really expect from them? I find it extremely funny when people boycott Teslas for being "Nazi" but won't boycott actual Volkswagens that was founded by the real Nazi party and to date - followed some of the most unethical practices in automative history :)
This is not an intelligent comment. the Nazi parry and modern-day Volkswagen have nothing in common, whereas Tesla is currently^ actively^ run by someone morally reprehensible to many.
If you had any actual understanding—:as opposed to just hearing this little factoid in passing and have been waiting for every opportunity to whip it out— you’d know that already. It’s funny as a quip, but don’t for a a second act like it’s a legitimate point, which is exactly what you’re doing.
Stop pasting LLM replies through fake accounts. Dieselgate happened very recently (in this decade). Just research your stuff before you slap a prompt onto an LLM please.
1 reply →
https://m.youtube.com/watch?v=sa8sllg5KIU&pp=ygUOxaFrb2RhIGh...
Insert "we live in a society" meme
Just because the Nsdap party created something that doesn't mean you can automatically treat it is bad. That is prejudice. Something bad happening decades and decades after the party's dissolution is not going to be directly related. It is a reach to think unsupported third party apps breaking is related.
While I agree with you in principle, I don't think this is followed equally. Tesla's are still being vandalized to date, though. Selective outrage is a dangerous thing.
3 replies →
Yup, I wonder if Israelis visiting Germany avoid highways.
Well so the Nazis founded VW with confiscated union capital, and after the war control of the company was basically handed over to the union to make things right.
“Nazis”: see Godwins law