Comment by Hnedelin

3 hours ago

Except it is their job, that is why certain signals on the car are protected from manipulation. Any attempt to circumvent this and succeeding would require direct action from VW. If they cannot prove that they did everything possible to prevent that, then they are legally liable to the authorities.

Same way that banking apps don’t care if you could screw up your account anyway, they will ban rooted phones just to avoid the risk. Because when something happens, what do you think is more likely? That the customer accepts full responsibility for using a rooted device and says that’s on me? Or that they blame the bank for losing all their savings?

Easy: separate the systems into the safety-critical ones required for driving, and the nice-to-have ones used for things like entertainment. You can now give the car's owner full access to the latter via all sorts of weird 3rd-party apps, as there's no way for that access to cause serious issues.

They should be doing this anyways, or else you end up with your Jeep being crashed via wifi [0], and having the blast radius of a corrupt album image [1] restricted to infotainment is probably a really good idea too.

[0]: https://www.kaspersky.com/blog/blackhat-jeep-cherokee-hack-e...

[1]: https://www.theregister.com/software/2022/02/10/radio-statio...

> If they cannot prove that they did everything possible to prevent that, then they are legally liable to the authorities.

Laws mostly don't work like that. The seller of gasoline doesn't have to prove they did everything possible to design the product to prevent anyone from using it for arson, nor should they because that's preposterous.

> Because when something happens, what do you think is more likely? That the customer accepts full responsibility for using a rooted device and says that’s on me? Or that they blame the bank for losing all their savings?

You're making the assumption that rooted phones are more likely to be compromised, but it's entirely the opposite. The stock software on phones regularly goes out of support and has known unpatched vulnerabilities (but will still pass Play Protect) and the only way to get a patched system on that device is to install a newer third-party ROM. On top of that, GrapheneOS has better security than stock Android even for the same version.

Moreover, that has nothing to do with liability. When the user with the vendor-supplied firmware still gets pwned and has their account drained, they're still going to go to the bank looking to get their money back. All the bank does by going out of their way to block third-party firmware is to make that marginally more likely.