| ▲ | varenc 8 hours ago |
| From the article > Tesla offers a “Root access program” on their bug bounty program. Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car, allowing them to log in as root and continue their research further. Pretty interesting. Sounds like Apple's Security Research Device Program[0], where you're loaned a rooted iPhone, but with clear qualification criteria. It strikes a nice balance, because to qualify you have to 1) show you have the skills to get root access anyway and 2) show you're willing to participate in the bug bounty program and get things patched. I would of course love root on everything I own, but I can understand Tesla's motivation here since root for everyone would make vulnerability discovery easier for malicious actors. And if everyone had root on their Tesla, it'd be much easier to make naughty modifications that might catch the ire of regulators (like disabling driver attentiveness checks in self-driving mode). [0] https://security.apple.com/research-device/ |
|
| ▲ | jordanb 5 hours ago | parent | next [-] |
| > Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car It feels like this is something you should get by being the owner of the car, and not have to do free speculative research for the manufacturer to get it. |
| |
| ▲ | AbanoubRodolf 2 hours ago | parent | next [-] | | The underlying tension is that "you own the car" means something very different from "you own the software running the car." Tesla treats the firmware as licensed software rather than property you can inspect and modify. The bug bounty program is a PR-friendly way to say "we support security research" while keeping full control over who gets access and under what terms. Right-to-repair legislation is chipping away at this but slowly. The EU's right-to-repair directive covers physical repair and doesn't really touch software access. The real test would be a regulator taking the position that restricting root access on hardware you own constitutes an anticompetitive tying arrangement, since you can't use the car's data for your own purposes without going through Tesla's APIs and paying their fees. John Deere has been the main battleground for this argument so far. Farmers can't repair their own tractors without paying for dealer access to diagnostic software. Tesla is the same pattern applied to consumer vehicles, but the consumer advocacy pressure is weaker because fewer people feel the pain directly. | | |
| ▲ | Reason077 2 hours ago | parent | next [-] | | > "Tesla is the same pattern applied to consumer vehicles" It really isn't. Unlike John Deere, Tesla is actually pretty good on right-to-repair. All of their technical and repair manuals are available for free to anyone. The service/diagnostics software ("Toolbox") is also available to anyone, albeit for a (not entirely unreasonable) fee. (There is also a service mode built into the car which can do many basic diagnostics for free) | | |
| ▲ | consp 32 minutes ago | parent [-] | | > All of their technical and repair manuals are available for free to anyone. That should be the bare minimum. Ford charges you 40 dollars an hour for it and unless you know exactly what you are looking for you will spend several hundreds on it. Too bad Ford killed their old site, the print form was unauthenticated and you could print the entire schematics to PDF if you knew the internal model number. Or do what I did and run a script to dump it to higher res PNGs. |
| |
| ▲ | CraigJPerry an hour ago | parent | prev | next [-] | | >> Tesla is the same pattern applied to consumer vehicles No, I'd push back on this because the entire workshop manual is available for free without even registration required. You can literally google and land in the relevant sections and it is of a far higher quality than Ford, VAG or BMW as three examples I'm pretty familiar with. I haven't seen the John Deere stuff. Tesla does have "special tools" for some repair procedures, a practice as old as the auto industry, but they don't rely on them to the same extent as BMW for example. Anecdotally, the special tools I'm aware of are genuinely useful - for example, the tool for disconnecting seatbelt anchors saves time vs the traditional bolt - where special tools on other marques are often clearly to work around a failure of packaging or engineering resulting in tight access for a regular tool. Their online API access is a little bit annoying, or at least unfriendly to the casual home user, specifically the workflow to register an OIDC client, but not insurmountable. | |
| ▲ | 2 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | gspr 2 hours ago | parent | prev | next [-] | | > The underlying tension is that "you own the car" means something very different from "you own the software running the car." How is this different from the 2000s, or the 90s, or even before, when the normal thing to do with commercial software was to purchase a license to use said software and a physical medium containing a copy? You'd also then not "own the software", but you owned the right to install a copy on your own computer and use it. That worked without having to hand over the keys to your own computer. Sure, the physical delivery medium is gone, but that's just a detail. Why do we now think that just because we license software for use, we can't be in ultimate charge of our own devices? | |
| ▲ | holoduke an hour ago | parent | prev [-] | | Tesla absolutely does not apply the same patterns as John Deere. Everyone can fix Teslas. Parts are easy to obtain. Never had issues with them. John Deere on the other hand is the absolute evil of right to repair. |
| |
| ▲ | trvz 2 hours ago | parent | prev | next [-] | | Normies get scammed on Discord into pasting commands into their browser console. As a pedestrian I prefer for most people to not have root access to their multi-ton fast-moving killing machine. | | |
| ▲ | pastage 30 minutes ago | parent [-] | | Agreed, but it is remote root access that is the danger; they already have root access to the physically dangerous things. |
| |
| ▲ | CalRobert 3 hours ago | parent | prev | next [-] | | As much as I tend to agree philosophically, could it not result in people making changes that endanger other road users? | | |
| ▲ | chneu 3 hours ago | parent | next [-] | | No, one can do that anyway. There is basically no real way to stop folks from modifying their cars. It can be made more difficult, sure. This is about selling tools and access. It's another profit pipeline for car OEMs. | | |
| ▲ | dr_kiszonka 2 hours ago | parent [-] | | Perhaps it is also about liability. Otherwise, we would have people installing OpenClaw on their Teslas. | | |
| ▲ | fc417fc802 2 hours ago | parent [-] | | Then why wasn't it a problem before? People have always been able to install aftermarket or possibly even hacked together physical parts. If there was liability you'd expect some sort of shield blocking access to, for example, the hydraulic system for the brakes. As it turns out though blatant irresponsibility is quite rare (depending on your definition anyway) since people have a strong self interest in not endangering their own lives or wallets. It's similar for homeowners - many states explicitly carve out a requirement that insurance companies cover DIY modifications that are within reason and this generally works out since you have a strong vested interest in not destroying your own house regardless of any insurance policy. | | |
| ▲ | lmm 37 minutes ago | parent [-] | | > Then why wasn't it a problem before? It is. Thousands of people have died because of aftermarket headlights. Harder to assess, but probably much larger, is the number of excess deaths from nitrous oxide etc. emitted by modified cars. | | |
| ▲ | pastage 23 minutes ago | parent [-] | | There are about 3000 deaths per year in Sweden attributed to pollution from cars, and 300 physical accidents. So it is a really big issue, but it is almost impossible to make people understand that their car use and modification maims people. Modified cars can release 1000x more pollution; on streets with 800 daily cars that will have an effect. |
|
| ▲ | jazzyjackson 3 hours ago | parent | prev | next [-] | | I don’t think that’s the reason, seeing as a car is already endangering everyone around it by existing. More likely about keeping the tooling to diagnose issues proprietary and expensive. | | |
| ▲ | auggierose 2 hours ago | parent [-] | | Obviously, they are both very good reasons. Just because you don't like one of them, doesn't mean the other one doesn't suddenly exist anymore. |
| |
| ▲ | stephen_g 2 hours ago | parent | prev | next [-] | | That kind of thing is always the stated justification but never the real reason. Almost invariably when that excuse is trotted out, there are usually many things that are much more common that are also far more dangerous. For example, texting while driving or driving with bald tires in the wet are both 100x more dangerous than anything almost anybody would do by modifying the car's software. | |
| ▲ | RockRobotRock 2 hours ago | parent | prev [-] | | Four 9/11s worth of people die every year from drunk driving. If we can't even get that under control, I don't see why being able to modify your own car is a big deal. |
| |
| ▲ | unglaublich 3 hours ago | parent | prev | next [-] | | You can translate that to corresponding car-purchases, i.e. vote with your wallet. | | |
| ▲ | Yaggo 3 hours ago | parent [-] | | Really? Which car manufacturer officially provides you root access to your vehicle? |
| |
| ▲ | jazzyjackson 3 hours ago | parent | prev | next [-] | | You can feel that way, but plenty of car configuration has always been locked away and walled off, and manufacturers make a tidy profit selling software licenses to dealers and mechanics to perform basic diagnostics. Proprietary software is big business; what can you do. | | |
| ▲ | franga2000 3 hours ago | parent | next [-] | | Definitely not always. It used to be that a mechanic or a skilled owner could tune, modify, repair or replace absolutely anything in your car. That was basically since the invention of the car, up to somewhere in the 2000s. And even then, various hackers and pirates made sure almost anyone could get their hands on the software. In fact, many mechanics these days use 3rd party software because the manufacturer refuses to sell them their version or even that version doesn't have all the features. | |
| ▲ | fc417fc802 2 hours ago | parent | prev [-] | | That is the recent (and gradually worsening) situation but it is not in and of itself a justification. Effectively you're saying "it's currently this way therefore it's okay for it to be this way". Manufacturers have increasingly restricted control over products as they've gradually been digitized. Prior to the digital era anyone could do anything to personal property (regulations notwithstanding ofc); more expensive items typically came with circuit diagrams for the purpose of repairing them. |
| |
| ▲ | aaron695 3 hours ago | parent | prev [-] | | [dead] |
|
| ▲ | Traster 13 minutes ago | parent | prev | next [-] |
| And as we all know, if you're smart enough to get root access, your neighbours' children playing football in the street should be subject to the risk of you driving a car that claims to have full self driving with custom code on it. |
|
| ▲ | xyzzy123 7 hours ago | parent | prev | next [-] |
| Having shell is extremely handy for further discovery. SO handy that if they were just gonna patch the bug and lock you out, you would simply not disclose it. |
|
| ▲ | fomine3 6 hours ago | parent | prev | next [-] |
| If they don't give root, researchers may have an incentive to keep the vuln secret for root access. Looks reasonable. |
|
| ▲ | EquallyJust 5 hours ago | parent | prev | next [-] |
| It's a mixed bag. This only applies to the infotainment system and not the autopilot computer. They've also revoked certificates from researchers' personal cars in the past. |
|
| ▲ | dostick 4 hours ago | parent | prev | next [-] |
| That’s quite a weak confidence in their own platform security if finding a root level vulnerability is not a one-off event, but it’s a program expected to have multiple people routinely finding those. |
| |
| ▲ | unglaublich 3 hours ago | parent [-] | | Well it's a selection bias. If an athlete breaks a world record, they're likely to do it again. Even though it's incredibly hard to break a world record. |
|
| ▲ | noosphr 2 hours ago | parent | prev | next [-] |
| Imagine having to hack your device, then having to submit a request to actually own it. |
|
| ▲ | otabdeveloper4 2 hours ago | parent | prev [-] |
| The interesting part is this implies that Tesla cars have static certificates that don't rotate. (Whoops.) |
| |
| ▲ | bdavbdav 32 minutes ago | parent | next [-] | | Not necessarily. All they have to do is roll a pub key into the update package. Same as any OTA update. | |
| ▲ | worthless-trash 2 hours ago | parent | prev [-] | | Why can't they rotate? Having root SSH keys on the device doesn't imply the certs don't rotate. |
|
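The last few comments turn on how an OpenSSH user certificate relates to the CA key that sits on the device. The script below is an added illustration, not code from the thread or from Tesla, and it uses nothing but `ssh-keygen` in a scratch directory. The key names (`fleet-ca-v1`, `fleet-ca-v2`, `owner-laptop`), the `root` principal and the serial numbers are constructed for the demonstration. It shows three things a defender cares about: a certificate is bound to the fingerprint of the CA that signed it (so shipping a new CA public key in an update package, as `TrustedUserCAKeys` on the device, invalidates every old cert even if it was issued "forever"); certificates can be issued with a bounded validity window instead; and a single cert can be revoked through a KRL (`RevokedKeys` in `sshd_config`) without touching the owner's bare key or the CA.

```shell
#!/bin/sh
# Added example: lifecycle of an OpenSSH user certificate (issue, rotate CA,
# bound validity, revoke via KRL) using only ssh-keygen. Not from the thread.
set -eu

# SHA256 fingerprint of a public key file, e.g. "SHA256:abc...".
fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Runs the whole demonstration in a temp dir and returns 0 only if every
# expectation holds; returns 1 on the first check that fails.
demo_ssh_cert_lifecycle() {
    dir=$(mktemp -d)

    # 1. A fleet CA (constructed; in practice the private half never leaves
    #    the vendor's signing infrastructure) and an owner's key pair.
    ssh-keygen -q -t ed25519 -N '' -C 'fleet-ca-v1' -f "$dir/ca_v1"
    ssh-keygen -q -t ed25519 -N '' -C 'owner-laptop' -f "$dir/user"

    # 2. A "permanent" cert: principal root, serial 1001, no -V so it is
    #    valid forever. ssh-keygen writes $dir/user-cert.pub.
    ssh-keygen -q -s "$dir/ca_v1" -I research-1001 -n root -z 1001 "$dir/user.pub"

    # 3. The cert embeds the signing CA's fingerprint; sshd accepts it only
    #    if that CA is listed in TrustedUserCAKeys on the device.
    ca_in_cert=$(ssh-keygen -L -f "$dir/user-cert.pub" | awk '/Signing CA/ {print $4}')
    [ "$ca_in_cert" = "$(fingerprint "$dir/ca_v1.pub")" ] || return 1

    # 4. Rotation: ship ca_v2.pub in the next update package. The old cert
    #    still says "forever" but no longer matches the trusted CA.
    ssh-keygen -q -t ed25519 -N '' -C 'fleet-ca-v2' -f "$dir/ca_v2"
    [ "$ca_in_cert" != "$(fingerprint "$dir/ca_v2.pub")" ] || return 1

    # 5. Alternative to "forever": a cert bounded to 52 weeks from now.
    cp "$dir/user.pub" "$dir/limited.pub"
    ssh-keygen -q -s "$dir/ca_v1" -I research-1002 -n root -z 1002 -V +52w "$dir/limited.pub"
    ssh-keygen -L -f "$dir/limited-cert.pub" | grep -q 'Valid: from' || return 1

    # 6. Revocation without rotation: a KRL entry for the cert (recorded by
    #    serial under ca_v1) rejects it, while the owner's bare key is still
    #    reported ok. ssh-keygen -Q exits non-zero when a key is revoked.
    ssh-keygen -k -f "$dir/revoked.krl" "$dir/user-cert.pub"
    ssh-keygen -Q -f "$dir/revoked.krl" "$dir/user-cert.pub" >/dev/null 2>&1 && return 1
    ssh-keygen -Q -f "$dir/revoked.krl" "$dir/user.pub" >/dev/null 2>&1 || return 1

    rm -rf "$dir"
    return 0
}

# Stand-alone run; skipped quietly when ssh-keygen is not installed.
if command -v ssh-keygen >/dev/null 2>&1; then
    demo_ssh_cert_lifecycle && echo "cert lifecycle checks passed"
else
    echo "ssh-keygen not found; nothing to demonstrate"
fi
```

The point for the thread: a cert that is "permanent" from the researcher's side is still only as permanent as the CA public key the device trusts, and the operator has two independent levers (replace the trusted CA, or push a KRL) that work without rotating anything on the owner's side. Step 6 also shows why revoking by certificate serial is preferable to revoking the bare public key: the owner keeps using the same key pair for everything else.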