42 comments

[ 2.7 ms ] story [ 66.0 ms ] thread
(comment deleted)
This comment has really nice translation of corpo-speek to human language :

https://github.com/robinostlund/homeassistant-volkswagencarn...

Why are they shooting them selves in the feet? Is this really a tangible income stream? Is it really increasing security?

wow - I was looking at moving from Tesla to Skoda for our next EV. Last month it was interceptor missiles for Israel and now this.
By the way, regarding additional profit stream, to access VW data before you still needed WeConnect subscription (100€ a year), just that before you could use another app or automation to access the data. Now you MUST use exclusively WeConnect and partners to access same data even though you paying already for subscription.
I have first hand view of traffic Home Assistant creates.. there is an upside down usage model.

Infrastructure (servers, bandwidth, etc) costs money.

For better or worse, most devices don't have local interfaces. Some matter devices exist in the past year or two, but not all data/functions are available via matter. Older devices likely won't ever be updated to support matter.

Also lump in the fact that HA is a locally run/focused application, it isn't super compatible with a cloud based API/data delivery system without some additional development from the OEM end.

Last I did the math for an internal system.. in 24 hours HA traffic was ~20% of total, for less than 1% of users. That's wild. Mostly because each instance is pinging the API directly every X or less minutes.

If an executive here heard that math, they'd likely ask to block it as well. Right or wrong that's how people react.

I recently saw a group of automakers together during an event. The contrast between Chinese and Germans was bizare. The group of german automakers were older men in black suits all wearing badge with titles like Senior Executive Sales blablabla. Whereas the Chinese were all young people wearing causual clothing and much more engineering minded. No wonder why european auto makers are doing so badly. They forgot to please people. The only know how to please their untergang.
Are the Chinese particularly open API-wise here? Another user says BYD applied the DMCA to his repo that reverse-engineered their app (necessary because there's no other way). I think European auto-makers are probably doing poorly because a regime shift occurred in battery tech and EVs became much more useful and EVs are a manufacturing problem that advantages the guys who've been manufacturing electric motors and disadvantages the guys who manufacture cutting-edge gasoline engines.

I'm reminded of the fact that when I got a Roomba ten years ago the box said that the device was open and hackable. Searching online, the text looked like:

> This robot contains an electronic and software interface that allows you to control or modify, and remotely monitor its sensors. For software programmers interested in giving your iRobot new functionality we encourage you to do so.

My Dreame X40 Ultra does work flawlessly with Home Assistant but it carries no such text. In the end, I prefer the working to the text (so perhaps the Chinese companies are better), but things have changed over the intervening years.

There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.
It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.
> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.

Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.

I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.

/me scratches VAG cars from a possible new EV purchase.

I hate Elon as much as the next guy, but Tesla is still playing the API game way better than the rest of the pack (even with the "not so new" Tesla Fleet API change)

Garmin recently did something similar, resorting to tls fingerprinting to prevent unofficial logins to their api (via the popular garth library).

They lost a lifetime customer in me - i think i have spent close to 20k on garmin gear between my wife and myself, watches, gps devices for cars, boats, and hiking gear. If they refuse to give me access to my data, i will (a) lobby for laws to be passed to make this mandatory (b) absolutely never ever buy anything garmin until i see a reversal of this policy and an apology.

More broadly though, its yet another service that blocks API access. No doubt this is caused by proliferation of amateurs armed with agentic tools building nice, personalized frontends for themselves. Companies seem to absolutely hate it when people dont go through their shitty websites with dark patterns, misleading search results and analytics.

Quite a few other manufacturers have done the same thing. I use a reverse engineered Polestar library to get charging status but I'm in the middle of building a CANBUS sniffer to do the same job because I don't trust they won't do the same thing as this.

I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.

This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances ), who are also German.

They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.

Is there a repo for the new project?
The ability to interface with your car is fundamentally at odds with the regulatory momentum that's going towards encrypted everything.

Take a look what the automotive risc-v people are working on or the requirements of the EU cyber resilience act.

John Deere started the trend with locking down the farm equipment they sell.
I mean, it was founded by the Nazi party, they single handedly destroyed diesels through the world's largest scam, what ethics can you really expect from them? I find it extremely funny when people boycott Teslas for being "Nazi" but won't boycott actual Volkswagens that was founded by the real Nazi party and to date - followed some of the most unethical practices in automative history :)
Well so the Nazis founded VW with confiscated union capital, and after the war control of the company was basically handed over to the union to make things right.
Insert "we live in a society" meme
Seems doubtful that this security will be very strong. It won't be hard to spoof an official client.
With the software supply chain running amok recently having anything connected feels like playing Russian roulette and I say this as somebody who is running home assistant for years. I’m particularly paranoid about connecting my ev (non-vw) to it now, feels like a serious footgun today, would’ve been convenient three months ago, true.
Sad to see some people still believe raw capitalism works and that they can "vote with their wallet".. but they don't see that all car manufacturers can just agree to enshittify their products the same way and use their position to ensure you won't just "start your own car company". There's no real choice and those in power don't care.

Only regulation can help.. or a revolution in case the political system in your country is broken..

Anti-competitive practices that you describe ("all car manufacturers can just agree") is definitely not a capitalistic thing (market competition being an important part of capitalism), and indeed regulation can improve the bad outcomes.

I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.

seems like google is playing a part in this ? https://github.com/robinostlund/homeassistant-volkswagencarn...
Yes this is Google helping vendors block access to their APIs by using hardware attestation.

I recently hit the same wall trying to directly my garage door opener's API (MyQ).

I'd be amazed if Google enabling this behavior doesn't violate some EU competition laws.

What does client assertion mean here? I don't see any mention in the GitHub issue.
Where's the 'Open Source Car'?

Where's the open source phone?

The open source washing machine?

Client Assertion is an OAuth feature, but that is not at all what is being discussed here, if anyone else was confused. It is only present in the HN title and is not mentioned on the page.
Wasn't the EU Data Act (https://digital-strategy.ec.europa.eu/en/policies/data-act) put in place to exactly prevent these kind of scenarios (Article 4 and 5)?

"where the user cannot directly access the data from the connected product or related service, the data holder must make the readily available data and necessary metadata accessible to the user without undue delay, in the same quality as available to the data holder, easily, securely, free of charge, in a structured, commonly used, machine-readable format, and continuously/in real time where relevant and technically feasible."

There is even special EU guidance for vehicle data for it: https://digital-strategy.ec.europa.eu/en/library/guidance-ve...

Ok it's clear my next car will not be a Sköda (or Volkswagen)
> Sköda

If IKEA ever bought Škoda.

(comment deleted)
I've been doing smart home stuff for a long time. This is one of the reasons why I got off of Home Assistant.

It's a very cool and functional project but it is entirely dependent on companies keeping their APIs open, or, more commonly, companies not patching teh magic that makes reverse-engineered APIs possible.

Unfortunately, developments over the years have NOT gone in their favor. Tesla, Ring, MyQ, Ecobee and probably others have closed their APIs over the years. They've usually cited "security concerns" as the motivating factor for the API closures, which has some legitimacy, but IMO it's usually driven by fear of losing subscription revenue.

(Tesla charges a lot for official OAuth apps, though, to be fair, earlier hacks relied on a leaked OAuth app that they never got around to patching. Ecobee locked HomeKit and some other stuff behind their Security+ Subscription, which is a joke considering how anemic their security platform is. MyQ definitely did it to protect their $45/year subscription; jokes on them since RATGDO is infinitely better. Ring still works for some reason, but HomeKit Secure Video support is extremely dicey in part due to the fear of them turning their API off as well.)

For someone like me who primarily used HA for HomeKit integration, depending on it is a ticking timebob. When we moved into our new house, I focused on finding stuff that was natively compatible with HomeKit without workarounds. Our smart home works much better now because of it.

This entire thing is simply ridiculous, and infuriating! Just sell me a car, or TV, or washing machine, etc. Don't sell me a multi-layered safe with different combinations for each level.
And this is why there should be very very unpleasant for manufacturer legislation about allowing access to hardware you buy. This is a generic problem not limited to automotive industry, though they are a major offender. Locked down android auto, systems, buses, everything is proprietary and you are the whims of the manufacturers decisions