Hacker News

jordanb, today at 4:34 AM (8 replies)

> Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car

It feels like this is something you should get by being owner of the car, and not have to do free speculative research for the manufacturer to get it.


Replies

AbanoubRodolf, today at 7:01 AM

The underlying tension is that "you own the car" means something very different from "you own the software running the car." Tesla treats the firmware as licensed software rather than property you can inspect and modify. The bug bounty program is a PR-friendly way to say "we support security research" while keeping full control over who gets access and under what terms.

Right-to-repair legislation is chipping away at this but slowly. The EU's right-to-repair directive covers physical repair and doesn't really touch software access. The real test would be a regulator taking the position that restricting root access on hardware you own constitutes an anticompetitive tying arrangement, since you can't use the car's data for your own purposes without going through Tesla's APIs and paying their fees.

John Deere has been the main battleground for this argument so far. Farmers can't repair their own tractors without paying for dealer access to diagnostic software. Tesla is the same pattern applied to consumer vehicles, but the consumer advocacy pressure is weaker because fewer people feel the pain directly.

trvz, today at 7:23 AM

Normies get scammed on Discord into pasting commands into their browser console.

As a pedestrian I prefer for most people to not have root access to their multi-ton fast-moving killing machine.

tenthirtyam, today at 11:06 AM

In most cases I agree with this, but maybe not for potentially dangerous things like cars? What if someone roots into their car and disables some essential safety feature - maybe even a legally mandated safety feature?

More concretely, the expertise-required-to-access-root is in a different field to the expertise-required-to-make-wise-changes. i.e. you might know how to hack a car, but that doesn't mean you know how cars operate.

CalRobert, today at 6:33 AM

As much as I tend to agree philosophically, could it not result in people making changes that endanger other road users?

unglaublich, today at 6:38 AM

You can translate that to corresponding car-purchases, i.e. vote with your wallet.

jazzyjackson, today at 6:34 AM

You can feel that way, but plenty of car configuration has always been locked away and walled off, and manufacturers make a tidy profit selling software licenses to dealers and mechanics to perform basic diagnostics. Proprietary software is big business; what can you do?

aaron695, today at 6:38 AM

[dead]

UqWBcuFx6NV4r, today at 10:02 AM

I genuinely think that you shouldn’t get to respond to a comment if you haven’t finished reading it and / or you’re just opting to speak past who you’re replying to. Either way, your comment is in bad faith.