Volkswagen blocks Home Assistant by requiring client assertion

Indeed, this seems to be exactly the area where the Data Act could be used to regain access. Unfortunately it seems that it's not possible to directly sue (e.g.) Volkswagen to get access, unlike the GDPR where you have direct standing under article 79 [1].

There doesn't seem to be much written about enforcing the Data Act, so I looked at the regulation directly. Article 39 [2] seems to require to first lodge a complaint with the competent authority as designated by the member state of your residence. Then when that authority invariably fails to act – I have no idea which timeframe we're talking about here – you can "in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise". But then you are suing that authority, and not the company directly (edit: I was originally unsure about who to sue under article 39, but 39(3) does clarify that it is the authority).

I would very much like to be wrong about this. I can imagine Muñoz vs. Superior Fruiticola applies [3] ("it must be possible to enforce that obligation by means of civil proceedings"), but I'm not at all sure, and it's a much weaker route than the one which the GDPR explicitly describes.

Would anyone know or have better references on how to enforce the Data Act, preferably individually?

[1] https://gdpr-info.eu/art-79-gdpr/

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

Volkswagen has an EU Data Act site:

https://drivesomethinggreater.com/eu-data-act

They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.

This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.

Right? I imagine there would be a non-trivial sales/marketing boost for the one/first company (in any segment) to fully embrace HA. IKEA is arguably a good example of this.

This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances ), who are also German.

They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.

The ability to interface with your car is fundamentally at odds with the regulatory momentum that's going towards encrypted everything.

Take a look what the automotive risc-v people are working on or the requirements of the EU cyber resilience act.

I open my VW app and I think I know why:

https://imgur.com/a/nj0dLku

I just found out about an open source product that might fit your needs, the WiCAN:

https://www.meatpi.com/products/wican-pro

John Deere started the trend with locking down the farm equipment they sell.

Is there a repo for the new project?

You should email Louis Rossmann, he's been helping people in similar situations.

This sure reads like a "you did nothing illegal but will attempt to make it look illegal" kind of thing. Like putting the key to a public space under the doormat, with a sign "key here" and then complaining you cannot use that key to access the already public space.

Have you moved it anywhere else? I checked codeberg and didn't see it there.

They alleging you have broken their encryption.. DMCA would be appropriate I would assume in this case. OTOH, if there isn't a first party way to get an auth token or a way to connect your car with home assistant, I see that as a deficiency of service.

r/opensource_legalaid let's reply and demand access to the data.

> Why are they shooting them selves in the feet?

They don’t. Majority of users don’t care, and some middle manager shmuck, working on MySkoda, can report how “we” prevented a huge security risk and funneled valuable ~~cattle~~ user data where it belongs.

I have first hand view of traffic Home Assistant creates.. there is an upside down usage model.

Infrastructure (servers, bandwidth, etc) costs money.

For better or worse, most devices don't have local interfaces. Some matter devices exist in the past year or two, but not all data/functions are available via matter. Older devices likely won't ever be updated to support matter.

Also lump in the fact that HA is a locally run/focused application, it isn't super compatible with a cloud based API/data delivery system without some additional development from the OEM end.

Last I did the math for an internal system.. in 24 hours HA traffic was ~20% of total, for less than 1% of users. That's wild. Mostly because each instance is pinging the API directly every X or less minutes.

If an executive here heard that math, they'd likely ask to block it as well. Right or wrong that's how people react.

By the way, regarding additional profit stream, to access VW data before you still needed WeConnect subscription (100€ a year), just that before you could use another app or automation to access the data. Now you MUST use exclusively WeConnect and partners to access same data even though you paying already for subscription.

> Why are they shooting them selves in the feet?

Because people will still buy their cars. The average Joe has very little regard for their privacy. We've been trained to be numb.

> Is this really a tangible income stream?

Yep.

> Is it really increasing security?

Nope.

Most executives make commercially disadvantageous decisions in exchange for more power.

It's practically a law of business: executives prioritize their power first and their company's profit margins second. This is one reason why outsourcing coding was so popular despite not saving money and being so commercially disastrous - execs were in the driving seat with that relationship much more than they were with us.

Despite what some people will tell you about how the home assistant consumer segment "doesn't matter" (it does) it really is more about the tangibility of control over data vs the intangibility of lost consumer goodwill.

Companies are not profit maximizing at all costs. The shareholders and the executives are not a singular body they have different and sometimes wildly divergent interests.

> Why are they shooting them selves in the feet?

1. They dont think anyone will stop buying their cars because of this

2. They want to make more money

3. (speculation) The drop in demand for their cars in china is leaving them fucked, they need revenue now

wow - I was looking at moving from Tesla to Skoda for our next EV. Last month it was interceptor missiles for Israel and now this.

The apps now require the use of "Security Assertion" from the client.

In this case, it's by Play Protect on Android, and whatever they use on iOS.

Client attestation might be more accurate?

Yes this is Google helping vendors block access to their APIs by using hardware attestation.

I recently hit the same wall trying to directly my garage door opener's API (MyQ).

I'd be amazed if Google enabling this behavior doesn't violate some EU competition laws.

This seems like less of a reason to get off of Homeassistant and more a reason to stop buying closed source/cloud only products to connect to HomeAssistant.

> It's a very cool and functional project but it is entirely dependent on companies keeping their APIs open

I have more than 50 entities in HA, there isn't a company in the world that could make a single one of them stop working.

Honestly I think that out of the things you mention, HA is the furthest from a ticking timebomb.

That's a frying pan => fire situation. I started my home automation journey in the same way, and being HK-centric is pretty decent. HA with 100% local-control devices that _bridges_ to HK is what I'm looking at next.

Often, the HK-only devices are terrible wrt WiFi stability, and I need to pay more attention to how matter/thread is working lately.

I know some people complain about zigbee/zwave but they've been way better on average than HK over wifi.

There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more

It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.

what you really looking for is API-free services/products. so it works without cloud at all.

or products/companies that explicitly expose API access to their products.

> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.

Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.

I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.

> Sköda

If IKEA ever bought Škoda.

Which brand are you thinking of, then?

If they’ve done it using Secure Enclave it’s essentially physically impossible to spoof.

Huh, I completely missed that. I've been using python-garminconnect [0] for a few months without issues. I agree though that it's annoying, though not reason enough for me to switch away from Garmin yet.

  [0]: https://github.com/cyberjunky/python-garminconnect

We used to have them. Devices so simple anyone with a hammer could fix. Maybe not open source as we understand it today, but rather - trivially reverse engineerable, often with schematics included. Most complex would be rewiring the motor on a washing machine. Did their job fine, but you can't sell them forever, so more complex devices were introduced. Nowadays motorcycles would probably be the closest equivalent, they're often very simple to work on.

There are freely available plans for all of those things. They are just more primitive than what you have in mind.

It means that the request to the API contains cryptographic proof that is was generated by a legitimate, reviewed app running on a unmodified and non-rooted mobile device controlled by Apple or Google.

This could equally illustrate the difference between long established multi national companies with an overbearing corporate culture vs young upstart companies with a dynamic startup culture.

Are the Chinese particularly open API-wise here? Another user says BYD applied the DMCA to his repo that reverse-engineered their app (necessary because there's no other way). I think European auto-makers are probably doing poorly because a regime shift occurred in battery tech and EVs became much more useful and EVs are a manufacturing problem that advantages the guys who've been manufacturing electric motors and disadvantages the guys who manufacture cutting-edge gasoline engines.

I'm reminded of the fact that when I got a Roomba ten years ago the box said that the device was open and hackable. Searching online, the text looked like:

> This robot contains an electronic and software interface that allows you to control or modify, and remotely monitor its sensors. For software programmers interested in giving your iRobot new functionality we encourage you to do so.

My Dreame X40 Ultra does work flawlessly with Home Assistant but it carries no such text. In the end, I prefer the working to the text (so perhaps the Chinese companies are better), but things have changed over the intervening years.

Volvo is also doing pretty good with offering an official API

Fleet api kinda sucks, but esphome via ble is solid. Even managed to connect $10 macropad so kids in back can control music.

Anti-competitive practices that you describe ("all car manufacturers can just agree") is definitely not a capitalistic thing (market competition being an important part of capitalism), and indeed regulation can improve the bad outcomes.

I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.

Insert "we live in a society" meme

Just because the Nsdap party created something that doesn't mean you can automatically treat it is bad. That is prejudice. Something bad happening decades and decades after the party's dissolution is not going to be directly related. It is a reach to think unsupported third party apps breaking is related.

Well so the Nazis founded VW with confiscated union capital, and after the war control of the company was basically handed over to the union to make things right.

This is not an intelligent comment. the Nazi parry and modern-day Volkswagen have nothing in common, whereas Tesla is currently^ actively^ run by someone morally reprehensible to many.

If you had any actual understanding—:as opposed to just hearing this little factoid in passing and have been waiting for every opportunity to whip it out— you’d know that already. It’s funny as a quip, but don’t for a a second act like it’s a legitimate point, which is exactly what you’re doing.

“Nazis”: see Godwins law