Volkswagen blocks Home Assistant by requiring client assertion

What VW Changed and How

  • VW group apps now use hardware-backed “security/client attestation” (Play Integrity / iOS equivalent) so the backend only accepts requests from approved, non-rooted devices running official apps.
  • This breaks Home Assistant and other unofficial integrations that previously authenticated via the same cloud APIs.
  • Browser-based login still works for now, so some expect workarounds to remain possible, but see the change as part of a clear tightening trend.
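
The gate described above, as an added illustration (not VW's code and not from the thread): a backend policy check over an already-verified, decoded Play Integrity verdict. Field names are the documented ones; the package name, certificate digest, request body and timestamps are constructed, and verification/decryption of the signed token is assumed to have happened before this function runs.

```python
import base64
import hashlib

# Constructed sample, shaped like a decoded Play Integrity verdict (documented field
# names; package name, digest and timestamp are made up, not from any real app).
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.carapp",
        "nonce": "",  # filled in below so it binds to the sample request body
        "timestampMillis": 1_700_000_000_000,
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.carapp",
        "certificateSha256Digest": ["CONSTRUCTED_DIGEST_0001"],
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
}

# Hypothetical allowlist: approved package -> acceptable signing-certificate digests.
APPROVED_APPS = {"com.example.carapp": {"CONSTRUCTED_DIGEST_0001"}}
SAMPLE_BODY = b'{"vin":"CONSTRUCTED","action":"lock"}'

def request_nonce(body: bytes) -> str:
    """Nonce the client must have attested: a hash of the request it accompanies."""
    return base64.urlsafe_b64encode(hashlib.sha256(body).digest()).decode().rstrip("=")
SAMPLE_VERDICT["requestDetails"]["nonce"] = request_nonce(SAMPLE_BODY)

def evaluate(verdict: dict, body: bytes, now_ms: int, max_age_ms: int = 5 * 60_000):
    """Return (accepted, reasons): official app, approved signer, non-rooted device, fresh nonce."""
    reasons = []
    rd, app = verdict.get("requestDetails", {}), verdict.get("appIntegrity", {})
    if rd.get("nonce") != request_nonce(body):
        reasons.append("nonce does not match this request (replayed or relayed verdict)")
    if not 0 <= now_ms - rd.get("timestampMillis", 0) <= max_age_ms:
        reasons.append("verdict stale or timestamped in the future")
    pkg = app.get("packageName")
    if pkg not in APPROVED_APPS or pkg != rd.get("requestPackageName"):
        reasons.append("package not on the approved-app allowlist")
    elif not APPROVED_APPS[pkg] & set(app.get("certificateSha256Digest", [])):
        reasons.append("unknown signing certificate (repackaged build)")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized as an official release")
    device = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        reasons.append("device integrity not met (rooted, unlocked or emulated device)")
    return (not reasons, reasons)
```

The verdict establishes which app build and device class sent the request, not who the user is, so it sits alongside user authentication and server-side authorization rather than replacing them.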

Motivations Attributed to Automakers

  • Revenue and data: unofficial integrations are seen as lost data monetization and lost subscription/API revenue; some point to Tesla-style paid APIs and VW’s WeConnect subscription as precedents.
  • Cost: HA instances can generate disproportionate traffic (e.g., ~20% of API load from <1% of users), so blocking them saves bandwidth and infra costs.
  • Power/control: multiple comments argue execs and middle managers prioritize control over data and “formal relationships” with developers over user goodwill.
  • Risk and regulation: others link it to security compliance (UNECE R155, EU Cyber Resilience Act), corporate risk aversion, and fear of liability from third-party hacks or sensational headlines.

User Impact and Reactions

  • Home Assistant users feel disproportionately punished despite being the most engaged customers.
  • Some cancel planned VW/Skoda purchases or swear off the brand; others think mainstream buyers don’t care and sales impact will be negligible.
  • A few are moving to CAN bus sniffing or hardware dongles to bypass cloud APIs.

Remote Attestation Debate

  • Critics see attestation as a tool to prevent owners from using devices as they wish and to make interoperability “cryptographically impossible”; some call for it to be outlawed.
  • Supporters list legitimate uses: protecting credentials on exposed devices, enforcing corporate device policies, and securing payment terminals, while acknowledging it’s only one layer of defense.
  • Disagreement over whether such uses justify locking out owner-built integrations.

Law, Data Rights, and Enforcement (EU)

  • Several cite the EU Data Act vehicle guidance: users should get real-time, machine-readable access to their product data.
  • Some claim VW’s behavior is already illegal; others analyze the text and note that enforcement likely requires complaints to national authorities, with no clear direct private right of action.
  • Frustration over the EU's fragmented, member-state-level enforcement compared with a more centralized US-style regulator.

Broader Trend: Lockdown and Right to Repair

  • Similar API lockouts or legal threats reported from Tesla, Garmin, Polestar, BYD (DMCA), MyQ, John Deere and others.
  • Concern that increasing cryptographic control (CAN auth/encryption, remote attestation) will make open-source, self-hosted and “right to repair” approaches progressively harder.
  • Some advocate only buying locally controlled, non-cloud, or explicitly open-API products; others argue regulation is the only realistic counterweight to industry-wide “enshittification.”