Security ultimately oftentimes comes with a tradeoff for user experience or privacy.
How do device integrity checks materially affect the security posture for theft when considering this system? Presumably the security checks for remotely unlocking a car are based around credentials and authN/authZ for the unlock service call?
Enforcing client-side security has entered the picture recently, but a lot of it comes from security checklists from people saying "did you add this check?" Sure, adding a device integrity check may stop at least one malicious actor, but is it worth the cost? To most companies, they’re going to say they don’t understand or care about the impact.
They could just go back to key fobs since those can’t run arbitrary code.
It’s a question of security risk profiles.
No one cares about privacy.