It's not good that they allow anyone that happens to be in your car briefly root access. It'd be live having an always-on laptop in your office with a open shell on it.
replyThey should have provided some mechanism for the real owner to approve updates if the updates aren't all trusted by default.
Who cares? The valet could do any number of other attacks, like stealing the car, sabotage, adding a tracker, whatever. Threat modeling is important, otherwise security can harm one's own goals. Sometimes you have to briefly trust another person. I'd rather have an open shell inside a locked room when the alternative is no access at all.
replyYou would notice if someone stole your car though.
replyHow do you validate “the real owner” if having the keys isn’t enough? That sufficient to steal the car.
replyYou could do a PIN/password, but if it is never used during operation, nobody will know it. Ask anyone who’s had a head unit that needed a PIN after losing power.
Mere possession is also enough for someone to steal your laptop, but that still shouldn't allow them to trivially install a secret persistent backdoor, or break your disk encryption.
replyAgree that a PIN/Password would have usability problems with a car. Since no car manufacturer intentionally permits you to install software you want, there's no standard mechanism. But if this was standard I think an owner-set PIN would be very reasonable.
Surely due to incompetence rather than hacker friendliness though?
replyOtherwise they would have had something like an unlockable bootloader where you need a special key to unlock it, or something difficult to access switch or something like that.