
Under this model, if you buy a used car, how can you be sure it doesn't have keys that are controlled by someone else? You can follow the "factory-reset" procedure, but how do you know the reset mechanism hasn't been tampered with?


They can design it so that the firmware is in two parts.

The first part does minimal initialization and then gives control to the second part, which is where most of the functionality is.

The first part is also the part responsible for implementing the firmware update protocol and the reset procedure. The first part would either not allow any update to replace the first part, or it would only allow the first part to be replaced with factory-signed firmware.

Alternatively (or in addition) they could have a diagnostic connector that lets external hardware read the firmware memory. You could then do the factory reset on your used car, and then hook something up to that diagnostic connector and have it compute a hash of the firmware that you can check to make sure it is the right firmware. An Arduino should be sufficient as the thing to read and hash the firmware.
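A small model of the two-part design above (added example, not code from the thread): the first part owns the update path and accepts a replacement of itself only when it is factory-signed, while the second part stays rewritable and is checked externally by hashing a dump of the firmware against a published reference hash, as the diagnostic-connector or SD-card checks describe. The firmware images, the factory key and the HMAC stand-in for a factory signature are assumptions for this example.

```python
import hashlib
import hmac

# Constructed sample images standing in for the two firmware parts.
STAGE1_IMAGE = b"stage1: minimal init, update protocol, factory reset"
STAGE2_IMAGE = b"stage2: application firmware v1"

# Stand-in for the factory's signing capability (an assumption for this
# example): a real design would use an asymmetric signature, with the device
# holding only the factory public key. HMAC is used because it is in the stdlib.
FACTORY_KEY = b"hypothetical-factory-signing-key"


def factory_sign(image: bytes) -> bytes:
    return hmac.new(FACTORY_KEY, image, hashlib.sha256).digest()


class Stage1:
    """Immutable first part: it alone implements update and reset."""

    def __init__(self) -> None:
        self.stage1 = STAGE1_IMAGE  # ROM in real hardware
        self.stage2 = STAGE2_IMAGE  # rewritable region

    def apply_update(self, region: str, image: bytes, signature: bytes) -> bool:
        if region == "stage1":
            # The first part is replaced only by factory-signed firmware.
            if not hmac.compare_digest(factory_sign(image), signature):
                return False
            self.stage1 = image
            return True
        if region == "stage2":
            # Second part is owner-updatable; the hash check below catches tampering.
            self.stage2 = image
            return True
        return False

    def factory_reset(self) -> None:
        self.stage2 = STAGE2_IMAGE  # restore the known-good second part

    def dump(self) -> bytes:
        # What an external reader on the diagnostic connector would see.
        return self.stage1 + self.stage2


# Published reference hash of the factory image (computed here from the sample).
REFERENCE_SHA256 = hashlib.sha256(STAGE1_IMAGE + STAGE2_IMAGE).hexdigest()


def verify_dump(dump: bytes, expected_sha256: str) -> bool:
    """External check: hash the dumped firmware and compare to the reference."""
    return hmac.compare_digest(hashlib.sha256(dump).hexdigest(), expected_sha256)
```

The external check only tells you the dump matches the reference; it relies on the reader, not the car, doing the hashing, which is the point of the diagnostic-connector suggestion.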


I think the best solution would be your first one, but have the second part be stored on removable media, like an SD card. Make it physically impossible to write changes to anything but the SD card (e.g. use actual ROMs for the first part, and use volatile RAM for temporary storage of the code loaded from the SD card).

Then, if you want to be sure that the firmware isn't hacked, simply remove the SD card, put it in a computer, and verify the contents. If paranoid, overwrite the SD card with the official firmware. If extremely paranoid, throw away the SD card, buy a new one, and write the official firmware to it.


The second approach is likely preferable - with the first approach, FOSS Stalwarts will still complain that there's non-free software in the system.


They could still open source the first system's firmware code. FOSS doesn't imply easily modifiable, does it?

E.g., rms says he used a Lemote Yeeloong because of its free BIOS, but AFAIK he couldn't have reprogrammed it unless he removed the BIOS chip from the motherboard.


Similarly, when you buy a used car, how can you be sure the previous owner didn't copy the key (you know, the thing that lets you open the door and drive away) and still has it? That's not a new question.

Similarly, you move into a new apartment and the super gives you the key (to the door, not a cryptographic one). You installed a new lock, right?


In newer cars, keys are unique and registered to the car individually. My Audi has a list of all keys registered, and I can have the dealer unregister any I've lost.


Any details on how this process works?

Cursory searching reveals the procedure for manually adding blank keyfobs to Audis, but what you describe above seems... a fairly technically complex system to take on faith. (Given the article we're talking about)


Technically: not a clue.

Modern keys are complex things. Gone are the days where you can have a piece of metal re-cut for $5 at Home Depot. A replacement key for modern cars is an expensive proposition: they have to be custom-ordered from the factory (with proof of identity and insurance) then programmed by your dealer. Replacement keys for modern Audis/BMWs/Mercedes run $300-400 all-in. (Remember that scene from Gone in 60 Seconds? And that was 15 years ago. And also a movie.)

You can buy blanks, sure, but without programming, it's nothing more than a hunk of metal.

Is it somehow possible to "clone" a key? Never underestimate hackers, but it ain't easy. Per Brian-Puccio's use-case, unless the previous owner is presenting auto exploits at DefCon, you don't have to worry about someone having a copy of a key you don't know about. (And if they've lost it, you can go to the dealer and have it un-registered.)

Aside: Google around for articles on new car theft: you'll find that no thieves are copying keys or hot wiring or anything like that. In fact, the "new thing" is to get a signal amplifier that allows a car's keyless entry/start system to "find" a key that's sitting 100 feet away inside someone's house or office, then just drive away.


One correction: MMI doesn't list all the registered keys, but it does track them (e.g., you just see the total number registered). I know that dealers can un-register, and I know they're unique.

http://pixady.com/image/6ds


Neat! Thanks for the additional details. The part I was curious about was the dealership being involved in the process. In other words, who is authoritative: if the car queries the manufacturer for authorization, or if the dealership is updating the car.

Both with pros and cons, ofc.


This is a good question.

I see at least two ways to implement that, but I certainly don't see how practical they are, if implemented at scale:

1) Every component has unmodifiable update logic that supports just that: factory reset for itself, and propagating it to the subcomponents.

This is still where we can say "the owner does not own the car", but in this case it could be treated as a part of hardware (that could not be modified either), rather than "user-space" firmware.

2) Allow easy reinstallation of the critical electronics components, which can be bought from the manufacturer. I don't quite like this "hard" way, but it's a possibility.


The firmware must be able to create and sign a document with the signatures of the keys written inside, so that the car's owner can check the result (the car's maker would publish its public keys).

If the hardware the firmware runs on is tamper-resistant, you can pretty much be sure that it's unmodified. If the attacker can modify tamper-resistant hardware, I don't think that the car is your first concern.


I would assume in this perfect scenario that the factory reset lives in some ROM somewhere that nobody, not even the manufacturer can touch post-release.


This is a straw man. How do you know someone didn't copy the physical key to the used car? I think most people don't care.


There's a subtle difference. With the physical key you can't do anything remotely, with a copy of the proposed crypto key you can.

Remote control over your brakes/steering is a pretty scary scenario. Someone having your physical keys mostly means they can steal your car.


This is a strange thing to worry about: the former owner of your used car planning to murder you? I'm perfectly fine with the answer that, as with most technology, it's nearly impossible to prove your car computer hasn't been backdoored.


How about the former owner of your used car taking control of it to drive it to the next potential buyer, eliminating you in the process.


Buy and install a new ECU. Same as buying a used laptop...

