Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Transportation

Feds Tell Automakers Not To Comply With Massachusetts 'Right To Repair' Law (arstechnica.com) 89

An anonymous reader quotes a report from Ars Technica: In 2020, voters in Massachusetts chose to extend that state's automotive "right to repair" law to include telematics and connected car services. But this week, the National Highway Traffic Safety Administration told automakers that some of the law's requirements create a real safety problem and that they should be ignored since federal law preempts state law when the two conflict. Almost all new cars in 2023 contain embedded modems and offer some form of telematics or connected car services. And the ballot language that passed in Massachusetts requires "manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application."

There have been attempts by state lawmakers, the auto industry, and NHTSA to tweak the law to create a more reasonable timeline for implementation, but to no avail. Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone "could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently," and that "open access to vehicle manufacturers' telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking." Faced with this dilemma, it's quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same.

This discussion has been archived. No new comments can be posted.

Feds Tell Automakers Not To Comply With Massachusetts 'Right To Repair' Law

Comments Filter:
  • NHTSA (Score:5, Insightful)

    by Areyoukiddingme ( 1289470 ) on Wednesday June 14, 2023 @05:12PM (#63603344)

    Among its problems are the fact that someone "could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently," and that "open access to vehicle manufacturers' telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking."

    Really. So you're saying we're one determined decoding away from mass chaos on the highways? That vehicles today already remotely accept commands to operate dangerously, if only you know the correct encoding?

    I call bullshit. How gullible is NHTSA? Or a better question, how much did it cost to make them sound that gullible?

    • Re:NHTSA (Score:5, Interesting)

      by ArmoredDragon ( 3450605 ) on Wednesday June 14, 2023 @05:20PM (#63603372)

      It's reasonable in the security through obscurity sense, which itself is a valid means of having security, but definitely shouldn't be the only part of the security, rather just be another layer of it. Hyundai and Kia found that out the hard way (and some tech companies with a bad case of NIH syndrome, like Apple, keep finding out the hard way.) If such a thing can even happen to begin with, then I think it would be prudent for the NHTSA to crack down on it, regardless of whether it ends up being opened.

      Personally, I'd be just fine if I could opt out of telematics and connected car services. I neither need nor want as its primary purpose is surveillance.

      • Re:NHTSA (Score:5, Insightful)

        by cayenne8 ( 626475 ) on Wednesday June 14, 2023 @05:27PM (#63603398) Homepage Journal

        Personally, I'd be just fine if I could opt out of telematics and connected car services. I neither need nor want as its primary purpose is surveillance.

        Let me add my voice to you on this.

        I do not want nor need my vehicle sending information about me to a factory, or, presumably, eventually to any govt. entity that wants it.

        Please, just make my vehicle simpler for ME to operate and maintain.

        I do not want nor need tracking devices, or worse monitoring and reporting where I am or how I drive.

        And YES...I should be able to know exactly what is there and be able to disable it as I wish, in a vehicle I purchased and now, presumably own.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Disconnect the LTE antenna. Simple as that.

        • Are you planning on cutting the RFID tag out of all your auto tires or vulcanize your own rubber?

          • Are you planning on cutting the RFID tag out of all your auto tires or vulcanize your own rubber?

            Do you really think they're the same? RFID tags are passive, they don't contact the mothership by themselves. They can only be read when you happen to be in the proximity of a reader and don't broadcast their status permanently. They provide only a simple identifier - basically no more useful than the car's license plate itself - and not the rich set of status and historical data on-line cars send to their manufacturers and to who knows who else.

            In other words, your question is a non-sequitur.

          • Just how far do you think RFID travels?

          • Are you planning on cutting the RFID tag out of all your auto tires or vulcanize your own rubber?

            You're one of those guys who puts his passport in the microwave with the idea of preventing the government from tracking you, aren't you?

            Well that's not going to do you any favors. RFID and NFC, assuming you can even successfully power them from far away at all without frying everything in between in the process, output far too weak of a signal to be read from any meaningful distance, let alone a satellite in orbit or anything like that, which is physically impossible.

            Those little Faraday sleeves that peopl

            • by Shaitan ( 22585 )

              Actually with the right equipment you can scrape data from them from several feet away.

              You certainly aren't going to just track people GPS style in the world but you could for example track people at scale they pass through turnstills, hallways, doorways, approach counters and go through other choke points. With a pervasive enough network of such points you could reasonably track peoples movement throughout a city and some buildings especially airports and public buildings.

              • IF it's unobstructed, AND the device is designed for it, you can go up to 8 meters. Though for a credit card sized device? Probably not. I think the furthest somebody got with it is half a meter or so. Even so, your own body, and some kinds of clothing, are more than enough to block that. But even if we assume perfect conditions for it, I don't think you'd need a Faraday sleeve, rather I think having two NFC cards within close proximity would sufficiently interfere with each other's signaling at about half

                • by Shaitan ( 22585 )

                  Not everyone carries around a cell phone. I certainly don't and even if I do have my phone I leave it in the car or at some stationary point for the most part rather than carrying it on me.

                  Half a meter is enough to hit the center of a hallway from the wall. But most of what you are saying is true for making a reliable contact... you need that to engineer a proper application but not for tracking. Rather lots of momentary opportunistic contacts is all that is needed and sketchy unreliable and inconsistent co

        • by NFN_NLN ( 633283 )

          >I do not want nor need my vehicle sending information about me to a factory, or, presumably, eventually to any govt. entity that wants it.

          What does this have to do with right to repair?

          The auto manufacturer will get access regardless. This is about whether you ALSO get access as a consumer.

          • by Shaitan ( 22585 )

            Because as the consumer you should have the access required to TURN OFF or limit the access of the manufacturer. Presumably part of the motivation here is simply preventing people from realizing the access which is there.

        • After experiencing the over-automation in my wife's new car, I've decided the next time I spend $25k+ on a vehicle I'll restore/repair something older.

          I guess I'm a curmudgeon, but I recently got a "fishing truck" ('93 Ranger) with no automatic anything and other than the lack of AC (i'm in Florida, it gets important) I'm happier driving it than my wife's 2022 CX-30. Total cost on truck so far is $2100 for truck, fixing clutch (it went out after I put 5k on it and taught 2 people how to drive stick), and t

        • by 0xG ( 712423 )

          Otonomo is the firm that collects and markets your telematics (including gps). There are competitors who do the same thing, it's an entire industry.

      • Personally, I'd be just fine if I could opt out of telematics and connected car services. I neither need nor want as its primary purpose is surveillance.

        I wonder if the transceiver for those use a separate antenna that one could, say, put a Faraday cage around (or disconnect, but that might log an error somewhere) ...

      • Security through obscurity is not reasonable, especially when you are talking about safety issues with cars. That means if a state actor with resources say Russia goes to the effort of breaking the security they can cause a large portion of the cars on the road to crash all at once.

        The only obscurity that should be allowed is obscuring the private keys, having every software engineer at a company being able kill millions of people because they can read the code really is not OK.

        I agree with opting out of te

        • Security through obscurity is not reasonable, especially when you are talking about safety issues with cars.

          It's perfectly reasonable, but as I said, only when combined with other security measures. When you're an attacker, the very first thing you need to do before you can do anything at all is surveillance. For example, how are you going to exploit hardware if you have no idea how it even works? When you're starting, you have no idea what CPU architecture it is, no idea what software stack it runs, and in this case, no idea how the protocol works. You need to do surveillance to find that out. This is a lot easi

          • by Shaitan ( 22585 )

            "It's perfectly reasonable, but as I said, only when combined with other security measures. When you're an attacker, the very first thing you need to do before you can do anything at all is surveillance. For example, how are you going to exploit hardware if you have no idea how it even works? When you're starting, you have no idea what CPU architecture it is, no idea what software stack it runs, and in this case, no idea how the protocol works. You need to do surveillance to find that out. This is a lot eas

            • There is more than enough historical data to settle this debate.

              Indeed, and if you knew anything at all about security, you'd know just how wrong you are about this.

              Transparency results in more fence testing and patching, drastically reducing the vulnerabilities in a system and increasing the complexity of those which remain. Obscurity does raise the bar for initial penetration but once someone takes the time to penetrate the fog there are far more points of vulnerability to find of greater severity and increased ease of exploit.

              I'll tell you what, go get a complete topology of the network for whoever you work for, along with device names, IPs, routing protocols, software versions of all connected devices, etc, and publish it to reddit, slashdot, and facebook along with the company's name. When your boss asks why you did that, kindly explain to him that you guys don't need to rely on outside parties being unfamiliar with your intern

              • by Shaitan ( 22585 )

                "Indeed, and if you knew anything at all about security, you'd know just how wrong you are about this."

                I suppose I could have missed something in the few decades I've been doing this for a living.

                "I'll tell you what, go get a complete topology of the network for whoever you work for, along with device names, IPs, routing protocols, software versions of all connected devices, etc, and publish it to reddit, slashdot, and facebook along with the company's name. When your boss asks why you did that, kindly expl

                • I suppose I could have missed something in the few decades I've been doing this for a living.

                  Apparently. Good security is always layered. You never rely on just one layer. I don't know how you could have been doing this that long and have missed that basic concept. But here you are.

                  Not a chance but we all know that is BECAUSE our employers have been depending on obscurity and as a consequence are not secure, not because it is a bad idea.

                  Again, they don't depend only on obscurity. What is so hard to understand about that?

                  Who said they wouldn't try to exploit it? If revealing that information provides them with something to exploit, you weren't secure in the first place. If you rely on obscurity for your security you become vulnerable to internal parties who have access to this information. If my company needs to fear me publishing those details then they aren't secure FROM me, who has those details.

                  Dude...this is true of ANY secret. Passwords, private keys, you name it. Obscurity is another secret, and like all other secrets its only useful until it is known by the attacker. Nonetheless, there remains a period of time that this sec

      • by sjames ( 1099 )

        It's only reasonable if you control all access to the device being secured. That's kinda hard when you sell the device in a consumer market.

        Of course, they COULD just make all of the data available over the diagnostic port only.

      • Security through obscurity is only ever valid if the number of installations remains small. The moment a piece of software goes big and is everywhere, relying on obscurity for security is retarded.

        • Security through obscurity is only ever valid if the number of installations remains small. The moment a piece of software goes big and is everywhere, relying on obscurity for security is retarded.

          It's perfectly valid even in large installations. Nobody ever said to rely solely on that. Again, it's all about layering.

          As an attacker, you require knowledge of your target before you can even do anything to it. If you can deny knowledge to the enemy, you can deny them the ability to attack you at all. To give an analogy, your argument would be like saying that Ukraine may as well broadcast their troop movements over the internet, because they shouldn't rely on denying knowledge to the attacker, particula

      • which itself is a valid means of having security

        Literally every security-focused person with any sense says otherwise.

        "Security through obscurity is no security at all."

      • by r0nc0 ( 566295 )
        It's reasonable in the security through obscurity sense, which itself is a valid means of having security, but definitely shouldn't be the only part of the security, rather just be another layer of it. No, a thousand times no. I hear this BS all the time from people who really should know better. Security through obscurity is not security and it is NOT another layer of "belt and suspenders" - it's just easy cruft that sounds good.
    • by NFN_NLN ( 633283 )

      > I call bullshit.

      Proper summary here from Rossman --> https://www.youtube.com/watch?... [youtube.com]

    • Really. So you're saying we're one determined decoding away from mass chaos on the highways?

      They are so close to understanding one of the many issues with all this tech bullshit in vehicles. Sort of like this guy [imgur.com] being oh so close to understanding.

    • Re:NHTSA (Score:5, Insightful)

      by Marful ( 861873 ) on Wednesday June 14, 2023 @06:27PM (#63603578)
      This is the main argument most of the corporate shills use to justify denial of right-to-repair.

      Their main argument is that we will kill ourselves if we have unfettered access to our own property. And it is only through their bravery in denying us access to repair our own property, that society doesn't come to a crashing halt with bodies heaped upon bodies.

      I recall watching a hearing on Louis Rossman's channel of such a corporate shill arguing this on the topic of replacing broken smart phone screens.
    • by Shaitan ( 22585 )

      This

    • by AmiMoJo ( 196126 )

      Tesla has had remote driving of the car for years. You can use your phone to drive the car at low speeds.

  • Build a consortium and share the source code. It's called "opening up". More eyes might highlight flaws but then they do get brought down to a threshold.
  • by MpVpRb ( 1423381 ) on Wednesday June 14, 2023 @05:19PM (#63603366)

    is no security

    • is no security

      It is an element of security. The fact that it's an element that is easily leaked or reverse engineered doesn't make it "no security". It just makes it less effective than other means of security.

      After all, what is encryption in its most basic form other than a means of automated obscurity known only to the parties in question. What is protection of your private key if not a task in obscuring something in the name of security.

    • Ok, post your passwords then.

  • Or they saw it coming and decided to ignore it?
    • by vbdasc ( 146051 )

      What problem? Judging by what Subaru did, according to the article, this seems to be a clear win for Boston and its citizens.

  • by Gravis Zero ( 934156 ) on Wednesday June 14, 2023 @05:20PM (#63603370)

    "open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking."

    If you can remotely send commands simply by understanding how the system works then your system is fundamentally flawed.

  • by localroger ( 258128 ) on Wednesday June 14, 2023 @05:24PM (#63603386) Homepage
    Federal laws trump state laws, but I don't think Federal agency rules made up by unelected bureaucrats trump state laws. What will probably happen, as another poster already suggested, is that automakers will simply disable telematics on vehicles sold in MA. Which would be fine with me, were I buying such a car. I would consider that a feature, not a bug. As for the other right to repair provisions, such as making the diagnostic systems available to everybody, it's a long stretch to even think this logic would affect those requirements.
    • by PJ6 ( 1151747 )

      Federal laws trump state laws, but I don't think Federal agency rules made up by unelected bureaucrats trump state laws.

      That is exactly how it works.

    • by jonadab ( 583620 )
      > automakers will simply disable telematics on vehicles sold in MA.
      > Which would be fine with me, were I buying such a car. I would
      > consider that a feature, not a bug

      Even if you wanted the telematics, Massachussetts is small enough
      that you could easily just cross the border and buy a car in another
      state, if you were so inclined. Even if you live in the very middle of
      the state, you're close enough to other states that it's normal for a
      lot of people to commute farther than that to work every day.
  • I think this is a case where a standardized API across brands is needed. Create a working group with representation across all manufacturers to define the standards, limitations, and safety concerns. If each brand keeps operating in a silo, they're all more likely to create the same mistakes independently, whereas if they worked together, they can identify issues and fix them at one time.

    To me this is similar to Ford abandoning the idea to do away with CarPlay and Android Auto. They admitted that the con

    • I think this is a case where a standardized API across brands is needed. Create a working group with representation across all manufacturers to define the standards, limitations, and safety concerns.

      Great idea, and by 2060 they'd come up with a standard that makes RS-232 look like the Holy Grail of standards that ensured very RS-232 device way 100% compatible with every other device using it. Then, of course, they'd release a new version, USB-Car, later with a whole new implementation.

    • by Luthair ( 847766 )
      Its actually Chevy smelling their own farts with infotainment.
    • by jonadab ( 583620 )
      Obligatory xkcd:
      https://xkcd.com/927/
  • The easiest way to keep people from taking control of the car and messing with steering and braking is to not have these items controllable remotely. Is there really any reason that we need cars that can be driven remotely? We aren't all James Bond after all.

    • by lsllll ( 830002 )
      That is going to be impossible with self-driving/self-correcting cars that need to be connected to the internet.
    • by jsonn ( 792303 )
      Having a diagnostic/repair mode where you can control steering or braking e.g. from under the car is actually quite useful. But it should certainly require explicitly putting the car into that mode from within the car...
  • by blacklint ( 985235 ) on Wednesday June 14, 2023 @06:08PM (#63603528)

    Obviously no one wanted or expected manufacturers to expose safety critical functions over the internet. Looking at this summary the "run diagnostics" in "may access to retrieve mechanical data and run diagnostics through a mobile-based application" might have been a mistake, but the NHTSA could have stated that only read-only access was allowed.

    When I voted for the bill I expected manafacturers to make some horrible JSON or XML dump of the diagnostic data. Instead they seem to have convinced the NHTSA that the bill would require the CAN bus to be exposed to the internet.

    Which makes me wonder how existing telematics are implemented, and glad I never had a Starlink subscription. (Subaru's Starlink, not that I want Musk's either.)

  • If nothing else, open source is transparent.

    You (auto manufacturers) have nothing to fear if you have nothing to hide.

    The NHTSA piping up in this way looks suspicious. It makes me think some entity with money to throw around has something to hide.
  • In that case ... (Score:5, Informative)

    by PPH ( 736903 ) on Wednesday June 14, 2023 @06:52PM (#63603642)

    ... it would seem that NHTSA needs to ban all modes of self-driving vehicles. Open data platforms notwithstanding, vehicle telematics have already been cracked. Specifically, the proprietary ones. So it appears that if the risk of such attacks are enough of a problem to hold up the Massachusetts law, then all instances of telematics co-located with autonomous functions need to be banned.

  • by jonwil ( 467024 ) on Wednesday June 14, 2023 @11:03PM (#63604112)

    If parts, repair instructions, tools, diagnostic hardware & software, service bulletins or anything else are available to dealer service departments or authorised repair shops, those same things need to be available to anyone (including individuals wishing to work on their own vehicles)

    The perfect example of why this is needed is the guy on YouTube fixing a purple Porsche who had to fly to the UK to buy certain parts because Porsche USA and it's dealers will only sell those parts to authorised repairers. Right to repair should mean that manufacturers like Porsche would be required to sell those parts to independent repair shops (and individuals fixing their own cars).

  • by larryjoe ( 135075 ) on Thursday June 15, 2023 @12:20AM (#63604218)

    The NHTSA is saying that open access to vehicle manufacturers' telematics offerings would be an unacceptable security vulnerability and therefore must remain obscure. Security via obscurity doesn't work as a general principle, but it's especially problematic in a world where many people (such as workers in the authorized repair centers) already have that information.

  • The potential problems they point out are likely. But, I'm not sure what Federal law the Mass. law is contradicting. NHTSA policy is not the same thing as Federal Law, an abuse of which we're seeing with many Federal agency policies these days.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...