Feds Tell Automakers Not To Comply With Massachusetts 'Right To Repair' Law (arstechnica.com) 89
An anonymous reader quotes a report from Ars Technica: In 2020, voters in Massachusetts chose to extend that state's automotive "right to repair" law to include telematics and connected car services. But this week, the National Highway Traffic Safety Administration told automakers that some of the law's requirements create a real safety problem and that they should be ignored since federal law preempts state law when the two conflict. Almost all new cars in 2023 contain embedded modems and offer some form of telematics or connected car services. And the ballot language that passed in Massachusetts requires "manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application."
There have been attempts by state lawmakers, the auto industry, and NHTSA to tweak the law to create a more reasonable timeline for implementation, but to no avail. Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone "could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently," and that "open access to vehicle manufacturers' telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking." Faced with this dilemma, it's quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same.
There have been attempts by state lawmakers, the auto industry, and NHTSA to tweak the law to create a more reasonable timeline for implementation, but to no avail. Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone "could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently," and that "open access to vehicle manufacturers' telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking." Faced with this dilemma, it's quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same.
NHTSA (Score:5, Insightful)
Among its problems are the fact that someone "could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently," and that "open access to vehicle manufacturers' telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking."
Really. So you're saying we're one determined decoding away from mass chaos on the highways? That vehicles today already remotely accept commands to operate dangerously, if only you know the correct encoding?
I call bullshit. How gullible is NHTSA? Or a better question, how much did it cost to make them sound that gullible?
Re:NHTSA (Score:5, Interesting)
It's reasonable in the security through obscurity sense, which itself is a valid means of having security, but definitely shouldn't be the only part of the security, rather just be another layer of it. Hyundai and Kia found that out the hard way (and some tech companies with a bad case of NIH syndrome, like Apple, keep finding out the hard way.) If such a thing can even happen to begin with, then I think it would be prudent for the NHTSA to crack down on it, regardless of whether it ends up being opened.
Personally, I'd be just fine if I could opt out of telematics and connected car services. I neither need nor want as its primary purpose is surveillance.
Re:NHTSA (Score:5, Insightful)
Let me add my voice to you on this.
I do not want nor need my vehicle sending information about me to a factory, or, presumably, eventually to any govt. entity that wants it.
Please, just make my vehicle simpler for ME to operate and maintain.
I do not want nor need tracking devices, or worse monitoring and reporting where I am or how I drive.
And YES...I should be able to know exactly what is there and be able to disable it as I wish, in a vehicle I purchased and now, presumably own.
Re: (Score:2, Informative)
Disconnect the LTE antenna. Simple as that.
Re: (Score:1)
Are you planning on cutting the RFID tag out of all your auto tires or vulcanize your own rubber?
Re: (Score:2)
Are you planning on cutting the RFID tag out of all your auto tires or vulcanize your own rubber?
Do you really think they're the same? RFID tags are passive, they don't contact the mothership by themselves. They can only be read when you happen to be in the proximity of a reader and don't broadcast their status permanently. They provide only a simple identifier - basically no more useful than the car's license plate itself - and not the rich set of status and historical data on-line cars send to their manufacturers and to who knows who else.
In other words, your question is a non-sequitur.
Re: (Score:2)
Just how far do you think RFID travels?
Re: (Score:1)
Quite far with UHF antennas, as used by readers on highway ramps: https://tagmaster.com/newslett... [tagmaster.com]
Re: (Score:1)
I heard bluetooth broadcast from head units are also used (mac address as identifier).
Re: (Score:2)
Are you planning on cutting the RFID tag out of all your auto tires or vulcanize your own rubber?
You're one of those guys who puts his passport in the microwave with the idea of preventing the government from tracking you, aren't you?
Well that's not going to do you any favors. RFID and NFC, assuming you can even successfully power them from far away at all without frying everything in between in the process, output far too weak of a signal to be read from any meaningful distance, let alone a satellite in orbit or anything like that, which is physically impossible.
Those little Faraday sleeves that peopl
Re: (Score:2)
Actually with the right equipment you can scrape data from them from several feet away.
You certainly aren't going to just track people GPS style in the world but you could for example track people at scale they pass through turnstills, hallways, doorways, approach counters and go through other choke points. With a pervasive enough network of such points you could reasonably track peoples movement throughout a city and some buildings especially airports and public buildings.
Re: (Score:2)
IF it's unobstructed, AND the device is designed for it, you can go up to 8 meters. Though for a credit card sized device? Probably not. I think the furthest somebody got with it is half a meter or so. Even so, your own body, and some kinds of clothing, are more than enough to block that. But even if we assume perfect conditions for it, I don't think you'd need a Faraday sleeve, rather I think having two NFC cards within close proximity would sufficiently interfere with each other's signaling at about half
Re: (Score:2)
Not everyone carries around a cell phone. I certainly don't and even if I do have my phone I leave it in the car or at some stationary point for the most part rather than carrying it on me.
Half a meter is enough to hit the center of a hallway from the wall. But most of what you are saying is true for making a reliable contact... you need that to engineer a proper application but not for tracking. Rather lots of momentary opportunistic contacts is all that is needed and sketchy unreliable and inconsistent co
Re: (Score:2)
>I do not want nor need my vehicle sending information about me to a factory, or, presumably, eventually to any govt. entity that wants it.
What does this have to do with right to repair?
The auto manufacturer will get access regardless. This is about whether you ALSO get access as a consumer.
Re: (Score:2)
Because as the consumer you should have the access required to TURN OFF or limit the access of the manufacturer. Presumably part of the motivation here is simply preventing people from realizing the access which is there.
Re: (Score:2)
After experiencing the over-automation in my wife's new car, I've decided the next time I spend $25k+ on a vehicle I'll restore/repair something older.
I guess I'm a curmudgeon, but I recently got a "fishing truck" ('93 Ranger) with no automatic anything and other than the lack of AC (i'm in Florida, it gets important) I'm happier driving it than my wife's 2022 CX-30. Total cost on truck so far is $2100 for truck, fixing clutch (it went out after I put 5k on it and taught 2 people how to drive stick), and t
Re: (Score:1)
Otonomo is the firm that collects and markets your telematics (including gps). There are competitors who do the same thing, it's an entire industry.
Re: (Score:2)
Personally, I'd be just fine if I could opt out of telematics and connected car services. I neither need nor want as its primary purpose is surveillance.
I wonder if the transceiver for those use a separate antenna that one could, say, put a Faraday cage around (or disconnect, but that might log an error somewhere) ...
Re: (Score:2)
Security through obscurity is not reasonable, especially when you are talking about safety issues with cars. That means if a state actor with resources say Russia goes to the effort of breaking the security they can cause a large portion of the cars on the road to crash all at once.
The only obscurity that should be allowed is obscuring the private keys, having every software engineer at a company being able kill millions of people because they can read the code really is not OK.
I agree with opting out of te
Re: (Score:3)
Security through obscurity is not reasonable, especially when you are talking about safety issues with cars.
It's perfectly reasonable, but as I said, only when combined with other security measures. When you're an attacker, the very first thing you need to do before you can do anything at all is surveillance. For example, how are you going to exploit hardware if you have no idea how it even works? When you're starting, you have no idea what CPU architecture it is, no idea what software stack it runs, and in this case, no idea how the protocol works. You need to do surveillance to find that out. This is a lot easi
Re: (Score:2)
"It's perfectly reasonable, but as I said, only when combined with other security measures. When you're an attacker, the very first thing you need to do before you can do anything at all is surveillance. For example, how are you going to exploit hardware if you have no idea how it even works? When you're starting, you have no idea what CPU architecture it is, no idea what software stack it runs, and in this case, no idea how the protocol works. You need to do surveillance to find that out. This is a lot eas
Re: (Score:2)
There is more than enough historical data to settle this debate.
Indeed, and if you knew anything at all about security, you'd know just how wrong you are about this.
Transparency results in more fence testing and patching, drastically reducing the vulnerabilities in a system and increasing the complexity of those which remain. Obscurity does raise the bar for initial penetration but once someone takes the time to penetrate the fog there are far more points of vulnerability to find of greater severity and increased ease of exploit.
I'll tell you what, go get a complete topology of the network for whoever you work for, along with device names, IPs, routing protocols, software versions of all connected devices, etc, and publish it to reddit, slashdot, and facebook along with the company's name. When your boss asks why you did that, kindly explain to him that you guys don't need to rely on outside parties being unfamiliar with your intern
Re: (Score:2)
"Indeed, and if you knew anything at all about security, you'd know just how wrong you are about this."
I suppose I could have missed something in the few decades I've been doing this for a living.
"I'll tell you what, go get a complete topology of the network for whoever you work for, along with device names, IPs, routing protocols, software versions of all connected devices, etc, and publish it to reddit, slashdot, and facebook along with the company's name. When your boss asks why you did that, kindly expl
Re: (Score:2)
I suppose I could have missed something in the few decades I've been doing this for a living.
Apparently. Good security is always layered. You never rely on just one layer. I don't know how you could have been doing this that long and have missed that basic concept. But here you are.
Not a chance but we all know that is BECAUSE our employers have been depending on obscurity and as a consequence are not secure, not because it is a bad idea.
Again, they don't depend only on obscurity. What is so hard to understand about that?
Who said they wouldn't try to exploit it? If revealing that information provides them with something to exploit, you weren't secure in the first place. If you rely on obscurity for your security you become vulnerable to internal parties who have access to this information. If my company needs to fear me publishing those details then they aren't secure FROM me, who has those details.
Dude...this is true of ANY secret. Passwords, private keys, you name it. Obscurity is another secret, and like all other secrets its only useful until it is known by the attacker. Nonetheless, there remains a period of time that this sec
Re: (Score:2)
It's only reasonable if you control all access to the device being secured. That's kinda hard when you sell the device in a consumer market.
Of course, they COULD just make all of the data available over the diagnostic port only.
Re: (Score:2)
It really depends on how the information can be used.
Re: (Score:2)
Security through obscurity is only ever valid if the number of installations remains small. The moment a piece of software goes big and is everywhere, relying on obscurity for security is retarded.
Re: (Score:2)
Security through obscurity is only ever valid if the number of installations remains small. The moment a piece of software goes big and is everywhere, relying on obscurity for security is retarded.
It's perfectly valid even in large installations. Nobody ever said to rely solely on that. Again, it's all about layering.
As an attacker, you require knowledge of your target before you can even do anything to it. If you can deny knowledge to the enemy, you can deny them the ability to attack you at all. To give an analogy, your argument would be like saying that Ukraine may as well broadcast their troop movements over the internet, because they shouldn't rely on denying knowledge to the attacker, particula
Re: (Score:2)
Already addressed this earlier dude...
Re: NHTSA (Score:2)
and that's what I argued against, it's not a valid means of security, nor is it a valid piece of security because it's not security. Since you don't understand, let me try to explain it more thoroughly.
No, you don't understand. Like everybody else who has inserted their two cents here, you're assuming that I was speaking about the entire security model, despite that I very clearly said otherwise.
Re: NHTSA (Score:2)
And, as I said, you're wrong. Besides, you've already pretty well shown that you're talking out of your ass here. I mean who the fuck would even compare NAT to a firewall with SSH. That's a stupid comparison to begin with, but you did it anyways.
And as for your very poorly contrived rot13+aes analogy, a much better comparison would be something akin to using steganography to embed an aes encrypted file into a grainy png photo with additional dithering applied.
Anyways, I'm done here unless you want to untick
Re: (Score:3)
which itself is a valid means of having security
Literally every security-focused person with any sense says otherwise.
"Security through obscurity is no security at all."
Re: (Score:1)
Re: (Score:2)
> I call bullshit.
Proper summary here from Rossman --> https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Really. So you're saying we're one determined decoding away from mass chaos on the highways?
They are so close to understanding one of the many issues with all this tech bullshit in vehicles. Sort of like this guy [imgur.com] being oh so close to understanding.
Re:NHTSA (Score:5, Insightful)
Their main argument is that we will kill ourselves if we have unfettered access to our own property. And it is only through their bravery in denying us access to repair our own property, that society doesn't come to a crashing halt with bodies heaped upon bodies.
I recall watching a hearing on Louis Rossman's channel of such a corporate shill arguing this on the topic of replacing broken smart phone screens.
Re: (Score:2)
This
Re: (Score:2)
Tesla has had remote driving of the car for years. You can use your phone to drive the car at low speeds.
Re: (Score:2)
Wait a minute.
What "federal law" are they quoting the preempts the Mass. law???
It sounds here like the NHTSA is trying to "write law" themselves and the SCOTUS has already slapped the hands of the executive branch trying overreach.
Hopefully this gets slapped down too.
Re: (Score:2)
No part of your government is "directly answerable to "the people" and that is by design.
Re: (Score:1)
Making rules governing highway safety is literally NHTSA's mandate. Creating and Enforcing Federal Motor Vehicle Safety Standards is (again, literally) their job.
These exec agencies are NOT supposed to make law
Their job is literally to make and enforce hjghway safety-related regulations. You literally have not the faintest clue what you are talking about. Again.
Re: (Score:2)
> Feds trying to break the law
Proper summary here from Rossman --> https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
The clickbait title is a nice touch Biden administration DESTROYS right to repair in the most corrupt way possible
Re: (Score:2)
All those MAGA idiots spouting nonsense about how Trump should take up right to repair as policy because it would be popular.
It's like they think he gives a shit about them.
Bullshit. (Score:1)
Security by obscurity (Score:4, Insightful)
is no security
Re: (Score:3)
is no security
It is an element of security. The fact that it's an element that is easily leaked or reverse engineered doesn't make it "no security". It just makes it less effective than other means of security.
After all, what is encryption in its most basic form other than a means of automated obscurity known only to the parties in question. What is protection of your private key if not a task in obscuring something in the name of security.
Re: (Score:3)
Ok, post your passwords then.
No-one in Boston saw this problem coming? (Score:2)
Re: (Score:2)
What problem? Judging by what Subaru did, according to the article, this seems to be a clear win for Boston and its citizens.
Sounds like a serious design flaw. (Score:5, Insightful)
"open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking."
If you can remotely send commands simply by understanding how the system works then your system is fundamentally flawed.
Re: Sounds like a serious design flaw. (Score:1)
Re: (Score:2)
Re: (Score:2)
"Federal law pre-empts state law."
The Tenth Amendment to the Constitution forbids the federal government from exercising any power not specifically granted it by the Constitution.
Meanwhile, the Ninth Amendment recognizes that states have every power they are not specifically denied in the Constitution.
These two amendments interlock to create a separation of powers between state and federal governments. The academic term is known as federalism.
Logically, state and federal law can never conflict because their powers are separate. The interstate commerce myth was wrapped up for good when the Supreme Court unanimously ruled it doesn't apply just because similar things happen in two states.
Interstate Commerce Clause.
Re:The Constitution Governs (Score:5, Informative)
This Massachusetts law applies to cars sold only in Massachusetts, similar to how California is regulating vehicles sold in its state. As for the commerce clause, the current SCOTUS is primed to overturn Wickard v. Filburn [wikipedia.org]
Massachusetts could also say to automakers, sell what you like. Good luck passing our registration and inspection requirements.
Re: (Score:2)
Oh now that's fucking funny, you think they're going to actually reverse Wickard when they have yet to reverse Slaughterhouse and have instead invented entirely out of whole cloth substantive due process to explain away the idiocy of not doing so so they could piecemeal allow the BoR to apply to the States?
Re: (Score:2)
Re: (Score:2)
Also, any car in Massachusetts for more than 30 days cumulatively in a year is required to be registered in Massachusetts. Even if you only come for 2-3 days per month and don't live here.
So good luck with that, lazy, greedy, lying automakers, and incompetent NHTSA shills.
PS: If I can contr
Re: (Score:2)
So which federal LAW would be relevant here? The NHTSA is not a law making body...
I don't think this works the way NHTSA thinks (Score:5, Interesting)
Re: (Score:2)
Federal laws trump state laws, but I don't think Federal agency rules made up by unelected bureaucrats trump state laws.
That is exactly how it works.
Re: (Score:1)
> Which would be fine with me, were I buying such a car. I would
> consider that a feature, not a bug
Even if you wanted the telematics, Massachussetts is small enough
that you could easily just cross the border and buy a car in another
state, if you were so inclined. Even if you live in the very middle of
the state, you're close enough to other states that it's normal for a
lot of people to commute farther than that to work every day.
Create an open standard (Score:2)
I think this is a case where a standardized API across brands is needed. Create a working group with representation across all manufacturers to define the standards, limitations, and safety concerns. If each brand keeps operating in a silo, they're all more likely to create the same mistakes independently, whereas if they worked together, they can identify issues and fix them at one time.
To me this is similar to Ford abandoning the idea to do away with CarPlay and Android Auto. They admitted that the con
Re: (Score:2)
I think this is a case where a standardized API across brands is needed. Create a working group with representation across all manufacturers to define the standards, limitations, and safety concerns.
Great idea, and by 2060 they'd come up with a standard that makes RS-232 look like the Holy Grail of standards that ensured very RS-232 device way 100% compatible with every other device using it. Then, of course, they'd release a new version, USB-Car, later with a whole new implementation.
Re: (Score:2)
Re: (Score:1)
https://xkcd.com/927/
Easiest way to keep people from taking control... (Score:2)
The easiest way to keep people from taking control of the car and messing with steering and braking is to not have these items controllable remotely. Is there really any reason that we need cars that can be driven remotely? We aren't all James Bond after all.
Re: (Score:2)
Re: (Score:2)
Fear mongering to avoid a read-only API? (Score:3)
Obviously no one wanted or expected manufacturers to expose safety critical functions over the internet. Looking at this summary the "run diagnostics" in "may access to retrieve mechanical data and run diagnostics through a mobile-based application" might have been a mistake, but the NHTSA could have stated that only read-only access was allowed.
When I voted for the bill I expected manafacturers to make some horrible JSON or XML dump of the diagnostic data. Instead they seem to have convinced the NHTSA that the bill would require the CAN bus to be exposed to the internet.
Which makes me wonder how existing telematics are implemented, and glad I never had a Starlink subscription. (Subaru's Starlink, not that I want Musk's either.)
Re: (Score:2)
I'm sure someone has said this already... (Score:1)
You (auto manufacturers) have nothing to fear if you have nothing to hide.
The NHTSA piping up in this way looks suspicious. It makes me think some entity with money to throw around has something to hide.
In that case ... (Score:5, Informative)
Right to repair should be simple... (Score:5, Insightful)
If parts, repair instructions, tools, diagnostic hardware & software, service bulletins or anything else are available to dealer service departments or authorised repair shops, those same things need to be available to anyone (including individuals wishing to work on their own vehicles)
The perfect example of why this is needed is the guy on YouTube fixing a purple Porsche who had to fly to the UK to buy certain parts because Porsche USA and it's dealers will only sell those parts to authorised repairers. Right to repair should mean that manufacturers like Porsche would be required to sell those parts to independent repair shops (and individuals fixing their own cars).
Security via legally enforced obscurity (Score:5, Insightful)
The NHTSA is saying that open access to vehicle manufacturers' telematics offerings would be an unacceptable security vulnerability and therefore must remain obscure. Security via obscurity doesn't work as a general principle, but it's especially problematic in a world where many people (such as workers in the authorized repair centers) already have that information.
Don't exactly disagree with the NHTSA... (Score:2)
The potential problems they point out are likely. But, I'm not sure what Federal law the Mass. law is contradicting. NHTSA policy is not the same thing as Federal Law, an abuse of which we're seeing with many Federal agency policies these days.