Getty Images
In 2020, voters in Massachusetts chose to extend that state’s automotive “right to repair” law to include telematics and connected car services. But this week the National Highway Traffic Safety Administration told automakers that some of the law’s requirements create a real safety problem and that they should be ignored, since federal law preempts state law when the two conflict.
Almost all new cars in 2023 contain embedded modems and offer some form of telematics or connected car services. And the ballot language that passed in Massachusetts requires “manufacturers that sell vehicles with telematics systems in Massachusetts to equip them with a standardized open data platform beginning with model year 2022 that vehicle owners and independent repair facilities may access to retrieve mechanical data and run diagnostics through a mobile-based application.”
At this point, some of our more security-minded readers might need to have a lie down because, yes, that language does essentially mean there would be no proper security controls preventing someone from remotely connecting into a car.
There have been attempts by state lawmakers, the auto industry, and NHTSA to tweak the law to create a more reasonable timeline for implementation, but to no avail.
Now, according to Reuters, NHTSA has written to automakers to advise them not to comply with the Massachusetts law. Among its problems are the fact that someone “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently,” and that “open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.”
Faced with this dilemma, it’s quite possible the automakers will respond by simply disabling telematics and connected services for customers in the state. Subaru already took that step when it introduced its model year 2022 vehicles, and NHTSA says other OEMs may do the same.
A federal right to repair law?
Meanwhile, a bipartisan automotive right to repair law is working its way through Congress. Called the REPAIR Act, it would “provide to a vehicle’s owner certain direct, real-time, in-vehicle data generated by the operation of the vehicle that is related to diagnostics, repair, service, wear, and calibration or recalibration of parts and systems of the vehicle.”
This bill does acknowledge the cybersecurity risks; if passed it would require NHTSA to develop data access standards for connected vehicles.