Red Flags for Repair in Proposed Auto Cyber Guidelines
Draft guidance from the U.S. auto safety regulator contains red flags for repair advocates. Also: remembering Repair Revolution author John Wackman.
Automobiles are on the front line of the fight to repair in the United States, but draft vehicle cyber security guidelines from the U.S. National Highway Traffic Safety Administration (NHTSA) raise red flags for repair advocates and could run afoul of state-level laws granting owners and independent repair shops access to wireless data needed for vehicle repair and maintenance.
The draft Cybersecurity Best Practices for the Safety of Modern Vehicles were published January 21st. NHTSA is seeking comments from the public on the best practices. The 60-day comment period ends on March 12th, 2021. (You can submit comments here.)
The document is a proposed update to non-binding guidelines NHTSA released in 2016. NHTSA released a draft update to those guidelines in 2020. With the latest request for comments (RFC), NHTSA is proposing more changes to the 2020 draft based on “knowledge gained through prior comments, continued research, motor vehicle cybersecurity issues discovered by researchers, and related industry activities over the past four years.”
Lock Down or Lock Out?
First, let me say that I reached out to NHTSA with some questions about these new guidelines and their impact on repair and got a fairly terse response that the agency “will not be able to accommodate an interview at this time.” Okay then! Just keep in mind that what follows is my reading of the new guidelines. I didn’t have anyone from NHTSA on the line to clarify the questions that their language raises.
Second: there are certainly things to like in the new guidelines (more on that later). But there are also some glaring red flags for repair, notably in language in the draft guidelines pertaining to third party access to vehicle systems. For example, new language in the guidelines for Technical Vehicle Cybersecurity Best Practices (T.8) addresses access to vehicle systems by diagnostic tools. It recommends that “vehicle and diagnostic tool manufacturers should control tools’ access to vehicle systems that can perform diagnostic operations and reprogramming by providing for appropriate authentication and access control.” That recommendation “responds to research demonstrating the ability to leverage diagnostic tools to reverse engineer and implement vulnerabilities in vehicle systems,” the guidelines explain.
If adopted, that kind of language would give more cover to automakers who are challenging the country’s only automobile right to repair law in Massachusetts. Voters there recently and overwhelmingly approved a ballot measure to expand the state’s 2013 auto right to repair law to cover maintenance and repair information sent over the wireless telematics systems that are now standard in late-model vehicles. But automakers immediately filed a lawsuit in federal court challenging that measure and claiming that it contradicts federal vehicle safety laws. One pillar of the automakers’ case is a July letter sent by NHTSA to Massachusetts lawmakers raising concerns about the impact of the ballot measure, Question 1.
“It is our view that the terms of the ballot initiative would prohibit manufacturers from complying with both existing Federal guidance and cybersecurity hygiene best practices,” reads the letter, signed by NHTSA Deputy Administrator James Owens. “NHTSA is also concerned about the increased safety-related cybersecurity risks of a requirement for remote, real-time, bi-directional (i.e., read/write capability) access to safety-critical vehicular systems.”
As it works its way through the courts, it seems clear that the automakers’ case will hinge on whether they can prove that the Massachusetts law impinges on Federal law. That will mean proving that the Federal government actually has cyber security standards to run afoul of. As this article notes, in a recent hearing in which Massachusetts Attorney General Maura Healey sought to dismiss the case, Assistant Attorney General Robert Toone Jr. was quoted as saying of the automakers’ case: “The problem is that no existing federal motor vehicle safety standard covers cybersecurity.”
The new language in the NHTSA guidelines seems to reinforce the automakers’ position: it clarifies that NHTSA recommends that control of access to vehicle systems for diagnostic purposes should reside with auto manufacturers, and it gives them the responsibility for “providing for appropriate authentication and access control.”
That guidance would also work against the spirit and letter of laws like Massachusetts’ 2013 auto right to repair act. According to the language of that law, beginning with the 2018 model year, “manufacturers of motor vehicles sold in the commonwealth…shall provide access to their onboard diagnostic and repair information system… (and) shall provide access to the same onboard diagnostic and repair information available to their dealers, including technical updates to such onboard systems, through such non-proprietary interfaces as referenced in this paragraph.”
In short: which is it? Are automakers compelled to provide access to owners and their agents (like independent repair shops) per the Massachusetts law, or is it up to automakers to decide who gets access, based on their assessment of the cyber risk of giving access to a particular party, per the Federal standard?
If it is the latter, we can pretty much predict what will happen: auto manufacturers will hew to the line they took in opposing both the 2013 auto right to repair bill and the 2020 expansion of it: arguing that only their authorized dealers and repair professionals are trustworthy. They will argue that expanding access to a population of millions of vehicle owners and independent repair shops like AutoZone, AAA and Roy’s Garage presents too much uncertainty and (cyber) risk and seek to limit access to diagnostic systems on their vehicles.
Questions on Updates
The other area of possible concern in the proposed cybersecurity guidelines is in regard to over-the-air software updates. In the 21st century, vehicles are mostly run by software. That means applying vendor software updates, periodically, is critical to proper maintenance of the car. The question for vehicle owners is: who gets to do that? Does the auto manufacturer have sole control over that, or might local repair shops or owners themselves be able to apply software updates? Clearly, with vehicles like Tesla - which does not operate dealerships - the software updates are pushed directly from the automaker to the vehicle. For other makes, owners may need to bring their vehicle into the dealership to receive an update. Ideally: access to software updates would be democratized, with vehicle owners free to update the software on their vehicle in their driveway and at their convenience, or free to bring their car to a local garage to receive its update.
It is not clear that NHTSA agrees, however. The draft guidance released in 2020 included a section on software updates (T.21) that recommends that auto manufacturers “employ state-of-the-art techniques for limiting the ability to modify firmware to authorized and appropriately authenticated parties.” The latest update goes further, proposing another section (T.22) that recommends automakers “Maintain the integrity of OTA updates, update servers, the transmission mechanism and the updating process in general.”
Together, those two sections seem to lay the groundwork for greater manufacturer control over software updates. The “devil is in the details,” as the saying goes. Who counts as an “authorized” party? And what does NHTSA mean by “modifying firmware”? Is merely applying an update of vehicle firmware a “modification,” or are they referring to actually tinkering with the firmware itself - something akin to “jailbreaking” in the smartphone world? In theory, both should be possible (again: the vehicle is the owner’s property to do with as she wishes - including running her own software on it). Reasonable people could disagree on that, but is NHTSA actually implying that only OEMs should be able to apply software updates to cars? If so, that’s a blow to independent repair and a boon to car dealerships and authorized repair over independent repair. It would also seem to run contrary to laws like Massachusetts’ that specifically prohibit proprietary interfaces for maintenance that lock out independent repair and owners.
Likable Enough
As I said at the beginning, the proposed NHTSA automobile cybersecurity guidelines aren’t all bad and - in fact - there is plenty to like about them. First, they carry over language from the 2016 guidelines that specifically encourages automakers to maintain serviceability. Vehicle cybersecurity protections should not “unduly restrict access by alternative third-party repair services authorized by the vehicle owner,” according to the guidelines. So that’s good.
Also, the proposed changes that are out for comment now include specific language encouraging automakers to evaluate all software for known vulnerabilities and to have a plan for addressing (that is: patching) newly discovered vulnerabilities in vehicles. Importantly, the new guidelines urge automakers to maintain and track all the software used in a vehicle so that new vulnerabilities in discrete software components like open source libraries don’t go unnoticed.
There’s specific language instructing automakers to think about man-in-the-middle attacks, protocol vulnerabilities and the like. That - and the extensive footnotes - suggests the folks at NHTSA have done their homework on state-of-the-art vehicle hacks and have learned their lessons.
If it’s not too much trouble…
Of course, one of the big problems is that the NHTSA guidance is purely voluntary and non-binding. That means that automakers are free to adopt it - or not. And they’re free to pick and choose from NHTSA’s recommendations. Practically, that may mean that the toothiest recommendations here (and the most expensive to implement) get left on the factory floor, while recommendations that are easier to implement - or that are perceived to strengthen the automakers’ market position - are embraced.
And that’s the concern I have regarding repair. The new guidelines would seem to give lots of cover to the auto industry as it seeks to constrain third-party and owner access to in-vehicle systems for maintenance, repair and other purposes. At the same time, as a voluntary framework, it doesn’t hold anyone’s feet to the fire to implement the meatier changes that might really improve the cybersecurity of new vehicles.
And then there’s the issue of the tens of millions of Internet connected vehicles that have already been sold and are driving around on our roads — all while NHTSA was busy writing up its voluntary guidelines.
As independent security researchers have shown, those cars - like the 2015 Jeep Cherokee hacked by Charlie Miller and Chris Valasek - are engineered in ways that would seem to open the door to remote, software-based attacks on critical safety systems.
While I’m sure automakers have introduced new security features since then, it’s not clear to me that the underlying architecture of late-model vehicles has changed so as to preclude some latter-day Miller and Valasek from repeating their feat. To the best of my knowledge, nobody is saying it has. The end result of these new guidelines, then, may be maximum consumer pain (a manufacturer monopoly on aftermarket parts, repair and service) for minimum cyber security and safety gain. That’s not an outcome anyone should feel good about.