Tilting Against Repair Law, NHTSA Endorses Security Through Obscurity

Nov 02, 2023

“Security through obscurity” - the notion that keeping the workings of technology a secret is a means of protecting it from attacks - was abandoned long ago by cybersecurity professionals and the broader information security industry. As history has shown us: secrecy isn’t the same as security, and doesn’t stand up well against adversaries who are clever, resourceful and determined.

Just don’t tell the National Highway Traffic Safety Administration (NHTSA), which came down strongly in favor of the concept in a letter to 22 automakers last week. The letter, dated June 13, took aim at a Massachusetts law that provides vehicle owners with control of, and access to, their car’s telematics data. NHTSA said that the law could facilitate cyber attacks and “allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking.” It went on to tell automakers that telematics cyber risks constitute a vehicle safety risk and run afoul of the National Traffic and Motor Vehicle Safety Act (Safety Act), a law dating to the mid-1960s, and all but ordered them to keep their vehicle telematics systems closed.

“Given the serious safety risks posed by the Data Access Law, taking action to open remote access to vehicles’ telematics units in accordance with that law, which requires communication pathways to vehicle control systems, would conflict with your obligations under the Safety Act,” NHTSA wrote.

But in endorsing automakers’ security through obscurity, NHTSA overlooked both its own cyber best practices and recent reports that suggest that automakers’ telematics systems are rife with exploitable security flaws and vulnerabilities.

Massachusetts’ vehicle telematics right to repair law is written to make it easier and less expensive for vehicle owners to repair their cars by promoting competition within the automotive repair market. Three years ago, the ballot measure spawned a rancorous, months-long campaign that saw automakers running millions of dollars of television advertising warning Massachusetts residents, without evidence, that access to vehicle repair information would give criminals and stalkers access to their homes and vehicles. Industry scare tactics didn’t work: the ballot measure passed with more than three quarters of voters supporting it in November 2020.

But that wasn’t the end. Its passage spurred a lawsuit that same month by an auto industry lobbying group. That suit, Alliance for Automotive Innovation vs. Campbell, has languished in the courtroom of Federal Judge Douglas Woodlock for more than two years, with no decision in sight. On June 1, Massachusetts’ newly elected Attorney General, Andrea Joy Campbell, began enforcing the law in the absence of a court ruling for or against it. The NHTSA letter, two weeks later, threw a monkey wrench into the state’s enforcement.

There’s just one problem: Massachusetts’ automobile right to repair law doesn’t do any of the things that NHTSA’s letter says it does. As written and passed by Massachusetts voters, the law simply says that manufacturers of vehicles sold in Massachusetts that use a telematics system are required to equip such vehicles with “an inter-operable, standardized and open access platform across all of the manufacturer's makes and models.” Security isn’t an afterthought. In fact, the law specifies that “such a platform shall be capable of securely communicating all mechanical data emanating directly from the motor vehicle via direct data connection to the platform.”

That’s it. The word “open” appears just once in the 2020 update to the Data Access Law and it is used in the context of “non-proprietary,” not “unsecured.” What the law does do is take automakers out of the role of gatekeepers that can decide who gets access to vehicle telematics data. Instead, it asserts that individuals can access and share the telematics data produced by their vehicle as they see fit, including with third-party, independent repair professionals.

That’s all in keeping with a 2013 Massachusetts auto right to repair law which mandated a standards-based system for accessing telematics data needed for repair. The passage of that law saw automakers comply and use the standard On-Board Diagnostic (OBD) port in vehicles to convey vehicle performance and diagnostic data via a wired connection. The 2020 update to the auto right to repair law also made a fix to the earlier auto right to repair law, mandating that firewalls put over the OBD port in an effort to circumvent the 2013 law must be administered by an entity unaffiliated with the manufacturers.

NHTSA’s letter sparked an angry response from Massachusetts’ two senators, Elizabeth Warren and Ed Markey. In a letter dated June 16, 2023, the two senators accused NHTSA of “circumventing the legal process, contradicting a judicial order, undermining Massachusetts voters, harming competition and hurting consumers.” The letters, sent two weeks after Massachusetts’ Attorney General began enforcing the law, “caused unnecessary confusion by raising this novel view” of the law.

The conflicts in NHTSA’s position are easy to see. The agency’s letter to automakers cites its own “Cybersecurity Best Practices” document (PDF) which warns that “unauthorized wireless access to vehicle computing resources could scale rapidly to multiple vehicles without appropriate controls.” But those standards also call on automakers to “consider the serviceability of vehicle components and systems by individuals and third parties” and “provide strong vehicle cybersecurity protections that do not unduly restrict access by alternative third-party repair services authorized by the vehicle owner.”

“Cybersecurity should not become a reason to justify limiting serviceability. Similarly, serviceability should not limit strong cybersecurity controls,” the best practices document states.

Judging by NHTSA’s letter, however, the agency has had a re-think. According to the latest missive, automakers can manage cyber threats to vehicles only by limiting access to vehicle telematics, and leaving automakers in control of who can access those systems and how. By keeping telematics systems proprietary and closed, NHTSA suggests, automakers can limit attacks on them.

There are a couple of reasons why that thinking is (deeply) flawed. For one thing, it puts a lot of trust in OEM telematics software and systems that have been shown to be riddled with security holes. In recent years, security researchers have demonstrated numerous methods for accessing and manipulating telematics software to gain physical control over vehicles.

For example, at the Car Hacking Village at the annual DEF CON hacking conference last August, researchers Mohammed Shine and Ayyappan Rajesh separately demonstrated flaws in mobile telematics applications made by Honda, including a remotely exploitable flaw that could enable attackers to remotely start or shut off a vehicle, pop the trunk, lock and unlock the car’s doors, and more. Circumventing the security features built into Honda Connect was “easy,” Shine said.

Then, in January, the security researcher Sam Curry and a team of collaborators published a report, “Web Hackers Vs. The Auto Industry,” that documented a long list of additional security flaws in telematics software used by multiple automakers. Curry and his fellow researchers gained access to “hundreds of mission-critical internal applications” and “internal vehicle APIs” (application programming interfaces) used by Mercedes-Benz. At Spireon, a GPS provider for vehicles, the researchers claimed to have obtained “full administrator access to a company-wide administration panel with ability to send arbitrary commands to an estimated 15.5 million vehicles (including) flash/update device firmware on vehicles.” They also claimed to be able to carry out a remote code execution (RCE) attack on “core systems for managing user accounts, devices, and fleets,” and the ability to “fully take over any fleet,” including police department and first responder fleets that rely on Spireon’s services.

More recently, Toyota said an audit of its cloud-connected vehicle telematics systems revealed that the company had exposed the data of more than two million customers to the internet due to a “misconfiguration of its connected cloud service.” The data included vehicle owners’ registered email addresses; vehicle-unique chassis and navigation terminal numbers; the location of vehicles and what time they were there; and videos from the vehicle’s “drive recorder,” which records footage from the car.

The automakers eventually issued fixes and software patches for the discovered flaws. However, many of the automakers’ and suppliers’ security measures “felt a few years behind,” Curry told me in an interview at the time. “They have very complicated threat models and huge attack surfaces, so it wasn’t surprising to us to have found (the flaws).” In other words: more vulnerabilities are almost certainly waiting to be discovered.

Consider: the flaws uncovered by Curry and other researchers are actual examples of the kind of safety risks that NHTSA is claiming may hypothetically be possible as a result of the Massachusetts law being enforced.

Using the standard floated by NHTSA in its letter to automakers, it would seem that modern telematics systems already deployed on vehicles are likely to violate the terms of the Safety Act and should be recalled by automakers to address the kinds of cybersecurity flaws recently uncovered.

So NHTSA is on that, right? Apparently not. The agency’s letter last week made no mention of Curry’s research or recent, glaring cybersecurity failings of automakers. Similarly, a review of ongoing NHTSA safety investigations shows no record of any active inquiries into the telematics flaws Curry, Shine, Rajesh and others disclosed. (NHTSA did not respond to a request for comment or an interview.)

In fact, while NHTSA has published voluminous documentation related to vehicle cybersecurity, enforcement of cybersecurity best practices remains an afterthought.

What’s the fix here (pun intended)? First, NHTSA should rescind its warning to automakers regarding the Massachusetts right to repair law. The agency’s tortured reading of the language of the law is a clear sop to the automotive industry that is fighting it, and raises serious and important questions about NHTSA’s independence from the very firms it is tasked with regulating.

Second, NHTSA should end its eight-year hiatus from policing software risks in vehicle systems and undertake a thorough and widespread assessment of both deployed and planned telematics software from major automakers and suppliers such as Sirius XM, Spireon and others, while engaging the help and expert advice of independent security researchers like Curry and others who have shone a light on lax security and development practices related to telematics systems.

Rather than simply responding to reports of flaws, NHTSA should get in the business of identifying and working to resolve as-yet undisclosed telematics weaknesses and exposures that could give cybercriminals or nation-state actors the ability to launch attacks on U.S. automobiles, trucks and other transportation infrastructure.

Finally: the agency should engage constructively with parties on both sides to forge a path forward that supports both modern, connected features and independent and owner repair and servicing of vehicles. Giving a nod to the “right to repair” while endorsing the notion that smart, connected features justify OEM monopolies on access to telematics software is a position that won’t stand up to scrutiny or the demands of vehicle owners. NHTSA should see the writing on the wall and adjust its position accordingly.

Clarification: an earlier version of this article misstated an aspect of the expanded automotive right to repair law that voters passed in 2020. The article has been updated to indicate that the law gives individuals access to, and the ability to share, the telematics data produced by their vehicle. It also clarifies that the reference to access being provided by an entity unaffiliated with auto manufacturers applied to access to data transmitted via the vehicle’s physical OBD port.
