129 comments

[ 3.4 ms ] story [ 198 ms ] thread
This is a predictable consequence of federal regulators being beholden to industry.
Has that been a problem for NHTSA? I honestly don't know.
Watch the episode of PBS’s Frontline that dropped last week about the danger of trucks on US roadways because of the lack of underride prevention devices. They interview several former officials at NHTSA who talk about the agency being under a chokehold of regulatory capture.
Thanks for the reference. I knew about the under-ride story, but I wasn't aware of the regulatory-capture part.
Odd. I used to work there, and the subject matter here isn't really their wheelhouse. That would be Federal Motor Carrier Safety Administrative (FMCSA). They are the ones PBS should have interviewed.
It's a little weird right now, because Biden issued an executive order in 2021 backing existing right-to-repair rules. And last year he doubled down, making public statements in favor of enforcement. https://www.extremetech.com/extreme/330906-biden-formally-ba... The NHTSA is part of the administration, but it's also unlikely they totally went rogue here. Not sure what's up.
It took everything I had not to roll my eyes.
> They warned complying with the Data Access Law would require an automaker "to remove essential cybersecurity protections from their vehicles." The group declined to comment Tuesday on NHTSA's letter.

> "Vehicle manufacturers appear to recognize that vehicles with the open remote access telematics required by the Data Access Law would contain a safety defect," NHTSA said in its letter to General Motors, Tesla, Ford, Toyota, Rivian, Volkswagen and others.

I guess they’re just taking it at the manufacturers’ word that there’s just no way to implement this feature securely.

”We've tried nothing and we are all out of ideas!”

removing telematics is of course unthinkable.
Most of us are in software and so are well aware how hard making things work againt future attacks are. Either there is no remote connection at all, or security is hard. Given that I trust Ford more than random mechanic, even if the majority if mechanics are more honest than Ford, there is at least one bad actor mechanic who will abuse telematics to do something ththey shouldn't.
If a random mechanic can screw with remote access to your car, it should not be there at a first place. Like Windows 98 login prompt with "Cancel" to login anyway.
The pre-NT login prompts weren't for authenticating with _your_ computer, they were for authenticating with network services. The fact that they kept a casual intruder out was just a bonus.
The obvious answer to me is to have no remote connection.
the full potential of opening current telematics systems is devastating. the collection of data is an issue of itself, the problem of allowing malign operational parameters to be pushed remotely from [someone] is one i dont want, and i would turn it off, given a switch.

what would be good is to assure such mods were benign, and be able to tweak steering, and breaking, based on current performance, and location, be it steep winding mountain pass, or desert straightways. this should have some local override to a safe default.

(comment deleted)
How would they sell you that subscription for heated seats, if there would be no connection to begin with!
i think this is a valid point regarding monetizing vehicles. data can be used to profile usage, and personalise ads, according to location, usage, and seated occupants.

an insurance contract could work with highly granular , per-risk billing based on usage data, maybe even pushing a change in performance if your driving is too risky for too long.

But because it will be likely you who will be paying for the internet connection, it is like buying a rope for your enemy to hang you with it.
> I guess they’re just taking it at the manufacturers’ word that there’s just no way to implement this feature securely

I think it is more that manufacturers say, and NHTSA agrees, that there is no way to securely comply with the state law quick enough to do so by the time the law goes into effect. At least that's what I recall from another article on this.

Was just buying a new Toyota thats supposed to be delivered in about a month and was thinking about how to hit them with the "So about that new law..."
Do we have a copy of the letter?

If this is based on law, the NHTSA doesn't have a choice. It has to enforce federal law, and federal law trumps state law. If it is based on a rule, the NHTSA has discretion and something screwy is going on.

Massachusetts could probably double down and say “no car can be registered in the state of Massachusetts not in compliance with right-to-repair by 202X”.

Then, even with federal preemption, the auto manufacturers would be forced to comply.

It sounds like that would become a game of chicken.

For it to work, I'm guessing that additional states would need to join Massachusetts.

Unfortunately, as we've seen with New York, that would probably be opposed by significant back-room sleaze.

https://www.bostonglobe.com/2023/06/15/business/subaru-buyer...

“ Subaru and another automaker, Kia, have been especially aggressive in resisting the law. While other companies are counting on a long-running federal lawsuit to overturn the statute, Kia and Subaru opted to shut off the features in their vehicles that are covered by the law.”

So in massechutses my car doesn't send any telemetry to the manufactorer or random dealerships, and can't receive remote signals to start, stop brake or turn on its own? Sounds like a pretty good win. Also rich hearing about security concerns coming from Kia at the moment.
> say “no car can be registered in the state of Massachusetts not in compliance with right-to-repair by 202X"

I'm not familiar with Massachusetts politics. It's a game of chicken between Boston and the NHTSA (or Congress), not the automakers--they have to comply with the law.

But the claim is that the federal law preempts the state one, which would be true if it's impossible comply with both at once. But you could comply with both at once by not selling cars in Massachusetts, couldn't you?

At which point people are going to notice, and ask why, and when they learn the answer is that the NHTSA is captured by automakers, maybe the NHTSA would like to avoid this hit to their reputation more than the commonwealth of Massachusetts would like to avoid looking like it's standing up to Big Auto.

> you could comply with both at once by not selling cars in Massachusetts

Massachussetts would be banning the registration of new cars. Manufacturers wouldn't have a choice because they can't comply with the Massachussetts law. Maybe consumers who don't want to register their cars will still buy, I don't know.

It's a high-stakes gamble at pressuring the NHTSA. There are likely better ways to do that than shutting down the state's car business.

> Maybe consumers who don't want to register their cars will still buy, I don't know.

You know perfectly well that hardly anybody is going to do that.

> There are likely better ways to do that than shutting down the state's car business.

Like what? You have to do something that gets people to notice enough to put pressure on the captured regulators.

> Like what?

Get the state's Congressional delegation to introduce a law that would explicitly protect state right to repair laws, taking it out of the regulators hands, moving the debate about cybersecurity claims vs right-to-repair to a different and more visible venue.

Obviously, the State gov can't compel that, but if the right-to-repair rule is sufficiently popular with the state electorate, it should be easy to convince the State's representatives in Congress to push on the matter.

> Obviously, the State gov can't compel that, but if the right-to-repair rule is sufficiently popular with the state electorate, it should be easy to convince the State's representatives in Congress to push on the matter.

Something can be popular (in the sense that a significant majority are in favor) without having enough interest or organization behind it to cause federal representatives to care. Moreover, Massachusetts is about 2% of the federal legislature. Even if their citizens and representatives care about it a lot, they may not have the votes to do anything at the federal level.

Whereas if they refuse to be cowed, it costs the automakers something. Maybe they'd like to be able to sell cars more than they'd like to be able to lock third party mechanics out of them, and stop pressuring federal regulators to keep doing what causes them to be prohibited from it.

> You know perfectly well that hardly anybody is going to do that

Which is why I said "Massachussetts would be banning the registration of new cars."

> Like what?

In the short term, their AG can sue under the Administrative Procedure Act. SCOTUS is re-working Chevron, and this case might thread the needle.

In the medium term, they could angle for DoT intervention. This would probably require coordination between their Senators and other like-minded states'. In the long term, the Congress must pass legislation that, if not granting a right to repair, at least explicitly enables it.

In summary, someone has to commit to making this one of the half dozen or so things one gets to do in office. I'm unconvinced Massachussetts voters would reward that.

Assuming A. Federal law takes precedent and B. Federal law indeed requires car manufacturers to keep some things secret, then it seems like they would have to stop selling cars in Massachusetts.
My understanding was that they can still sell cars without collecting all that data, and still satisfy both.

You know, all that data they were hoping to make money on.

No, as long as federal law (including valid regulations ubder federal law) says no, they would be prohibited from complying and Massachusetts would have effectively banned cars from being registered.
I'm sure we could still register are cars we just couldn't leave the commonwealth in our cars.
> I'm sure we could still register are cars

Not if manufacturers are federally prohibited from complying with the requirements of your registration conditions; there won’t be anything qualified for you to register.

I think it is a more of interstate commerce issue. We buy the cars make them legal to operate in the Commonwealth of Massachusetts and never use them outside the Commonwealth.
Wickard v. Fillburn (1942) says that's not how the Interstate Commerce power works.
Tell that to the cannabis is laws.
> Tell that to the cannabis is laws.

I would, but the US Supreme Court in Gonzalez v. Raich, 545 U.S. 1 (2005) already did; the current state of nonenforcement of federal prohibition agaimst state-authorized use isn't from a Constitutional limit due to the interstate commerce clause, but from a federal law adopted by Congress, specifically, an appropriations rider adopted in each spending bill since 2014 prohibiting DoJ from spending funds to enforce federal marijuana laws against certain acts whetr authorized by state law.

Great, thank you for the roadmap.

That is a pretty convoluted process to do not enforce a law.

Forced to not sell cars. Unless Massachusetts tries to play a game of "cars do not need to be certified under the FMVSS to be registered".
The response from the NHTSA highlights an interesting mismatch...

> The NHTSA said a malicious actor "could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently."

Yet, the Mass law is looking for...

> allow independent repair shops to access diagnostic data that newer cars can send directly to dealers and manufacturers to allow consumers to seek repairs outside dealerships.

It sounds like the same access to get data on the vehicles also allows control. For auto companies to comply with both laws could be possible but that it would require more fine grained access controls.

Or, am I missing something?

I'd guess that to get enough access to repair the vehicle you might have to be able to send certain commands to turn off alerts or update part information. Now that would probably only be a problem if the current set up for most car manufactures is a binary is dealer then be able to do anything setup.
But wouldn't that be trivially solved by only allowing such inputs via a physical interface (like say the physical OBD-II port) instead of Bluetooth or whatever they are using? Or if a physical socket is undesirable, at least a physical switch you have to use to allow such access?
Yes. That's why everyone is calling it regulatory capture.

Right now they have a system where automakers granted themselves a dangerous and unreasonable level of remote access to cars that aren't theirs. Now they're claiming that it would be dangerous and unreasonable for third parties to have that level of remote access to cars that aren't theirs.

No kidding.

But you could easily have a system where a remote access server has to be authorized by the owner, e.g. by having to press a button inside the car while the key is present. And could be revoked by the owner in the same way. Then the car could be repaired by anyone... who is inside the car and has the key. Which is not only completely reasonable, it's more reasonable than the thing they're doing now.

The buttons and keyswitch may be connected to the same CAN network which is the source of the vulnerability.
Modern cars have electronic keys that can use cryptography. You can't forge a digital signature by hotwiring the car.
Isn't that pretty much what immobilizer bypass modules have done for years?
Those are for cars with physical keys. In cars where the key switch is only telling the computer "is key present: [y/n]" they put a message on the bus that answers yes and the car starts. But if you're going to use the need for security as a defense then you don't start by designing your car like that.

Some car manufacturers have also attempted to use encryption and implemented it so poorly that it was easily cracked.

There is no technical reason that a car key can't effectively be a yubikey. The computer issues a challenge to the key, answering the challenge requires a secret stored in the key, so you need the key. It works as long as the encryption isn't broken.

And if "car can be remotely controlled" and the encryption is broken then that's a much bigger problem than anything your local mechanic is doing.

> The computer issues a challenge to the key, answering the challenge requires a secret stored in the key, so you need the key.

This is how most modern “smart key” systems work.

There are devices that plug into the obd2 and then allow remote access. I’ve heard of them being used by stalkers.
(comment deleted)
In my view, all they really need is to allow read-only data display through the OBD2, or via an authenticated web portal assuming the manufacturer has the data already. If you remove the wireless part of it (which the law doesn't say you mush access it wirelessly), then the remote operation is a non-issue.

Really seems like a lot of fuss about stuff that has plenty of possible options. I might even call it FUD or a miscommunication it's so sloppy.

Personally, I don't want a car sending data to anyone. I disconnected OnStar in the one vehicle that had it. Pretty simple to remove the bridge between the cell board and the rest of the electronics.

You're assuming Mass is important enough to be worth it. I'd guess it's more likely that Mass is the one that is forced to blink first.
It's a good assumption. Massachusetts is part of the Northeast Megalopolis[0] (part of the reason Acela makes economic sense in this area), and almost 25% of the most populous cities comprising that area are in Massachusetts. I don't think the automakers would be quite so willing to sacrifice all those customers.

[0] https://en.wikipedia.org/wiki/Northeast_megalopolis

(comment deleted)
Posted by another person here in this thread:

https://s3.documentcloud.org/documents/23846284/nhtsa-letter...

The letter only calls out one very specific part of the law around allowing open-access to send commands, which the letter states is an unacceptable security risk and would qualify as a "manufacturer defect", which manufacturers cannot knowingly include in their cars by federal law.

> The open remote access to vehicle telematics effectively required by this law specifically entails “the ability to send commands.” Open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking, as well as equipment required by Federal Motor Vehicle Safety Standards (FMVSS) such as air bags and electronic stability control. A malicious actor here or abroad could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently. Vehicle crashes, injuries, or deaths are foreseeable outcomes of such a situation.

Hopefully, the response to the letter by manufacturers is to say "Okay, we won't include that clear and obvious security flaw, but we will comply with the rest of the Massachusetts law and allow free access to other telematics such that they're available AND secure."

I wouldn't put money on that being their response though.

Thank you. The footnote 6 for why acting "in accordance with that law... would conflict with your obligations under the Safety Act" cites NHTSA recall notices.

It looks like this is at the NHTSA's discretion.

The ability to remotely send commands that spoof the accelerator pedal should probably be considered a safety defect. Not just if Jake's Auto Repair can do it, but if Ford Motor Company can do it.
More to the point, the problem here is if it could be done by someone not authorized by the vehicle's owner, rather than by someone not authorized by Ford Motor Company.

If the vehicle's owner wants to modify their car's code, or pay someone else to do it, there are many legitimate reasons to do that and it's no different than the mechanical modifications that people have been doing since cars were invented.

As the potential buyer of the car used in a few years I want to know if it was ever run non stock, as most modifications trade how long the car will last for more power.
There is no way to know that. Someone could remove the entire computer, put it on a shelf, operate the car with a modified one and put the original back in before they sell it to you.

Moreover, this rule is about remote access, not what someone can do who has direct physical access.

Yup. In fact, I have a vehicle where exactly that happened. Bought a used diesel pickup truck. A year later it wouldn't start: ECU was completely unresponsive and wouldn't even send anything over OBD. Had it towed to the dealership and during their analysis they found an aftermarket torque chip in the ECU and removed it. Truck started right up after that.

If the dealer hadn't mentioned that, I'd never have known. I don't even know if the person we bought it from knew about it since he was the second owner.

Giving the vehicle owner an easy button to crash their car remotely is going to be a liability for the manufacturer when the obvious happens and it's used as murder weapon.
This makes zero sense. It's like saying giving the owner a steering wheel they can use to crash their car into a pedestrian is going to be a liability for the manufacturer when the obvious happens and it's used as a murder weapon.

That's ridiculous. The person who is liable for the murder is the murder, not the car company. It's a transparent excuse because they want to force people to have their car repaired at the dealership. Nobody's buying it.

There is a legitimate use for a steering wheel. The ability to remotely command full throttle on a car is useful for what?
It's a computer. There are many legitimate reasons for the computer to control the throttle, from implementing a top speed governor when the car is in the hands of your children, to tuning the engine for unusual environmental conditions, to interoperating with aftermarket vehicle modifications.

"Remotely" is just how the code gets installed. But installing updates for any of those features over the air is perfectly fine when authorized by the owner of the vehicle.

The ability to command the accelerator pedal is important for many diagnostics tests. Sometimes the car is on a dyno for those tests which makes it impossible for the car to know it isn't on the road.
This access only needs to be physical. There is 0 argument for providing wireless access to the accelerator. Physically plugging into the car for accelerator control or having someone work the pedal are the only methods that make any sense.
The computer can do diagnosis if it can command that pedal. Often better than physical access as the computer can get the exact rpm it wants.
Yes, or if the police can do it. That would also be a defect, IMO. There should be NO control possible of safety critical systems by anyone not in the drivers seat.
I find this interesting, because "Sending commands to <systems>" is how aftermarket self driving works. I'm specifically thinking of George Hotz's venture. It connects up to OBD and can control steering, brakes, and gas if they're drive by wire. I know at least Toyotas allow this, and to a lesser extent Hondas.
> It has to enforce federal law, and federal law trumps state law.

This might be factually correct, but it's not how it works in practice.

The federal government exists at the behest of the states, not the other way around. When states start banding together in direct protest of the federal government, there's two paths forward: one escalates violence and leads to a civil war, the other peaceful strips the federal government of illegitimate power.

This is why the DEA cannot enforce their brain dead cannabis laws in California, and why the ATF cannot enforce their brain dead gun laws in Texas.

> The federal government exists at the behest of the states, not the other way around.

That is very fundamentally not true--it is the reason the US Constitution exists at all in the first place. In the US, it is neither the case that states exist at the behest of the federal government (that would be true in a unitary state, which most US states are, incidentally), nor that the federal government exists at the behest of the states (that would be true in a confederation, as the US was pre-1787). Instead, the US is a federal state, which means that the federal government and the constituent states have their own existences and loci of independent powers, and are in some sense co-equal.

And every time states decided they were going to disagree with the federal government by force, it is not the states who won that argument.

The constitution is ink on paper, it's not some magical document that compels people follow it by merely being in its presence like you seem to think. And clinging to one example from 150 years ago isn't a very convincing. If such a thing happened today the outcome would very clearly be different.

A rag-tag group of untrained goat herders and farmers kicked out the largest military force in the history of the world using basic fighting equipment. This is all despite their invaders having tanks, helicopters, jets, satellite imagery, night vision, body armor, and 10:1 ratio of boots on the ground.

The overwhelming majority of experienced combat veterans have been out of the US military for almost a decade and side themselves more with their state of residence than the federal government. There is an entire generation of Americans that have more combat experience than anyone currently in the armed forces.

Why exactly do you think the federal government is going to do anything again? The deck is stacked against them. It's much better if the federal government peacefully relinquished power and gave it back to the states.

The argument seems to be that anyone that disobeys the US federal government should be killed because it happened 150 years ago, therefore it will happen again the same way today.

No shocker here, car manufacturers typically have been trash at software. They don’t want to open up so they lean on security/their own incompetence to say they couldn’t possibly open up telematics safely.
$TSLA which NHTSA is in bed with (too). Just "tesla nhtsa probes" and look for those that concluded in actionable items, especially any for regulating their deadly FSD.

NTSB OTOH...take their responsibilities more (or at all) serious.

Driving is deadly. FSD makes it less so.
Citation needed, beyond Tesla's misleading attempt to push statistics that compare "a limited subset of driving conditions where conditions are sufficiently optimal that FSD will engage, including but not limited to weather, location, time of day and road condition" against "all drivers in all weather, locations, all times of day and all road conditions".
Wasn't there some sort of aircraft autopilot study that showed something like less actual control time ended up making pilots less skilled in the more dangerous conditions simply due to having fewer hours of actually controlling the aircraft? I wonder if something similar might be the case for FSD, if that study were to ever take place.
Not to mention, they purposefully disengage autopilot right before crashes, so they aren't included in crash statistics.
Crashes are included in the statistics, even if autopilot was disengaged immediately before.
The article is just speculating on how to interpret log files. A forced disengagement of AutoPilot puts up a screaming red warning to “Take Control Immediately”, and I can definitely see that happening ahead of a crash.

But Tesla is clear in their methodology;

“To ensure our statistics are conservative, we count any crash in which Autopilot was deactivated within 5 seconds before impact”

Which claim needs a citation? Mine or X3874s?
Both claims should be backed up.
Tesla does provide crash statistics.

Those stats used to be criticized on the basis that AutoPilot was driving predominantly highway miles and it’s safety record was being compared to overall driving crash statistics which have much more non-highway driving.

Now Tesla breaks out AutoPilot and FSD statistics and shows that FSD driving, noting that those miles are predominantly non-highway, still has 5x fewer crashes per million miles than average.

As you can see, the goalposts moved however. Now the “standard” for convincing stats includes controlling for road surfaces, weather patterns, and phase of the moon.

https://twitter.com/WholeMarsBlog/status/1650601088981307392...

> Now the “standard” for convincing stats includes controlling for road surfaces, weather patterns, and phase of the moon.

Much as you'd like to imply there is goalpost shifting, these are quite valid concerns, and not facetious.

Road surfaces: poor paint, marking, potholes, heavy use of crack filler - all things which will cause FSD to disengage as it can't determine where the road actually is.

Weather: FSD will disengage in sufficiently heavy rain/show/fog/hail. It will also be compromised by bright sunlight and road reflections hitting the "vision only" camera system.

> Now Tesla breaks out AutoPilot and FSD statistics and shows that FSD driving, noting that those miles are predominantly non-highway, still has 5x fewer crashes per million miles than average.

All of those factors above happen on all types of roads.

By absolutely no coincidence, many of these factors result in increased collisions. FSD gets turned off in these conditions, so "conveniently" it doesn't suffer the collision adjustment as a result. Human drivers have no such ability, and nor do NHTSA statistics say "Well, these crashes happened but they weren't under optimal and level playing field conditions so, well, they don't count".

Rephrased: to be actually comparable and worthy of anything beyond Tesla "marketing", crash stats should be looking at "similar constraints" between FSD and humans, i.e. if FSD can't or won't engage on a given stretch of road, or in given weather conditions, then the human crashes that happened on that same stretch of road or weather conditions shouldn't count for comparison, because you have no way of saying whether FSD would have driven better, because _it wouldn't even engage_.

Breaking it down to "highway vs non-highway" is certainly _easier_ but reductive to the point of near-meaninglessness.

The stats account for a 5s delay between deactivation and the accident. Meaning that crashes that happens in a 5s window after deactivation count as an FSD crash. Imo 5s is usually a lot in a crash situation.
I think you may be confused with how FSD works. FSD does not just disengage. For any of those reasons.

If the FSD stack crashes, or if it is completely unable to track its position on the road, you will get a forced disengagement - a loud alarm with a big flashing red “Take Control Now” alert.

That doesn’t happen if the lines get hard to see. That doesn’t happen if snow starts to fall. That doesn’t happen if the sun is at a bad angle. Forced disengagements of FSD are very rare.

The human driver of course can engage or disengage FSD at any time. The system will want a clear view of the lanes at the moment in time that FSD is first engaged, after which it will stay on until the driver decides to turn it off. You can engage FSD at night, in the rain/snow, etc.

But I can see how you might assume there are dangerous conditions that humans are compelled to drive where it’s unlikely FSD would be used. And let’s even presume without evidence that is true.

However the premise is flawed.

The vast majority of traffic accidents are not due to driving conditions, but rather are due to driver conditions. Drivers in accidents are usually either drunk, fatigued, or distracted. Drivers in accidents are likely to be inexperienced, or overly aggressive.

This is why the gap is so large (5x safer is an absolutely massive gap). Not because humans can’t be better drivers, but mostly because humans choose not to be better drivers because, frankly, humans make lots of really bad choices.

"It's so difficult for legacy car companies to get software right. You'd be surprised. Let me explain it quickly. To save probably 500 per vehicle, or let's say 350 quid a vehicle, we farmed out all the modules that control the vehicles to our suppliers because we could bid them against each other. So, Bosch would do the body control module, someone else would do the seat control module, someone else would do the engine control module, right? And we have about 150 of these modules with semiconductors all through the car. The problem is, the software is all written by 150 different companies, and they don't talk to each other. So, even though it says Ford on the front, I actually have to go to Bosch to get permission to change their seat control software. So, even if I had a high-speed modem in the vehicle and had the ability to write their software, it's actually their IP. We have 150, what we call, a loose confederation of software providers. 150 completely different software programming languages. All the structure of the software is different. It's millions of lines of code, and we can't even understand it all. That's why, at Ford, we've decided in the second-generation product to completely insource electric architecture. To do that, you need to write all the software yourself. But just remember, car companies have never written software like this. They've never written software. So, we're literally writing how the vehicle operates, the software to operate the vehicle, for the first time ever."

- Jim Farley

https://youtu.be/8IhSWsQlaG8?t=1476

It's been shown that people are able to rip headlights out of vehicles, plug into diagnostic ports behind them, unlock the doors and start the car. [1]

If criminals are able to figure out and exploit a relatively simple compromise, what other exploitable secrets are auto manufacturers hiding using obscurity that right to repair would expose to the public?

Any US residents know if the NHTSA is captured by corporate interests, or are they relatively free of corruption?

[1]https://www.thedrive.com/news/shadetree-hackers-are-stealing...

This is hardly a new problem though. Thieves used to be able to pull the wires from under the steering column and start a car.

For the more serious attacks mentioned, the automakers are essentially saying that they build extremely vulnerable systems and are afraid to disclose that fact.

I suspect we're in violent agreement though, that the correct outcome is to fix the vulnerabilities AND to document the repair methods.

Extremely vulnerable is a mischaracterization. Read up on how the CANBUS attack works, it’s actually quite sophisticated.

It’s the “evil maid” problem, and it’s extremely difficult to protect against, such that you pay huge premiums to get equipment hardened against these types of attacks.

> It's been shown that people are able to rip headlights out of vehicles, plug into diagnostic ports behind them, unlock the doors and start the car. [1]

Question about the U.S. legal system:

If that's true, and if NHTSA's position is based on rule rather than law, then can NHTSA be (successfully) sued because the rule is capricious?

IIRC courts have set a really low bar for the rationality of administrative rule-making, but I may not know what I'm talking about.

> can NHTSA be (successfully) sued because the rule is capricious

This is almost certainly what the Massachusetts AG will next do.

Physically plugging into a vehicle's CANBUS is not different from physically plugging into a computer's USB ports.

We accept that computer security has limits when the attacker has physical access to a machine. Why should this be different with a vehicle? In this example, attackers need to physically rip apart a vehicle to trigger a vulnerability.

It's not as though the headlight wiring harness is any more accessible than core components like the engine control unit.

> Physically plugging into a vehicle's CANBUS is not different from physically plugging into a computer's USB ports.

That's a bad example. If a computer can be taken over by a USB device, we would say there is a security vulnerability in its USB stack. Firewire is widely criticized for having a protocol based around DMA that naive implementations of are vulnerable in this way.

I'm not arguing that a flaw wouldn't be considered a vulnerability - it is. My argument is that cyber security has limitations when an attacker has physical access to the device.

Once you can start plugging random devices into random ports, there's bound to be a vulnerability somewhere. And how much is it really worth it to manufactures and customers to pen-test requests sent from a fuel pump?

Cyber security doesn't need to be perfect, it just needs to be more difficult than the the brute force solution - in this case, throwing the car on a flatbed tow truck.

It's not "request from a fuel pump". The CAN bus is a broadcast medium with addresses roughly equivalent to object type tags. So your ABS controller is sitting there repeatedly broadcasting messages like LEFT_FRONT_WHEEL_SPEED = 45mph, or whatever. But anything else connected to that pair of wires can send the same type of message, even though it's not the ABS controller.

Like ethernet, this points towards the paradigm for analyzing security of such buses. For example in an office environment, a link trunking a bunch of VLANs is going to be in server rooms or enclosed in conduit/walls/etc, whereas the ports in individual offices are going to be locked down to specific VLANs, perhaps only to specific MAC addresses, etc.

In other words, yes there are always vulnerabilities to certain types of physical access. But that does not mean that all physical access implies game over. For instance a computer should be secure against attacks attempted from the USB bus, then you might have a case tamper switch that kills the rig, preventing easy access to the PCIe bus which is much more privileged.

Translated to a car, this probably means that non-security-critical devices close to the periphery (like headlights) should be on a separate bus to things like door locks, keyfob receivers, etc. AFAIK my car already has two separate CAN buses, bridged by the gauge cluster. The distinction has to do with hard realtime messages from critical systems (engine, steering, ABS, etc), and less critical messages of turning lights on/off etc. We can imagine one or two more buses with distinctions based on security.

A computer can be taken over by a USB device, if that device emulates a keyboard.
"Taken over" implies operating outside the expected behavior of the system. Accepting keypress data from a USB keyboard is the expected operation.
Because federal conflicts with and therefore preempts the state law, "NHTSA expects vehicle manufacturers to fully comply with their Federal safety obligations."

Isn't that the exact opposite of how things actually work?

No; the Supremacy Clause [1].

[1] https://en.wikipedia.org/wiki/Supremacy_Clause

Right, insofar as those laws are made within the scope of the Constitution. My understanding is that the NHTSA and its authority aren't found within the scope of the Constitution except by the broadest of interpretations.
> My understanding is that the NHTSA and its authority aren't found within the scope of the Constitution except by the broadest of interpretations

This is legally incorrect. There are challenges to agency authority, which might change the status quo. But even in their most ambitious forms, the NHTSA pre-dates Chevron by two decades.

In any case, that's an aside in terms of what can and cannot be federal law. Federal law trumping state law was always intended.

And the constitution has a mechanism for determining what falls within the scope of the constitution and that mechanism says this falls within the scope of the constitution.
I think the more nuanced argument here is that while there are often federal agencies regulating various things, states have long been able to add additional requirements more stringent than the federal ones, so long as they do not conflict with the federal ones.

CA has stricter environmental regulations. Numerous states have stricter minimum wage laws. Labor laws. Etc.

(And yes, these can get challenged in court. In fact, the MA right to repair bill is being challenged presently.)

But these are the same bad-faith arguments (FUD around remote vehicle takeover, which is not required by the MA bill) the voters of MA heard during the election season that this bill was (overwhelmingly) passed during. MA voters do not expect auto-makers to not uphold their federal obligations: MA voters expect them to uphold both.

> MA voters do not expect auto-makers to not uphold their federal obligations: MA voters expect them to uphold both

If they’re in conflict, they cannot. State laws being stricter than federal ones don’t conflict.

Sure, but I haven't seen a salient argument that they do conflict yet, until then I'm Hitchen's razor on that; it's just been FUD about people doing remote takeovers of cars and crashing them.
> CA has stricter environmental regulations. Numerous states have stricter minimum wage laws. Labor laws. Etc.

A lot depends on how the federal law is written. Federal law can be written to completely preempt state law in some given area or it can be written to only preempt state law in the specific things in that area that the federal law actually provides rules on.

For wages federal law sets a minimum wage but does not prohibit states from setting their own higher minimum wage.

For many environmental laws federal law is written to completely preempt state law. States in those areas cannot set stricter standards. For some of those, such as car emissions, the federal law completely preempts (which would stop California from having stricter regulations) but the EPA is authorized to issue waivers to allow states to be more strict. There is such a waiver for California that allows them to set their own stricter standards and allows other states to choose to follow the California standard.

The Trump administration revoked California's waiver. (And then when several car companies announced they were going to continue to meet California's standard even if no longer required to do so the Trump administration threatened to sue them for antitrust).

The Biden administration restore California's waiver.

> Notwithstanding anything in the preceding paragraph, motor vehicle owners’ and independent repair facilities’ access to vehicle on-board diagnostic systems shall be standardized and not require any authorization by the manufacturer, directly or indirectly, unless the authorization system for access to vehicle networks and their on-board diagnostic systems is standardized across all makes and models sold in the Commonwealth and is administered by an entity unaffiliated with a manufacturer.

So the manufacturer cannot use their own software to manage authn/authz to their cars?

What would stop the unaffiliated entity from giving anyone access to anyone's car? They wouldn't even have a financial stake in making sure they implement proper authn/authz and internal access controls to stop employees/contractors from accessing this information improperly.

https://web.archive.org/web/20230510205950/https://malegisla...

The NHTSA complaint: https://s3.documentcloud.org/documents/23846284/nhtsa-letter... (bump from a comment further down by Simulacra )

Why couldn’t it be authorized by the owner of the car?
It sounds like the actual software that facilitates giving third parties access to remotely access car diagnostics can't be ran by the car manufacturer. So while they likely envision the user controlling the authorization for their car, my point is that this third party likely has little reason or obligation to safeguard access and authorization to this data and ensure only the user can authorize access to their car.

If the automaker themselves ran the software for this, they have a financial stake to make sure it's done right, since "hyundais being remotely controlled due to bad hyundai 2fa" is not a good headline. But with a third party, it'll have to be a de-facto monopoly over access to a manufacturer's cars, so once they have the contract and are years after the initial rollout, they might cut costs and leave the authorization/authentication system to rot, or have support agents incorrectly "recovering" user accounts for themselves or being phished into doing so.

Between industry capture and ideological capture, federal agencies seem to be the weakest part of America's democratic system as of late
It's almost like weakening the federal government has been a plank in a party platform for at least the last 47 years of my life...
Yeah but that only sorta solves the issue of agency overreach, which is typically the ideological part. I think it's more of an ideological/values based position than a practical "protect our democracy" position.
> NHTSA added that "open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking."

If this is accurate:

1. Manufacturers have created systems wherein they can murder their customers remotely. (I expect this to be true, at least to a degree, for Tesla, but other manufacturers should know better than to introduce something as insane as OTA brake control.)

2. What the fucking FUCK is NHTSA doing allowing manufacturers to create systems for remote steering, braking, and acceleration?

If I am understanding the article correctly, NHTSA asserts that to open up telematics to 3rd parties would allow remote attacks on multiple vehicles' safety-critical systems simultaneously. This implies telematics has remote control on those safety critical systems.

This raises a question for me: Why the actual fuck are safety-critical systems able to receive commands from anywhere other than the driver's controls or diagnostic port? Perhaps I am old-scool, naive, ignorant, etc, but given what "safety-critical" means, that strikes me as egregiously unacceptable.

I can sympathize with the idea of convenient remote diagnostic and repair, but in my opinion, this is a case where the saftey risk not just to the driver and passengers, but anyone else nearby, outweighs the convenience of logging into Ford's/BMW/Honda's website, click button, car works again.

Wouldn’t be easy for the gateway module to prevent incoming commands if the vehicle is moving?
This isn't out of the blue. During the legislative process there was back and forth among NHTSA and MA sentators and representatives:

https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/nhtsa_...

That frankly shows this was not unexpected. And there was responsible transparent discussion between relevant parties.

The NHTSA was doing their job.

Maybe the MA senators and representatives were lobbing them a softball, explicitly calling out cybersecurity instead of leaving review topics up to NHTSA, in hopes of this happening. But that is obviously paranoid and an avenue of discussion that is difficult to talk about. So, I'll just let that go.