Independent auto repair shop owners in Massachusetts (MA) are carefully watching a 2020 state ballot issue that would require auto manufacturers to fairly provide and share the automotive digital data collected by new vehicles. Cynical legislators recently had many questions while hearing testimony on 13 January 2020 as they weighed the cyber ramifications of creating new related laws.
The auto shop owners are seeking an update to the 2012 MA “right-to-repair” law, which was originally passed to make sure auto manufacturers provide the same diagnostic repair information, at a reasonable cost, to both dealerships “and” independent mechanics. The lobby that persuaded the state legislature to pass that statute more than seven years ago is back, pushing lawmakers to guarantee the law is expanded to cover data that is being collected and transmitted to manufacturers wirelessly, and thus potentially used to give car dealerships a significant competitive advantage.
The MA Joint Committee on Consumer Protection and Professional Licensure heard testimony on a variety of right-to-repair proposals, including the proposed ballot question that is now before the Legislature for consideration. Proponents of a new “right-to-repair” law say it is about protecting consumer choice, but auto manufacturers counter that independent shops already have access to all the information they need to repair vehicles, through manufacturer repair codes. Some are claiming that the exclusion of remote telematics was a previous concession made by repair shop owners during past negotiations. The Right to Repair Coalition told the legislative committee that their group of more than 2,000 independent auto repairers wants to make sure that technological advances in vehicles do not stifle consumers in their choice of where to have their vehicles repaired. The coalition said, “This is about mechanical information necessary to diagnose, repair and maintain a car.”
Some repair shop owners are struggling to fully explain just “how” access to the telematics data could help them make proper repairs. Some mechanics worry about how auto manufacturers might restrict access to data in the future, which would hurt their independent businesses. Asked by legislators for an example of how their businesses are directly impacted, one mechanic told the committee the story of a customer whose OnStar system identified a “check engine” light and gave her the option of bringing the vehicle to one of two dealerships for repair. Some say, “it sounds like it’s a competitiveness issue more than a [just] repair codes.” The 2012 law already guarantees independent repair shops access to the same repair diagnostic information (codes) as dealerships, at the same cost. Yet the law does not address the two-way wireless diagnostic information flow.
Auto manufacturers report that most modern vehicles collect volumes of data on how those vehicles are functioning and being driven, even recording a driver’s weight, where they drive and how fast. Some of this collected data is deleted immediately, while some is anonymized and used to give consumers real-time information on traffic or to help manufacturers identify and issue safety recalls. A small amount of data is tied to an identifiable user and can be used for emergency responses (like OnStar-type technology). Some experts say expanding access to telematics data would create a greater risk of personal data being exposed or vehicle telematics systems being hacked. This is the heart of the cyber security issue.
Late last year, Popular Mechanics published a report on hacking auto RF technology. One such example is hacking your car’s key fob to gain entrance. Similar hacking techniques could be utilized to steal auto diagnostics and possibly your proprietary information. It's convenient to open your car door without having to dig around in your bag or pocket for the key fob. It is certainly a great marketing pitch for push-to-start cars, but it is also making life extremely easy for cyber criminals. As with so many “advances” in technology, there have been serious unintended consequences for newer cars.
According to the FBI, auto theft hit an eight-year high in 2017, with 773,139 reported cases, up from an all-time low of 686,803 in 2014. That is occurring in conjunction with an increase in keyless ignition systems. In 2018, 62 percent of cars sold used keyless ignition as standard equipment, up from 11 percent in 2008.
So why is it possible to pull off any kind of theft? Keyless ignition systems come with a fob that transmits a unique low-frequency signal to the car's computer system, which then validates that the correct signal has been sent and allows you to push a button on the dashboard or console to unlock the doors and start the engine. Hackers can take advantage of this by using a cheap relay box to copy and transmit the signal from your key fob while it is still inside your home or in your pocket. This is called a relay attack, and it is very easy for hackers to execute as long as they have a “friend.”
Here is how the relay attack works. Each person carries a relay box, which can be purchased for as little as $20 online. The boxes can pick up the radio frequency from a car key fob that is sitting on a table inside, hung up on a key rack, or even resting in a purse. The relay boxes allow one person to stand near the home to pick up and amplify the key fob signal and then transmit it to the second box, which the other person holds outside the door of a car. Once the key fob signal reaches the second box, it unlocks the door, as the car thinks you're holding your key fob nearby. Now the criminals just have to drive away without getting caught and then change the various locks. If you have any computer equipment, smartphones or other valuables inside, you now have real problems.
Can these types of attack methods be used to steal your automobile information? Maybe, maybe not. Time will tell if and how stealing automobile diagnostics occurs. Cyber laws and regulations are always 5-10 steps behind keeping pace with technology and bad hackers’ malicious intentions. The pending MA law addendum will be an example of lawmakers trying to keep up with technology.
About Red Sky Alliance
Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization and offer RedXray and RedXray-Plus for cyber analysis and protection. For questions, comments or direct assistance, please contact Red Sky directly at 1-844-492-7225, or firstname.lastname@example.org