How Vehicles Right to Repair will Expose Massachusetts Residents to Cyberattacks

Sep 29, 2020 3:15:58 PM / by Assaf Harel, Chief Scientist & Co-Founder

The Massachusetts "Right to Repair" Initiative, which was introduced as a proposed state statute in 2012, was to require that vehicle owners and independent repair facilities in Massachusetts have access to the same vehicle diagnostic and repair information made available to the manufacturers' Massachusetts dealers and authorized repair facilities. The initiative passed with overwhelming voter support on November 6, 2012, with 86% for and 14% against. The motivation was clear: to enable vehicle owners to repair their cars and light trucks anywhere they’d like, and hence reduce repair costs.

In 2019, new legislation was filed by members of both the Massachusetts House of Representatives and the State Senate to update the original law. This legislation updates the law to include wireless technology and 'telematic' information. The Massachusetts Coalition for Right to Repair has re-opened, and the coalition has been active with the new legislation.

On August 6th, 2019, the Massachusetts Right to Repair Coalition filed paperwork with the Massachusetts Attorney General's office to have a question placed on the 2020 ballot. The petition would update a state law that requires car manufacturers to share diagnostic and repair information with independent repair shops.

In December of 2019, it was announced that enough signatures had been collected for the ballot measure to go on the November 2020 ballot.

Unfortunately, we believe that opening OEMs’ telematics and wireless protocols and communication credentials to unauthorized repair shops in the state will enable hackers to exploit the open protocols to take over vehicles’ telematics units. At the minimum, it will enable them to fetch customer personal information that is stored on the telematics unit (e.g. the vehicle's recent location and routes) and very easily access the infotainment unit, which usually shares the same network as the telematics unit, in order to steal credit card information, payment history, phone call history and contact information, which are usually stored on the infotainment unit. Worst of all, using the communication credentials for the telematics and wireless unit may enable hackers to infiltrate the car and access brakes and safety systems, for widespread attacks that can yield major fatalities and collateral damage.

In 2020, the automotive industry adopted strict cybersecurity measures, and new standards such as ISO 21434 and UNECE WP.29 were ratified. Those standards require car manufacturers to protect their electronic units against cyberattacks and to protect and authenticate wireless and cellular traffic into the telematics unit. It would be ironic if, in the same year that rigid security enforcement was placed on OEMs, the State of Massachusetts required automotive OEMs to give those authentication keys to any interested party, which could easily be a hacker who may sacrifice car owners’ privacy and safety.

To learn more about reported and potential cyberattack scenarios, download our full white paper here:

MA Right-to-Repair White Paper