Repair Is the Least of Auto Makers’ Security Worries

A long-running tale of cybersecurity flaws in connected vehicles got a new chapter this week, after a security researcher revealed a serious security flaw in telematics software made by SiriusXM and licensed by leading automakers. Sam Curry (@samwcyo), a researcher who works at the firm Yuga Labs, said that he and a team of researchers accessed consumer information and executed commands on Honda, Acura, Nissan, and Infiniti vehicles using nothing more than the vehicle identification number (VIN) visible through the windshield of the vehicle to authenticate to the SiriusXM telematics system.

A tweet from Sam Curry about car hacking

The hack is reminiscent of the 2015 compromise of a Jeep Cherokee by researchers Charlie Miller and Chris Valasek, who discovered a flaw in the UConnect software that was used in Fiat-Chrysler vehicles, ultimately sending malicious commands that affected a vehicle’s steering, braking, acceleration, and environmental controls.

It is just the latest revelation to raise questions about the security of software running on modern vehicles, as well as the security and development practices of automakers themselves. In October, for example, Toyota acknowledged that information on some 300,000 customers was exposed after signing keys for its T-Connect telematics system were found to have sat in a public open-source repository for five years.

Despite these incidents, automakers cite the cybersecurity of their systems as a reason to oppose right to repair laws, like the measure approved by nearly three-quarters of voters in Massachusetts in November 2020, which would require automakers to make the repair and maintenance data transmitted via telematics systems accessible to vehicle owners and independent repair professionals.

Stephen McKnight, head of global product cybersecurity for North American Engineering at Stellantis, told a federal judge in Massachusetts that providing access to telematics systems as stipulated by the law “would require removing critical cybersecurity controls from its vehicles.”

SiriusXM said that it takes the security of its software seriously and operates a bug bounty program that allows security researchers to discover flaws in its software. However, like other makers of software-driven products, automobile manufacturers are shielded from scrutiny by laws like the 1990s-era Digital Millennium Copyright Act (DMCA), which makes it illegal to circumvent software locks for any reason, according to Cory Doctorow. “DRM exposes (security researchers) to legal risks, (so) many security experts simply avoid DRM-locked gadgets,” he wrote.

That promotes the illusion of “security through obscurity”—the notion that, by keeping prying eyes from scrutinizing software, manufacturers keep it secure. The truth is often just the opposite: a lack of scrutiny promotes loose software security practices and a lack of accountability. “Every DRM-restricted device is a potential reservoir of long-lived digital vulnerabilities that bad guys can discover and exploit over long timescales, while honest security researchers are scared off of discovering and reporting these bugs,” Doctorow wrote on Twitter.

EU Adds New Repair Rules for Phones + Tablets

To minimize the environmental impact that devices like smartphones, tablets, and the like have on our ecosystems, the European Union is implementing ecodesign rules for electronic devices.

While this is absolutely movement toward the right to repair, advocates believe it falls short of a true “right to repair” needed to extend the life of devices to the point they believe necessary to avoid environmental destruction.

A leaked document shows a number of forthcoming policy changes for Europe, including the following:

  • Parts + Information: Access to necessary parts and guidance on how devices should be repaired will become a requirement for seven years.
  • Software updates: Digital maintenance of devices will be required for at least five years following the “retiring” of a device—though nothing is mentioned about throttling.
  • Durability: Requirements for battery capacity over time as well as withstanding everyday use such as accidental drops.
  • Repair labeling: Similar to France’s Repairability Index, the labeling of devices would offer consumers information on the effort and cost associated with repairs.

Right to Repair Europe, an advocacy organization focused on repair in the EU, believes that in order to achieve the objectives of the EU’s Green Deal there need to be stronger policies in place. Their major critiques include:

  • Parts/information requirements are weak: Information on spare part pricing needs to be more specific to include things like taxes, given how important pricing is when it comes to the adoption of repair.
  • Software shenanigans: These rules have nothing to say about parts pairing, the practice of requiring software authorization to complete a repair.

These are no doubt good changes that will keep devices in people’s hands for longer, and out of landfills where they can spill toxic chemicals into the earth. However, given the urgency of the ecological problems we face because of our consumption, a sense of urgency is needed that isn’t captured in these policy changes.

“While having initial repairability rules for these products is a first important step, we regret a missed opportunity to introduce rules granting people a true right to repair.”

– Ugo Vallauri, Policy Lead @ The Restart Project

Other News

  • Samsung looks to expand self-repair: the electronics giant filed a trademark application in the US that suggests the company is working on a new mobile app called ‘Self Repair Assistant’ that would assist customers in repairing their devices, SAMMobile reports. The filing also suggests that Samsung could add tablets and earbuds to the list of its personal electronic devices designed for DIY repairs.
  • Apple using patents to restrict repair: As Samsung looks to boost repairability, its chief competitor Apple is going in the other direction. The tech behemoth is asking for a US judge to rule that patents should come with a “service and repair carve-out” to ensure they can monopolize repair over their products.
    • Plus: They were caught lobbying the EU Commission’s cabinet Vice President of digital policy to curb ecodesign regulations.
  • Billboard calls out NY Governor Hochul on repair: A new billboard, courtesy of iFixit, has been put up on NY Governor Hochul’s way to work to remind her about the right to repair bill sitting on her desk.
  • Schematics: I knew thee! Hackaday (one of our favorite sites) has a nice walk down memory lane looking at the many sources for device schematics and replacement parts that repair professionals once enjoyed and lamenting the demise of fixable stuff.
  • Telecom companies want disposable phones: Wireless company Manx Telecom has been caught pushing customers to toss their devices even before they break.
  • Congresswoman says R2R is consensus issue: Marie Gluesenkamp Perez, the newly elected representative of Washington’s 3rd district, is making right to repair a central issue of her platform, saying the issue is common sense even amongst the country’s ideological divide.
  • Opinion – digital tractors are dooming us: Mark Daniels of Rural News argues that hackers and companies have the ability to “wreak havoc” on farmers.
    • Our thought bubble: There is no security in obscurity. If Deere can’t keep its customers safe, why should they lock out farmers to “protect” them from security flaws?
  • BMW charging extra for speed: Critics are piling on the German car maker for making customers buy a software subscription to get higher speeds from their car.
  • E-bike repair: The rising popularity of battery powered e-bikes means that batteries should be easily replaced, but that isn’t the case due to product design and repair ecosystems.

Resources, Events, and Opportunities

  • Virtual Event: Repair Economy Summit 2022, “Repair. Reuse. Resilience.” Registration is now live. The event is being held on December 12th and 13th from 4-7pm (PST). Get your tickets here.