The headline is very clickbaitey. Here is the body of the actual letter sent to manufacturers:
The National Highway Traffic Safety Administration (NHTSA) is sending this letter to advise vehicle manufacturers of their obligations under the National Traffic and Motor Vehicle Safety Act (Safety Act), 49 C.F.R. Chapter 301, in light of a Massachusetts law that NHTSA believes poses significant safety concerns. That law, previously known as SD645 and now codified at Chapter 93K of the Massachusetts General Laws (the Data Access Law), requires open remote access to vehicle telematics.1 As explained below, the Data Access Law conflicts with and therefore is preempted by the Safety Act.
If you comply with the Mass. law, you may come into conflict with the Safety Act which preempts Mass.
While NHTSA has stressed that it is important for consumers to continue to have the ability to choose where to have their vehicles serviced and repaired, consumers must be afforded choice in a manner that does not pose an unreasonable risk to motor vehicle safety.2 In this case, NHTSA previously described its serious safety concerns with the Data Access Law’s requirement of open remote access in a filing in pending federal district court litigation that challenges the law. Alliance for Automotive Innovation v. Campbell, Case No. 1:20-cv-12090, Dkt. No. 202 (D. Mass) (“United States’ Statement of Interest”).3 The open remote access to vehicle telematics effectively required by this law specifically entails “the ability to send commands.”4 Open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking, as well as equipment required by Federal Motor Vehicle Safety Standards (FMVSS) such as air bags and electronic stability control. A malicious actor here or abroad could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently.5 Vehicle crashes, injuries, or deaths are foreseeable outcomes of such a situation.
While consumers should have access, this may open up a whole can of worms, safety-wise. A nefarious actor could misuse the system to remotely cause a crash.
Vehicle manufacturers appear to recognize that vehicles with the open remote access telematics required by the Data Access Law would contain a safety defect. Federal law does not allow a manufacturer to sell vehicles that it knows contain a safety defect. See 49 U.S.C. §§ 30112(a)(3); 30118(c)(1). Furthermore, as you are aware, the Safety Act imposes an affirmative obligation on vehicle manufacturers to initiate a recall of vehicles that contain a safety defect. 49 U.S.C. § 30118(c).
If you leave a backdoor open and not properly secured, you'll be doing a nationwide recall.
Given the serious safety risks posed by the Data Access Law, taking action to open remote access to vehicles’ telematics units in accordance with that law, which requires communication pathways to vehicle control systems, would conflict with your obligations under the Safety Act.6 “The purpose of the Safety Act . . . is not to protect individuals from the risks associated with defective vehicles only after serious injuries have already occurred; it is to prevent serious injuries stemming from established defects before they occur.” United States v. Gen. Motors Corp., 565 F.2d 754, 759 (D.C. Cir. 1977).
Make sure you have everything secured, so only the authorized users have access.
NHTSA is aware that certain vehicle manufacturers have stated an intent to disable vehicle telematics, presumably to avoid the application of the Data Access Law to their vehicles.7 This measure has its own adverse impacts on safety. For example, telematics-based safety features could facilitate better emergency response in the event of a vehicle crash. Telematics data can also be an important source of information for safety oversight and field performance monitoring by the authorities and vehicle manufacturers. NHTSA often utilizes telematics data in its investigations, and the inability to obtain these data from vehicles with this capability undermines the agency’s ability to fully examine safety-related issues. In addition, some vehicle manufacturers have the ability to fix safety problems by remedying recalls through vehicle telematics, which will be lost if those systems are disabled. Manufacturers should assess the impacts of any planned actions on roadway safety comprehensively.
You can't lock it all down, though. We may need access to the "black box" data for review of incidents. You may also need to leave openings to third parties that provide legitimate services, such as On-Star, etc.
One of the biggest concerns is when you start trying to see secure APIs and such, you quickly realize that what you did 5 years ago isn't nearly good enough today.
And most cars stay on the road for 14-some years.
I bet I could straight brute force any consumer grade security measure from like 2009 with the phone I'm typing on right now.
How can we expect auto manufacturers to secure their systems for 15 years?
While over-the-air updates are becoming a thing, it's not going to be financially attractive for auto makers to continue providing security updates for 15 year old cars.
I don't know what the solution it, but it's going to be challenging.
This is especially true as the break even point concerning EV vs ICE carbon footprints is at 89,000 miles. Many of us consider EVs for the environmental impact, so when you add into the lifetime of the product, the need for upgrades to keep them secure, it becomes a serious issue.
The headline is very clickbaitey. Here is the body of the actual letter sent to manufacturers:
If you comply with the Mass. law, you may come into conflict with the Safety Act which preempts Mass.
While consumers should have access, this may open up a whole can of worms, safety-wise. A nefarious actor could misuse the system to remotely cause a crash.
If you leave a backdoor open and not properly secured, you'll be doing a nationwide recall.
Make sure you have everything secured, so only the authorized users have access.
You can't lock it all down, though. We may need access to the "black box" data for review of incidents. You may also need to leave openings to third parties that provide legitimate services, such as On-Star, etc.
https://www.documentcloud.org/documents/23846414-nhtsa-letter
One of the biggest concerns is when you start trying to see secure APIs and such, you quickly realize that what you did 5 years ago isn't nearly good enough today.
And most cars stay on the road for 14-some years.
I bet I could straight brute force any consumer grade security measure from like 2009 with the phone I'm typing on right now.
How can we expect auto manufacturers to secure their systems for 15 years?
While over-the-air updates are becoming a thing, it's not going to be financially attractive for auto makers to continue providing security updates for 15 year old cars.
I don't know what the solution it, but it's going to be challenging.
This is especially true as the break even point concerning EV vs ICE carbon footprints is at 89,000 miles. Many of us consider EVs for the environmental impact, so when you add into the lifetime of the product, the need for upgrades to keep them secure, it becomes a serious issue.
https://www.reuters.com/business/autos-transportation/lifetime-carbon-emissions-electric-vehicles-vs-gasoline-cars-2021-06-29/