The NHTSA has stepped in to stop automakers from sharing data with third parties — all in the interest of safety
https://www.carscoops.com/author/sam-d-smith/
<!–
–>
by Sam D. Smith
3 hours ago
–> 
–>
The state of Massachusetts has some of the most stringent Right To Repair laws in the entire U.S., with the mandate stretching to cars in a bid to support independent repair shops. But, while on the face of it, allowing smaller auto shops the ability to repair modern automobiles may seem like a good thing, the NHTSA has written to automakers telling them not to comply with the state’s laws.
In 2020 a vote extended the state’s automotive right-to-repair law to include telematics and connected car services. What this would mean is sharing information with vehicle owners and independent workshops about how a car’s data services operated. The requirement was that all manufacturers operate a standardized open platform from the 2022 model year that could be accessed by users to retrieve mechanical data and run diagnostics.
Some manufacturers were concerned that this could potentially leave their vehicles open to attacks by bad actors. Automakers argued that to comply with the state’s requirements, it would mean that they would have to downgrade critical cybersecurity controls that relate to safety and emissions — both of which are mandated by the federal government.
See Also: 28 Attorney Generals Pressure Congress To Enact Right-To-Repair Protections
In an effort to comply, some automakers, such as Kia and Subaru, ended up deactivating their connected car services for those in the Massachusetts area. However, it was argued that such a move was not compliance and was instead, in effect, sidestepping the law.
Now the NHTSA has cited safety concerns for any company complying with the Massachusetts law — particularly as open access to vehicle manufacturers’ telematics could lead to attacks with the ability to send third-party commands to cars. They say that a malicious actor “could utilize such open access to remotely command vehicles to operate dangerously, including attacking multiple vehicles concurrently.”
advertisement scroll to continue
“Open access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration, or braking. Vehicle manufacturers appear to recognize that vehicles with the open remote access telematics required by the Data Access Law would contain a safety defect,” NHTSA said in its letter to General Motors, Tesla, Ford, Toyota, Rivian, Volkswagen and others, reports Reuters.
Addressing the issue of automakers disabling connected car functionalities, the NHTSA said it is aware, and that “this measure has its own adverse impacts on safety.”
