Submitted by lurker_registered t3_yertok in boston
RelativeMotion1 t1_iu0gumo wrote
As an engineer in the auto industry who is very familiar with these systems, I can say that while I do support the spirit of this law, it is absolutely more complex than is being acknowledged, and a risk to user safety.
Automakers have spent the last few years trying to secure the embedded modems and software to protect customers. Creating a back door to these systems is counter to that effort. AND it doesn’t really give independent repair shops an advantage. They can already access all the data and functions of the vehicle modules with factory software that is already available to them (for a fee).
This sounds good in theory to the layman, but is less useful and less practical than is being touted.
IphtashuFitz t1_iu0hd9y wrote
> They can already access all the data and functions of the vehicle modules with factory software that is already available to them (for a fee).
Let me guess. Those fees are way higher than a small independent shop can afford to pay, especially when it's one fee to Toyota, another fee to Ford, yet another fee to Honda, and so on.
RelativeMotion1 t1_iu0hxeg wrote
I can only speak to certain manufacturers, but it’s generally not that exorbitant. A few thousand a year, which can easily be offset by performing lucrative services like key programming which are often done by dealers.
And IMO, that was the thing to target with legislation. Make the manufacturers offer the software for free or for a lower fixed cost. That would be far, far more effective for the shop and beneficial for the customer.
abhikavi t1_iu1dyt7 wrote
> A few thousand a year
...per manufacturer?
The mechanic I use is a one-man shop, and generally works on European imports. I could easy see him refusing to take my Honda if he had to pay a few thousand a year just to work on Hondas.
>Make the manufacturers offer the software for free or for a lower fixed cost.
Yeah, I'd be happy with that.
RelativeMotion1 t1_iu1p7gm wrote
Yeah, for a one-man shop, it’s not ideal. It’s worth mentioning that the “scan tool subscription” has been the case for over 20 years, long before embedded modems came along. It helps the manufacturers pay for development of the tool (millions of dollars in cost, often to a supplier like Bosch), and eventually becomes another profit center. Don’t take that as my endorsement, just relaying the facts.
There are also generic diagnostic tools that have 9/10 of the capability for less investment. That’s how smaller independent shops usually do it. One universal tool for most things, and possibly a few manufacturer tools for their most commonly serviced brands. However, with the increasing software complexity and increasing frequency of module updates, I expect they’ll raise prices as well.
It will take years for the independent service environment to adapt to all the changes we’re seeing, from this to electrification to autonomy. Almost none of the independent shops are equipped to service modern technology, and those that don’t invest soon will be relegated to replacing basic parts like suspension and brakes. And as oil changes become a thing of the past, businesses will close. The industry is in for quite a ride between now and 2030.
Bostonosaurus t1_iu0loaf wrote
What does "protect" customers mean? Like someone hacks into the car and floors it into an intersection or Mark Zuckerberg just knows where I am all the time?
RelativeMotion1 t1_iu0muj9 wrote
The module that they’re requesting access to is an embedded modem that essentially allows remote access to all of the vehicle modules. Including those that provide anti-theft/security functions, and all of the modules that operate every feature in the vehicle including the powertrain and airbags.
It’s not going to be very helpful in the diagnostic realm, relative to the diagnostic tool that the dealership would use and is available to the independent shops.
If they can find a way to do this without making the cars vulnerable to theft or interference from bad actors, then sure, have at it. But it’s almost never going to help them repair the vehicle, and they’ll still need a diagnostic computer to do much of anything with the data. That’s my point. The legislation is trying to solve the wrong issue, and in doing so potentially creates a security risk.
synthdrunk t1_iu1adwq wrote
So glad my vehicle has a cell modem, network stack.
Protect consumers by ending corpus collection from vehicles.
Bostonosaurus t1_iu8c9sk wrote
They need this data for my protection.
fendent t1_iu41n7o wrote
Security is about controlling risks in your threat model. There is nothing particularly complex about what they’re doing that isn’t already being done. It simply requires more effort and will be costly to retrofit them properly if they need any hardware changes on the device side. The fact that they can’t open up access to other authorized parties actually shows how poor of a job they’ve done and susceptible to compromise they are. The AG’s complaint actually details multiple AuthN/AuthZ models that the EFF helped them describe in their amicus brief! They’re simply putting up a fight because it’ll be expensive.
endlesscartwheels t1_iu4p3w0 wrote
> They can already access all the data and functions of the vehicle modules with factory software that is already available to them (for a fee).
Perhaps the solution is a law requiring that for a car to be sold in Massachusetts, its manufacturer must make that software available to Massachusetts mechanics for free.
Viewing a single comment thread. View all comments