Hack-Proofing How car hacking is leading the right to repair movement
A community of car hackers raises a critical question in mobility tech—what happens when you own a car (or other hardware) but not the software that makes it function? This article takes a look at the booming Right to Repair movement, the benefits of car hacking and the challenges for IoT data .
Many car owners have a fond memory of buying an older car in early adulthood and hours happily spent tinkering under the hood, exploring and learning by taking things apart and then putting them back together. These days you're more likely to use code than a wrench during your tinkering as electronics and sensors gradually consume car mechanics through the CAN Bus. The car as a computer on wheels raises fundamental questions about the right to repair. It has resulted in a quiet revolution in garages, parking lots, and maker spaces, of car hackers, seeking to understand what their car can do and could do with modifications to its hardware and/or code.
Car hacking in practice
Car hacking is nothing new, but what is new is the use of the internet to build a movement with everything from basic maintenance to how to start your car using the Ok Google command. There are pages dedicated to the cause on Reddit, a plethora of curated resources and open source development kits that lets you connect your car to the cloud via 3G, Wi-Fi, or Bluetooth. Considered the bible of the movement by many, Craig Smith's Car Hacker's Handbook details the benefits of car hacking and how it contributes to:
- The ability to modify a car, for example, improved fuel consumption or the use of third-party replacement parts.
- Bypassing the need for proprietary diagnostic tools to diagnose problems.
- The ability to create new functionalities.
Car hacking to secure your car
Car hacking plays a vital role in securing cars against security threats and vulnerabilities. Each year security conferences Blackhat and DefCon host the Car Hacking Village, run by volunteers, it's an opportunity for security researchers to gain hands-on experience working side by side with experts in the field.
At the 2015 Defcon, Charlie Miller, security engineer for Twitter, and Chris Valasek, a security expert for IOActive, demonstrated they were able to wirelessly take control of a Jeep using a Wi-Fi-connected laptop. This enables them to cut the breaks and transmission while the car was being driven. The original hack resulted in a huge recall and exposed serious problems with how the car companies planned to handle such software flaws.
In 2017 Charlie and Chris open-sourced all their research. Amongst other things, it details how they were able to hack a Jeep Cherokee after the firmware updates, that were rolled out in response to their original hacking. It's a great example of the value of the open-source community and the importance of security testing.
What are your rights to repair?
Is it really your car if you own the hardware but not the software that powers it? Or if you can only access information that is not considered proprietary knowledge? The right to repair your own car or choose your own mechanic has a complex history. As cars became digitized, hobbyists and private car mechanics found it harder to access manuals and manufacturer resources.
In response, In The Motor Vehicle Owners' Right to Repair Act passed in Massachusetts in 2014, which led to a national MOU with the auto industry. The law meant that vehicle owners and independent repair facilities became eligible to access the same diagnostic and repair resources made available to certified car centers and dealerships. This meant that anyone could repair their car themselves or choose a dealer of their preference. The EU has comparative legislation—under Motor Vehicle Block Exemption Regulation 461/2010.
The ubiquity of IoT brings another challenge to the Right to Repair
However, the law is struggling to keep up with IoT innovation. The Right to Repair legislation passed in the US excluded the right to access telematics (the data that is transmitted wirelessly from the vehicle to the manufacturer). Such data may include your location, driving behavior, fuel use, emissions, engine hours, and vehicle health. It's not the same as a manual or diagram of the inside of your car, but it's data insights generated by you the driver, which as it stands, is owned by the car manufacturer, not you and can be sold to third parties without your consent.
In 2018, the European Parliament's Committee on Legal Affairs voted against an amendment that would not make it possible for telemetric data from an autonomous vehicle to be subject to copyright. This meant that there's legal recourse for consumers seeking to access this data. But the EU does have GDPR. It introduced rights such as consent to data collection and processing, access, and request for deletion.
However, it will take some time (including time for car owners to read laborious privacy documentation) for consumers and car manufacturers to reach any kind of consensus about data rights and ownership of telemetric data. We might not see any real traction until consumers flex their muscles through the mechanisms of GDPR and many may never realize the value of what they are giving away.