Secure gateway module: Difference between revisions
PixelRunner (talk | contribs) m fix categories |
No edit summary |
| Line 4: | Line 4: | ||
A '''secure gateway module''' (SGW) is a digital firewall integrated into a vehicle's electrical architecture that restricts access to the on-board diagnostic (OBD-II) port by requiring internet-authenticated credentials before allowing bidirectional communication with vehicle systems.<ref name="youcanic">{{Cite web |url=https://www.youcanic.com/fca-security-gateway-module-explained-obd2-sgm-sgw/ |title=FCA Security Gateway Module Explained |publisher=YOUCANIC |access-date=2026-04-04}}</ref> Fiat Chrysler Automobiles (FCA, now [[Stellantis]]) introduced the technology across its vehicle lineup in 2017-2018, & Nissan, Mercedes-Benz, Volkswagen/Audi, & [[Hyundai]]/Kia have since adopted similar systems.<ref name="adasdepot">{{Cite web |url=https://adasdepot.com/blog/security-gateways-in-modern-vehicles-balancing-cybersecurity-and-repair-access/ |title=Security Gateways in Modern Vehicles: Balancing Cybersecurity and Repair Access |publisher=ADAS Depot |access-date=2026-04-04}}</ref> Independent repair shops must pay annual subscription fees to a third-party authentication service called AutoAuth, plus maintain separate scan tool software subscriptions, to perform repairs that dealerships can do without additional cost.<ref name="autoauth-pricing">{{Cite web |url=https://www.adasnetwork.org/industrynews/autoauth-announces-changes-to-it-s-pricing-structure-and-services |title=AutoAuth Announces Changes to its Pricing Structure and Services |publisher=ADAS Network |date=2025 |access-date=2026-04-04}}</ref> | A '''secure gateway module''' (SGW) is a digital firewall integrated into a vehicle's electrical architecture that restricts access to the on-board diagnostic (OBD-II) port by requiring internet-authenticated credentials before allowing bidirectional communication with vehicle systems.<ref name="youcanic">{{Cite web |url=https://www.youcanic.com/fca-security-gateway-module-explained-obd2-sgm-sgw/ |title=FCA Security Gateway Module Explained |publisher=YOUCANIC 
|access-date=2026-04-04}}</ref> Fiat Chrysler Automobiles (FCA, now [[Stellantis]]) introduced the technology across its vehicle lineup in 2017-2018, & Nissan, Mercedes-Benz, Volkswagen/Audi, & [[Hyundai]]/Kia have since adopted similar systems.<ref name="adasdepot">{{Cite web |url=https://adasdepot.com/blog/security-gateways-in-modern-vehicles-balancing-cybersecurity-and-repair-access/ |title=Security Gateways in Modern Vehicles: Balancing Cybersecurity and Repair Access |publisher=ADAS Depot |access-date=2026-04-04}}</ref> Independent repair shops must pay annual subscription fees to a third-party authentication service called AutoAuth, plus maintain separate scan tool software subscriptions, to perform repairs that dealerships can do without additional cost.<ref name="autoauth-pricing">{{Cite web |url=https://www.adasnetwork.org/industrynews/autoauth-announces-changes-to-it-s-pricing-structure-and-services |title=AutoAuth Announces Changes to its Pricing Structure and Services |publisher=ADAS Network |date=2025 |access-date=2026-04-04}}</ref> | ||
The auto-glass & collision repair industries bear a disproportionate burden because every windshield replacement on an [[Advanced driver-assistance system|ADAS]]-equipped vehicle requires camera recalibration that the SGW blocks without active internet authentication.<ref name="rdn-adas">{{Cite web |url=https://www.repairerdrivennews.com/2026/03/04/industry-responds-to-federal-bill-requiring-nhtsa-guidelines-for-adas-calibrations/ |title=Industry responds to federal bill requiring NHTSA guidelines for ADAS calibrations |author=Teresa Moss |publisher=Repairer Driven News |date=2026-03-04 |access-date=2026-04-04}}</ref> The Federal Trade Commission found "scant evidence to support manufacturers' justifications for repair restrictions" in its 2021 report to Congress, & the GAO confirmed in 2024 that independent shops face repair information limitations resulting in fewer choices & higher costs for consumers.<ref name="ftc-nixing">{{Cite web |url=https://www.ftc.gov/reports/nixing-fix-ftc-report-congress-repair-restrictions |title=Nixing the Fix: An FTC Report to Congress on Repair Restrictions |publisher=Federal Trade Commission |date=2021-05 |access-date=2026-04-04}}</ref><ref name="gao">{{Cite web |url=https://www.gao.gov/products/gao-24-106633 |title=Vehicle Repair: Information on Evolving Vehicle Technologies and Consumer Choice |publisher=Government Accountability Office |date=2024-03-21 |access-date=2026-04-04}}</ref> | The auto-glass & collision repair industries bear a disproportionate burden because every windshield replacement on an [[Advanced driver-assistance system|ADAS]]-equipped vehicle requires camera recalibration that the SGW blocks without active internet authentication.<ref name="rdn-adas">{{Cite web |url=https://www.repairerdrivennews.com/2026/03/04/industry-responds-to-federal-bill-requiring-nhtsa-guidelines-for-adas-calibrations/ |title=Industry responds to federal bill requiring NHTSA guidelines for ADAS calibrations |author=Teresa Moss 
|publisher=Repairer Driven News |date=2026-03-04 |access-date=2026-04-04}}</ref> The Federal Trade Commission found "scant evidence to support manufacturers' justifications for repair restrictions" in its 2021 report to Congress, & the GAO confirmed in 2024 that independent shops face repair information limitations resulting in fewer choices & higher costs for consumers.<ref name="ftc-nixing">{{Cite web |url=https://www.ftc.gov/reports/nixing-fix-ftc-report-congress-repair-restrictions |title=Nixing the Fix: An FTC Report to Congress on Repair Restrictions |publisher=Federal Trade Commission |date=2021-05-01 |access-date=2026-04-04}}</ref><ref name="gao">{{Cite web |url=https://www.gao.gov/products/gao-24-106633 |title=Vehicle Repair: Information on Evolving Vehicle Technologies and Consumer Choice |publisher=Government Accountability Office |date=2024-03-21 |access-date=2026-04-04}}</ref> | ||
== History of OBD-II & the shift to closed diagnostics == | == History of OBD-II & the shift to closed diagnostics == | ||
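Review bot: the `date=` change on the ftc-nixing reference (`2021-05` to `2021-05-01`) adds a day of the month that the citation itself does not give; the left column dates the FTC report only to May 2021. If the change is meant to satisfy the citation template's date check, `date=May 2021` keeps the month precision of the source without asserting a day. Nothing else in this hunk is an edit: the line break inside the youcanic reference between `publisher=YOUCANIC` and `|access-date` is display wrapping, not a change to the wikitext.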
| Line 26: | Line 26: | ||
=== Authentication flow === | === Authentication flow === | ||
Bypassing the SGW requires a challenge-response protocol managed by a cloud server:<ref name="eti-overview">{{Cite web |url=https://etools.org/wp-content/uploads/2024/09/AutoAuth-High-Level-Overview-Ver10.pdf |title=AutoAuth High Level Overview |publisher=Equipment and Tool Institute |date=2024-09 |access-date=2026-04-04}}</ref> | Bypassing the SGW requires a challenge-response protocol managed by a cloud server:<ref name="eti-overview">{{Cite web |url=https://etools.org/wp-content/uploads/2024/09/AutoAuth-High-Level-Overview-Ver10.pdf |title=AutoAuth High Level Overview |publisher=Equipment and Tool Institute |date=2024-09-01 |access-date=2026-04-04}}</ref> | ||
# The technician connects an approved aftermarket scan tool to the OBD-II port. The tool detects the SGW & prompts for authentication. | # The technician connects an approved aftermarket scan tool to the OBD-II port. The tool detects the SGW & prompts for authentication. | ||
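Review bot: the same day-of-month issue applies to the eti-overview reference here (`2024-09` to `2024-09-01`): the PDF's URL path supports only September 2024, so `date=September 2024` is the form that stays faithful to what is known rather than inventing the first of the month. Separately, on the unchanged lead sentence, "Bypassing the SGW" describes circumvention, while the numbered steps that follow describe authorised unlocking through AutoAuth; "Unlocking the SGW" or "Authenticating through the SGW" would say what the section actually documents.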
| Line 115: | Line 115: | ||
==== [[DMCA Section 1201]] exemptions ==== | ==== [[DMCA Section 1201]] exemptions ==== | ||
The US Copyright Office first granted a vehicle repair exemption to [[Digital Millennium Copyright Act|DMCA]] Section 1201 in October 2015.<ref name="dmca-2024">{{Cite web |url=https://www.federalregister.gov/documents/2024/10/28/2024-24563/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control |title=Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies |publisher=Federal Register |date=2024-10-28 |access-date=2026-04-04}}</ref> The 9th Triennial Proceeding in October 2024 broadened the exemption to explicitly grant vehicle owners & their designees the right to access, store, & share "operational data, including diagnostic and telematics data."<ref name="dmca-2024" /><ref name="autocare-dmca">{{Cite web |url=https://www.autocare.org/detail-pages/blog/aina/2024/11/01/new-exemption-to-digital-millennium-copyright-act-broadens-protection-for-vehicle-data-access |title=New Exemption to DMCA Broadens Protection for Vehicle Data Access |publisher=Auto Care Association |date=2024-11-01 |access-date=2026-04-04}}</ref> The FTC & DOJ filed a joint comment in March 2024 supporting the expansion.<ref name="ftc-dmca">{{Cite web |url=https://www.ftc.gov/news-events/news/press-releases/2024/03/ftc-doj-file-comment-us-copyright-office-supporting-renewal-expansion-exemptions-facilitating |title=FTC and DOJ File Comment Supporting Renewal and Expansion of | The US Copyright Office first granted a vehicle repair exemption to [[Digital Millennium Copyright Act|DMCA]] Section 1201 in October 2015.<ref name="dmca-2024">{{Cite web |url=https://www.federalregister.gov/documents/2024/10/28/2024-24563/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control |title=Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies |publisher=Federal Register |date=2024-10-28 |access-date=2026-04-04}}</ref> The 9th Triennial 
Proceeding in October 2024 broadened the exemption to explicitly grant vehicle owners & their designees the right to access, store, & share "operational data, including diagnostic and telematics data."<ref name="dmca-2024" /><ref name="autocare-dmca">{{Cite web |url=https://www.autocare.org/detail-pages/blog/aina/2024/11/01/new-exemption-to-digital-millennium-copyright-act-broadens-protection-for-vehicle-data-access |title=New Exemption to DMCA Broadens Protection for Vehicle Data Access |publisher=Auto Care Association |date=2024-11-01 |access-date=2026-04-04}}</ref> The FTC & DOJ filed a joint comment in March 2024 supporting the expansion.<ref name="ftc-dmca">{{Cite web |url=https://www.ftc.gov/news-events/news/press-releases/2024/03/ftc-doj-file-comment-us-copyright-office-supporting-renewal-expansion-exemptions-facilitating |title=FTC and DOJ File Comment with the U.S. Copyright Office Supporting Renewal and Expansion of Exemptions Facilitating Consumers’ and Businesses’ Right to Repair Their Own Products|publisher=Federal Trade Commission |date=2024-03-14 |access-date=2026-04-04}}</ref> | ||
=== State === | === State === | ||
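Review bot: the completed title on the ftc-dmca reference runs straight into `|publisher=` with no space before the pipe, unlike every other citation parameter on the page, and uses curly apostrophes in "Consumers’ and Businesses’" where the rest of the page uses straight quotes; `...Their Own Products |publisher=Federal Trade Commission` with straight apostrophes keeps the page consistent. Restoring the full title is otherwise the right fix, since the left column's `title=` is cut off mid-phrase at "Expansion of".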
| Line 137: | Line 137: | ||
EU Regulation 2018/858 mandates non-discriminatory access to OBD & repair/maintenance information (RMI) for independent operators as a condition of vehicle type-approval.<ref name="eu-reg">{{Cite web |url=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02018R0858-20240701 |title=Regulation (EU) 2018/858 - Consolidated |publisher=EUR-Lex |date=2018-05-30 |access-date=2026-04-04}}</ref> | EU Regulation 2018/858 mandates non-discriminatory access to OBD & repair/maintenance information (RMI) for independent operators as a condition of vehicle type-approval.<ref name="eu-reg">{{Cite web |url=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02018R0858-20240701 |title=Regulation (EU) 2018/858 - Consolidated |publisher=EUR-Lex |date=2018-05-30 |access-date=2026-04-04}}</ref> | ||
In October 2023, the European Court of Justice ruled in Case C-296/22 (Carglass/ATU v. Stellantis Italy) that manufacturers can't require personal registration, internet connection to manufacturer servers, or paid subscriptions for OBD access beyond what Regulation 2018/858 permits.<ref name="ecj-ruling">{{Cite web |url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62022CJ0296 |title=Case C-296/22 - CJEU Judgment |publisher=EUR-Lex |date=2023-10 |access-date=2026-04-04}}</ref> The court held that both read & write access to the OBD data stream must be granted to independent repairers & rejected the argument that UN Regulation 155 (vehicle cybersecurity) overrides EU access requirements.<ref name="ecj-analysis">{{Cite web |url=https://www.osborneclarke.com/news/ecj-decision-vehicle-manufacturers-may-not-restrict-access-vehicle-data-stream |title=ECJ decision: vehicle manufacturers may not restrict access to the vehicle data stream |publisher=Osborne Clarke |date=2023 |access-date=2026-04-04}}</ref> The court stated that if manufacturers could "limit at their discretion access to the direct vehicle data stream...it would be open to them to make access to that stream subject to conditions capable of making access impossible in practice."<ref name="ecj-analysis" /> | In October 2023, the European Court of Justice ruled in Case C-296/22 (Carglass/ATU v. 
Stellantis Italy) that manufacturers can't require personal registration, internet connection to manufacturer servers, or paid subscriptions for OBD access beyond what Regulation 2018/858 permits.<ref name="ecj-ruling">{{Cite web |url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62022CJ0296 |title=Case C-296/22 - CJEU Judgment |publisher=EUR-Lex |date=2023-10-05 |access-date=2026-04-04}}</ref> The court held that both read & write access to the OBD data stream must be granted to independent repairers & rejected the argument that UN Regulation 155 (vehicle cybersecurity) overrides EU access requirements.<ref name="ecj-analysis">{{Cite web |url=https://www.osborneclarke.com/news/ecj-decision-vehicle-manufacturers-may-not-restrict-access-vehicle-data-stream |title=ECJ decision: vehicle manufacturers may not restrict access to the vehicle data stream |publisher=Osborne Clarke |date=2023 |access-date=2026-04-04}}</ref> The court stated that if manufacturers could "limit at their discretion access to the direct vehicle data stream...it would be open to them to make access to that stream subject to conditions capable of making access impossible in practice."<ref name="ecj-analysis" /> | ||
The ECJ's holding that manufacturers can't require internet connections, personal registration, or paid subscriptions for OBD access covers the same conditions that AutoAuth imposes in North America.<ref name="ecj-analysis" /> | The ECJ's holding that manufacturers can't require internet connections, personal registration, or paid subscriptions for OBD access covers the same conditions that AutoAuth imposes in North America.<ref name="ecj-analysis" /> | ||
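Review bot: the ecj-ruling `date=` change (`2023-10` to `2023-10-05`) is the third day-of-month addition in this revision, and neither edit summary shown ("fix categories", "No edit summary") says where the day came from; a judgment date is checkable against the EUR-Lex record the URL already points to, so either note that check in the summary or use `date=October 2023` as for the other two references. Also, on the unchanged final sentence, the claim that the ECJ holding "covers the same conditions that AutoAuth imposes in North America" is cited only to the Osborne Clarke analysis, whose title concerns the ruling alone; the comparison needs a source that actually draws it, or should be worded as the article's own observation rather than attributed to that reference.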