Secure gateway module: Difference between revisions

The auto-glass & collision repair industries bear a disproportionate burden because every windshield replacement on an [[Advanced driver-assistance system|ADAS]]-equipped vehicle requires camera recalibration that the SGW blocks without active internet authentication.<ref name="rdn-adas">{{Cite web |url=https://www.repairerdrivennews.com/2026/03/04/industry-responds-to-federal-bill-requiring-nhtsa-guidelines-for-adas-calibrations/ |title=Industry responds to federal bill requiring NHTSA guidelines for ADAS calibrations |author=Teresa Moss |publisher=Repairer Driven News |date=2026-03-04 |access-date=2026-04-04}}</ref> The Federal Trade Commission found "scant evidence to support manufacturers' justifications for repair restrictions" in its 2021 report to Congress, & the GAO confirmed in 2024 that independent shops face repair information limitations resulting in fewer choices & higher costs for consumers.<ref name="ftc-nixing">{{Cite web |url=https://www.ftc.gov/reports/nixing-fix-ftc-report-congress-repair-restrictions |title=Nixing the Fix: An FTC Report to Congress on Repair Restrictions |publisher=Federal Trade Commission |date=2021-05 |access-date=2026-04-04}}</ref><ref name="gao">{{Cite web |url=https://www.gao.gov/products/gao-24-106633 |title=Vehicle Repair: Information on Evolving Vehicle Technologies and Consumer Choice |publisher=Government Accountability Office |date=2024-03-21 |access-date=2026-04-04}}</ref>

In July 2015, security researchers Charlie Miller & Chris Valasek remotely hijacked a Jeep Cherokee through its Uconnect cellular connection, demonstrating the ability to control steering, brakes, & transmission from a laptop miles away.<ref name="jeep-hack">{{Cite web |url=https://fractionalciso.com/the-groundbreaking-2015-jeep-hack-changed-automotive-cybersecurity/ |title=The Groundbreaking 2015 Jeep Hack Changed Automotive Cybersecurity |publisher=Fractional CISO |access-date=2026-04-04}}</ref> FCA recalled 1.4 million vehicles in response.<ref name="jeep-recall">{{Cite web |url=https://www.computerworld.com/article/1628895/chrysler-recalls-14m-vehicles-after-jeep-hack.html |title=Chrysler recalls 1.4M vehicles after Jeep hack |publisher=Computerworld |date=2015 |access-date=2026-04-04}}</ref> Manufacturers cite this incident as the justification for SGW.<ref name="alliance-r2r" /> However, Miller & Valasek exploited the vehicle's cellular telematics connection, not the physical OBD-II port.<ref name="jeep-hack" /> The SGW gates the physical port that a technician plugs a scan tool into while standing next to the vehicle. The FTC noted in its "Nixing the Fix" report that manufacturers' cybersecurity justifications for repair restrictions lack empirical support.<ref name="ftc-nixing" />

Bypassing the SGW requires a challenge-response protocol managed by a cloud server:<ref name="eti-overview">{{Cite web |url=https://etools.org/wp-content/uploads/2024/09/AutoAuth-High-Level-Overview-Ver10.pdf |title=AutoAuth High Level Overview |publisher=Equipment and Tool Institute |date=2024-09 |access-date=2026-04-04}}</ref>

Mobile technicians working in rural areas, parking garages, or anywhere with poor cellular coverage can't complete the ADAS recalibration. The windshield is physically installed, but the safety system is disabled because the scan tool can't reach AutoAuth's server. No offline authentication mode exists.<ref name="adasdepot" /> The technician must either leave the vehicle with uncalibrated ADAS (a liability risk), have the customer drive to a location with internet service (shifting the burden to the consumer), or return later at additional cost.

ADAS calibration requires manufacturer-specific physical target boards: large panels with geometric patterns & reflectors that the camera system uses as reference points during the calibration procedure. There's no universal standard across manufacturers. A shop that calibrates cameras for Toyota, Honda, Stellantis, Ford, & Hyundai needs separate sets of targets for each, plus alignment frames & fixtures.<ref name="rdn-adas" />

If a technician replaces a windshield but can't bypass the SGW to recalibrate the ADAS, the vehicle may misinterpret road data. Documented consequences include false lane departure warnings, failure to detect pedestrians, & inappropriate deployment of automatic emergency braking.<ref name="rdn-adas" /> Handing an uncalibrated vehicle back to a consumer exposes the independent shop to legal liability in the event of an accident. The H.R. 6688 (ADAS Functionality & Integrity Act), approved by a House subcommittee in February 2026, would give NHTSA authority to develop ADAS calibration guidelines & require manufacturers to publish calibration procedures & validation metrics.<ref name="rdn-adas" />

The US Copyright Office first granted a vehicle repair exemption to [[Digital Millennium Copyright Act|DMCA]] Section 1201 in October 2015.<ref name="dmca-2024">{{Cite web |url=https://www.federalregister.gov/documents/2024/10/28/2024-24563/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control |title=Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies |publisher=Federal Register |date=2024-10-28 |access-date=2026-04-04}}</ref> The 9th Triennial Proceeding in October 2024 broadened the exemption to explicitly grant vehicle owners & their designees the right to access, store, & share "operational data, including diagnostic and telematics data."<ref name="dmca-2024" /><ref name="autocare-dmca">{{Cite web |url=https://www.autocare.org/detail-pages/blog/aina/2024/11/01/new-exemption-to-digital-millennium-copyright-act-broadens-protection-for-vehicle-data-access |title=New Exemption to DMCA Broadens Protection for Vehicle Data Access |publisher=Auto Care Association |date=2024-11-01 |access-date=2026-04-04}}</ref> The FTC & DOJ filed a joint comment in March 2024 supporting the expansion.<ref name="ftc-dmca">{{Cite web |url=https://www.ftc.gov/news-events/news/press-releases/2024/03/ftc-doj-file-comment-us-copyright-office-supporting-renewal-expansion-exemptions-facilitating |title=FTC and DOJ File Comment Supporting Renewal and Expansion of DMCA Repair Exemptions |publisher=Federal Trade Commission |date=2024-03 |access-date=2026-04-04}}</ref>

In November 2020, Massachusetts voters passed Question 1 with 75% approval, expanding the law to require an interoperable, standardized, open-access telematics platform for model year 2022+ vehicles.<ref name="collisionweek-appeal">{{Cite web |url=https://collisionweek.com/2025/03/21/alliance-automotive-innovation-appeals-federal-judges-dismissal-massachusetts-right-repair-lawsuit/ |title=Alliance for Automotive Innovation Appeals Massachusetts Right to Repair Ruling |publisher=CollisionWeek |date=2025-03-21 |access-date=2026-04-04}}</ref> The Alliance for Automotive Innovation sued immediately (see ''[[#Alliance for Automotive Innovation v. Healey|Alliance v. Healey]]'' below). Rather than build open-access platforms, Subaru & Kia disabled telematics systems entirely on 2022+ vehicles sold in Massachusetts.<ref name="collisionweek-appeal" />

EU Regulation 2018/858 mandates non-discriminatory access to OBD & repair/maintenance information (RMI) for independent operators as a condition of vehicle type-approval.<ref name="eu-reg">{{Cite web |url=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02018R0858-20240701 |title=Regulation (EU) 2018/858 - Consolidated |publisher=EUR-Lex |date=2018-05-30 |access-date=2026-04-04}}</ref> The Motor Vehicle Block Exemption Regulation (MVBER) was extended to 2028, maintaining these access requirements.<ref name="ecj-analysis" />

In October 2023, the European Court of Justice ruled in Case C-296/22 (Carglass/ATU v. Stellantis Italy) that manufacturers can't require personal registration, internet connection to manufacturer servers, or paid subscriptions for OBD access beyond what Regulation 2018/858 permits.<ref name="ecj-ruling">{{Cite web |url=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62022CJ0296 |title=Case C-296/22 - CJEU Judgment |publisher=EUR-Lex |date=2023-10 |access-date=2026-04-04}}</ref> The court held that both read & write access to the OBD data stream must be granted to independent repairers & rejected the argument that UN Regulation 155 (vehicle cybersecurity) overrides EU access requirements.<ref name="ecj-analysis">{{Cite web |url=https://www.osborneclarke.com/news/ecj-decision-vehicle-manufacturers-may-not-restrict-access-vehicle-data-stream |title=ECJ decision: vehicle manufacturers may not restrict access to the vehicle data stream |publisher=Osborne Clarke |date=2023 |access-date=2026-04-04}}</ref> The court stated that if manufacturers could "limit at their discretion access to the direct vehicle data stream...it would be open to them to make access to that stream subject to conditions capable of making access impossible in practice."<ref name="ecj-analysis" />

The Alliance for Automotive Innovation, the trade group representing most major automakers, filed suit in the U.S. District Court for the District of Massachusetts (1:20-cv-12090) in November 2020, challenging the Question 1 telematics expansion.<ref name="collisionweek-appeal" /> The Alliance argued federal preemption under the Motor Vehicle Safety Act & the Clean Air Act, unconstitutional takings of intellectual property, & cybersecurity risks from open data platforms.

Judge Denise Casper (who took over from Judge Douglas Woodlock) dismissed the Alliance's remaining claims on February 11, 2025.<ref name="collisionweek-appeal" /> NHTSA had initially expressed concern that the law's wireless data access requirements could create cybersecurity vulnerabilities.<ref name="securepairs" />

The Alliance for Automotive Innovation argues that SGW is necessary to protect vehicles from cyberattacks, citing the 2015 Jeep Cherokee hack as proof that open diagnostic access creates safety risks.<ref name="alliance-r2r">{{Cite web |url=https://www.autosinnovate.org/RightToRepair |title=Right to Repair |publisher=Alliance for Automotive Innovation |access-date=2026-04-04}}</ref> The Alliance has sued to block both the Massachusetts & Maine right-to-repair laws, arguing that requiring open telematics platforms would expose vehicles to remote exploitation.

In July 2021, the FTC adopted a policy statement targeting repair restrictions as potential violations of Section 5 of the FTC Act.<ref name="ftc-policy">{{Cite web |url=https://www.ftc.gov/news-events/news/press-releases/2021/07/ftc-ramp-law-enforcement-against-illegal-repair-restrictions |title=FTC to Ramp Up Law Enforcement Against Illegal Repair Restrictions |publisher=Federal Trade Commission |date=2021-07-21 |access-date=2026-04-04}}</ref> The GAO's March 2024 report confirmed that evolving vehicle technologies are restricting consumer choice & increasing repair costs for independent shops.<ref name="gao" />

Apple uses [[Parts pairing|parts pairing]] to lock replacement components to specific device serial numbers.<ref name="ftc-nixing" /> BMW charged monthly subscription fees for heated seats & other features already physically installed in the vehicle, documented in the [[BMW feature lockout scandal]].<ref name="ftc-policy" />

[[Category:Right to Repair]]

[[Category:Planned Obsolescence]]