Secure gateway module

The Clean Air Act amendments of 1990 mandated that vehicle manufacturers provide "any and all information needed" for emissions diagnostics to any person engaged in vehicle repair, codified at 42 U.S.C. 7521(m).^[7] The Environmental Protection Agency required standardized OBD-II connectors & diagnostic protocols in all vehicles sold in the United States starting with model year 1996.^[8] For two decades, any technician with a scan tool could plug into the OBD-II port & read fault codes, clear diagnostic trouble codes, & perform bidirectional controls without manufacturer permission.

Massachusetts passed the first automotive right to repair law in 2012, requiring manufacturers to sell independent shops the same diagnostic tools & repair information available to dealerships.^[9] That law prompted a national Memorandum of Understanding in 2014 between automakers & the independent repair industry, extending similar access provisions across all 50 states.^[10] A revised MOU was signed in July 2023 between ASA, SCRS, & the Alliance for Automotive Innovation.^[10] The MOU covered the physical OBD-II port but didn't address wireless telematics data, a gap that manufacturers would later exploit.

In July 2015, security researchers Charlie Miller & Chris Valasek remotely hijacked a Jeep Cherokee through its Uconnect cellular connection, demonstrating the ability to control steering, brakes, & transmission from a laptop miles away.^[11] FCA recalled 1.4 million vehicles in response.^[12] Manufacturers cite this incident as the justification for SGW.^[13] However, Miller & Valasek exploited the vehicle's cellular telematics connection, not the physical OBD-II port.^[11] The SGW gates the physical port that a technician plugs a scan tool into while standing next to the vehicle. The FTC noted in its "Nixing the Fix" report that manufacturers' cybersecurity justifications for repair restrictions lack empirical support.^[5]

The SGW divides a vehicle's Controller Area Network (CAN) bus into "public" & "private" sectors.^[1] The public sector includes the telematics unit & the Data Link Connector (DLC, the physical OBD-II port). Everything on the internal CAN bus is private: engine control modules, transmission controllers, body control modules, & ADAS processors. The SGW sits between these two networks & decides which commands pass through based on an approved, authenticated list.^[14]

Without authentication, technicians can still read basic emissions data & some diagnostic trouble codes. They can't clear those codes, perform bidirectional controls (manually triggering a fuel pump, cycling an ABS motor, or operating a window actuator), execute module programming or service resets, or conduct ADAS calibrations.^[4][1]

Bypassing the SGW requires a challenge-response protocol managed by a cloud server:^[15]

1. The technician connects an approved aftermarket scan tool to the OBD-II port. The tool detects the SGW & prompts for authentication.
2. The scan tool must have an active Wi-Fi or cellular internet connection at the moment of authentication.
3. The tool sends credentials to AutoAuth, which acts as the "SGW Authentication Bridge Server."
4. AutoAuth retrieves cryptographic information from the manufacturer's public key infrastructure (PKI) to validate the user's identity & the tool's authorization.
5. An unlock token is sent to the vehicle, opening the gateway for the duration of the diagnostic session.

For older FCA vehicles (2018-2021 Chrysler models), a physical workaround exists: technicians can use a "12+8 bypass cable" to unplug the SGW module under the dashboard & connect the scan tool directly to the CAN bus, though this requires invasive dashboard disassembly.^[14]

FCA/Stellantis was the first to deploy SGW at scale, starting on select 2017 models & expanding to nearly all 2018+ vehicles across Chrysler, Dodge, Jeep, Ram, Fiat, Maserati, & Alfa Romeo.^[1] Nissan & Mercedes-Benz subsequently adopted similar gateway restrictions routing independent access through AutoAuth.^[2]

Volkswagen & Audi use a different system called SFD (Schutz Fahrzeug Diagnose), which relies on time-limited tokens that temporarily unlock specific modules.^[2] Bosch unlocked secure gateway access for Hyundai/Kia/Genesis vehicles in June 2024, allowing its ADS-series scan tools to authenticate directly.^[16]

AutoAuth is a third-party authentication service that serves as the primary gateway for independent aftermarket access to SGW-equipped vehicles in North America.^[15][17]

AutoAuth charges an annual shop registration fee that was raised by $10 in June 2025.^[3] On top of the base fee, each vehicle manufacturer requires a separate annual subscription, also increased by $10 per year in the same pricing change.^[3] The per-manufacturer fee structure means costs compound with each new OEM that adopts SGW: a shop servicing three SGW-equipped brands pays three separate annual fees plus the base registration.^[15]

These fees don't include the scan tool itself. Aftermarket scan tool manufacturers (Snap-on, Autel, Bosch, Launch Tech, & others) require active software subscriptions for their tools to communicate with AutoAuth.^[15] The scan tool subscription is a prerequisite; without it, the tool can't initiate the AutoAuth handshake regardless of whether the shop has paid AutoAuth's fees.

Dealerships don't pay these fees; their factory diagnostic tools authenticate directly through the manufacturer's own systems.^[6]

SGW's impact extends beyond cost into vehicle safety. Advanced Driver Assistance Systems rely on networks of sensors: forward-facing windshield cameras for lane departure warning, lane keep assist, & automatic emergency braking; radar sensors for adaptive cruise control & blind spot monitoring; and in some vehicles, LiDAR, 360-degree cameras, & night vision systems.^[18]

The forward-facing camera on most ADAS-equipped vehicles is mounted to the windshield. When the windshield is replaced, the camera bracket is disturbed. Even a fraction-of-a-degree misalignment degrades system performance; a miscalibrated camera can cause automatic emergency braking to fire late or not at all.^[4] The Auto Glass Safety Council & vehicle manufacturers require recalibration after every windshield replacement to restore original safety performance, & insurers require documentation that the recalibration was completed.^[4]

The SGW classifies ADAS recalibration as a "bidirectional control" or "special function."^[4] A glass technician who has replaced the windshield can't command the vehicle's ECU to accept the new camera parameters without an active internet connection, an updated scan tool, & an active AutoAuth subscription. The vehicle leaves the shop with ADAS in an uncalibrated state, or the glass company subcontracts the recalibration to a dealer or specialty shop, adding cost & delay.

Auto-glass replacement is one of the most common mobile repair services. Technicians drive to the customer's location (home, workplace, roadside) & replace the windshield on-site. AutoAuth's cloud-based PKI authentication requires an internet connection at the exact moment of vehicle authentication.^[15]

Mobile technicians working in rural areas, parking garages, or anywhere with poor cellular coverage can't complete the ADAS recalibration. The windshield is physically installed, but the safety system is disabled because the scan tool can't reach AutoAuth's server. No offline authentication mode exists.^[2] The technician must either leave the vehicle with uncalibrated ADAS (a liability risk), have the customer drive to a location with internet service (shifting the burden to the consumer), or return later at additional cost.

Rural trucks, farm vehicles, & fleet vehicles on highways are the most likely to need windshield replacements from road debris, and the most likely to be in areas where the authentication server can't be reached.

ADAS calibration requires manufacturer-specific physical target boards: large panels with geometric patterns & reflectors that the camera system uses as reference points during the calibration procedure. There's no universal standard across manufacturers. A shop that calibrates cameras for Toyota, Honda, Stellantis, Ford, & Hyundai needs separate sets of targets for each, plus alignment frames & fixtures.^[18]

The GAO found that evolving vehicle technologies create repair information barriers for independent shops, reducing consumer choice & increasing costs.^[6]

If a technician replaces a windshield but can't bypass the SGW to recalibrate the ADAS, the vehicle may misinterpret road data. Documented consequences include false lane departure warnings, failure to detect pedestrians, & inappropriate deployment of automatic emergency braking.^[18] Handing an uncalibrated vehicle back to a consumer exposes the independent shop to legal liability in the event of an accident. The H.R. 6688 (ADAS Functionality & Integrity Act), approved by a House subcommittee in February 2026, would give NHTSA authority to develop ADAS calibration guidelines & require manufacturers to publish calibration procedures & validation metrics.^[18]

The total cost of SGW compliance for an independent repair shop compounds across multiple subscription layers:^[15]

• AutoAuth base subscription: Annual shop registration fee, increased in June 2025.^[3]
• Per-manufacturer fees: Each OEM brand requires a separate annual subscription on top of the base fee, also increased in the June 2025 pricing change.^[3] A shop servicing Stellantis, Nissan, & Mercedes-Benz pays three separate per-brand fees.
• VW/Audi SFD tokens: Purchased separately per session or in bundles, outside the AutoAuth system.^[2]
• Scan tool software subscription: The aftermarket scan tool itself requires an active annual software subscription from its manufacturer (Snap-on, Autel, Bosch, etc.) to communicate with AutoAuth.^[15]

These are all recurring annual costs. A shop that doesn't pay any one of them loses the ability to clear a check engine light on a 2022 Jeep Grand Cherokee. Dealerships pay none of these fees; their factory tools authenticate through the manufacturer's own systems at no per-session charge.

The GAO confirmed the cost disparity in March 2024, finding that independent shops face repair information limitations that leave consumers with fewer choices, higher costs, & longer wait times.^[6]

The Right to Equitable and Professional Auto Industry Repair (REPAIR) Act was reintroduced in February 2025 as H.R. 1566 (House) & S. 1379 (Senate).^[19][20] House sponsors include Rep. Neal Dunn (R-FL), Rep. Marie Gluesenkamp Perez (D-WA), Rep. Brendan Boyle (D-PA), & Rep. Warren Davidson (R-OH).^[21]

The bill directly addresses SGW by requiring vehicle owners & independent shops to have direct, real-time, in-vehicle access to vehicle-generated data, diagnostics, & telematics. It prohibits manufacturers from mandating specific tool brands & requires NHTSA to develop standards for cyber-secure standardized data access.^[22]

H.R. 6688 was approved by the House Subcommittee on Commerce, Manufacturing, & Trade in February 2026.^[18] The bill gives NHTSA authority to develop ADAS calibration guidelines, requires manufacturers to publish calibration procedures & validation metrics, & addresses the target board standardization gap that inflates costs for independent shops.

42 U.S.C. 7521(m) mandates that manufacturers provide "any and all information needed" for emissions diagnostics to any person engaged in vehicle repair & requires standardized OBD-II connectors.^[7] SGW doesn't block the read-only emissions data required under this statute, but it blocks the bidirectional controls needed to complete emissions-related repairs (clearing DTCs, performing system relearns after component replacement).

The US Copyright Office first granted a vehicle repair exemption to DMCA Section 1201 in October 2015.^[23] The 9th Triennial Proceeding in October 2024 broadened the exemption to explicitly grant vehicle owners & their designees the right to access, store, & share "operational data, including diagnostic and telematics data."^[23][24] The FTC & DOJ filed a joint comment in March 2024 supporting the expansion.^[25]

Massachusetts passed the first automotive right-to-repair law in 2012 (Mass. Gen. Laws ch. 93K), which required manufacturers to provide independent shops access to the same diagnostic tools & repair information available to dealerships.^[9] The original law didn't cover wireless telematics data.^[9]

In November 2020, Massachusetts voters passed Question 1 with 75% approval, expanding the law to require an interoperable, standardized, open-access telematics platform for model year 2022+ vehicles.^[26] The Alliance for Automotive Innovation sued immediately (see Alliance v. Healey below). Rather than build open-access platforms, Subaru & Kia disabled telematics systems entirely on 2022+ vehicles sold in Massachusetts.^[26]

Attorney General Andrea Joy Campbell began enforcement in mid-2023 while litigation continued. The federal district court dismissed the Alliance's remaining claims on February 11, 2025. The Alliance appealed to the First Circuit on March 14, 2025.^[26]

Maine voters passed Question 4, the Automotive Right to Repair Act (originating as LD 1677), by referendum in November 2023 with 84% approval.^[27] The law took effect January 5, 2025, mandating standardized access to on-board diagnostic systems & telematics across all makes & models.^[28] The Alliance for Automotive Innovation filed suit against Maine in January 2025 using arguments similar to the Massachusetts case.^[26]

EU Regulation 2018/858 mandates non-discriminatory access to OBD & repair/maintenance information (RMI) for independent operators as a condition of vehicle type-approval.^[29] The Motor Vehicle Block Exemption Regulation (MVBER) was extended to 2028, maintaining these access requirements.^[30]

In October 2023, the European Court of Justice ruled in Case C-296/22 (Carglass/ATU v. Stellantis Italy) that manufacturers can't require personal registration, internet connection to manufacturer servers, or paid subscriptions for OBD access beyond what Regulation 2018/858 permits.^[31] The court held that both read & write access to the OBD data stream must be granted to independent repairers & rejected the argument that UN Regulation 155 (vehicle cybersecurity) overrides EU access requirements.^[30] The court stated that if manufacturers could "limit at their discretion access to the direct vehicle data stream...it would be open to them to make access to that stream subject to conditions capable of making access impossible in practice."^[30]

The ECJ's holding that manufacturers can't require internet connections, personal registration, or paid subscriptions for OBD access covers the same conditions that AutoAuth imposes in North America.^[30]

Other jurisdictions have enacted similar access requirements. The UK implemented the Motor Vehicle Block Exemption Order (MVBEO) in 2023, & Australia launched the Motor Vehicle Information Scheme (MVIS) in 2022, both mandating that manufacturers provide repair data to independent shops.

The Alliance for Automotive Innovation, the trade group representing most major automakers, filed suit in the U.S. District Court for the District of Massachusetts (1:20-cv-12090) in November 2020, challenging the Question 1 telematics expansion.^[26] The Alliance argued federal preemption under the Motor Vehicle Safety Act & the Clean Air Act, unconstitutional takings of intellectual property, & cybersecurity risks from open data platforms.

Judge Denise Casper (who took over from Judge Douglas Woodlock) dismissed the Alliance's remaining claims on February 11, 2025.^[26] NHTSA had initially expressed concern that the law's wireless data access requirements could create cybersecurity vulnerabilities.^[9]

On March 14, 2025, the Alliance appealed to the First Circuit.^[26]

The Alliance filed a similar challenge against Maine's automotive right-to-repair law in January 2025, using the same preemption & cybersecurity arguments raised in the Massachusetts case.^[26]

Referred to the European Court of Justice by the Cologne Regional Court (Germany), this case asked whether EU Regulation 2018/858 prohibits manufacturers from imposing conditions on OBD access that go beyond what the regulation permits.^[31] The ECJ ruled in October 2023 that manufacturers can't require internet connections to manufacturer servers, personal registration, or paid subscriptions as conditions for independent repairer access to the OBD data stream.^[30] The court rejected the argument that UN Regulation 155 (vehicle cybersecurity) provides a basis for overriding the access requirements, holding that manufacturers must implement "security by design" without restricting third-party access.^[30]

The Alliance for Automotive Innovation argues that SGW is necessary to protect vehicles from cyberattacks, citing the 2015 Jeep Cherokee hack as proof that open diagnostic access creates safety risks.^[13] The Alliance has sued to block both the Massachusetts & Maine right-to-repair laws, arguing that requiring open telematics platforms would expose vehicles to remote exploitation.

The Auto Care Association & CAR Coalition argue that SGW & telematics monopolies are anti-competitive tools designed to steer lucrative repair work to franchised dealerships, not genuine cybersecurity measures.^[22] SEMA has called the 2023 national MOU between automakers & independent repairers insufficient, arguing it "distracts from the need to pass the REPAIR Act."^[32]

An alternative approach exists: the Secure Vehicle Interface (SVI) initiative proposes a standardized, secure diagnostic access protocol that would replace manufacturer-specific authentication with a universal standard, maintaining cybersecurity without requiring per-OEM subscriptions.^[33]

In its May 2021 "Nixing the Fix" report, the FTC found "scant evidence to support manufacturers' justifications for repair restrictions," dismissing claims that diagnostic lockouts are necessary for safety or cybersecurity.^[5] Restricting access to proprietary diagnostic software & steering consumers to manufacturer networks may violate the anti-tying provisions of the Magnuson-Moss Warranty Act (15 U.S.C. ch. 50, Sections 2301-2312), the report noted.^[34]

In July 2021, the FTC adopted a policy statement targeting repair restrictions as potential violations of Section 5 of the FTC Act.^[35] The GAO's March 2024 report confirmed that evolving vehicle technologies are restricting consumer choice & increasing repair costs for independent shops.^[6]

John Deere restricted access to its proprietary diagnostic software to franchised dealers, preventing farmers from repairing their own tractors. John Deere signed a Memorandum of Understanding with the American Farm Bureau Federation in January 2023 promising to expand diagnostic access, though right-to-repair advocates expressed skepticism about enforcement.^[36] Tesla requires its proprietary Toolbox 3 diagnostic software for repairs beyond basic OBD-II fault codes; until a price reduction, the software cost $3,000/year.^[37]

Apple uses parts pairing to lock replacement components to specific device serial numbers.^[5] BMW charged monthly subscription fees for heated seats & other features already physically installed in the vehicle, documented in the BMW feature lockout scandal.^[35]

• Right to repair
• Stellantis
• DMCA Section 1201
• Magnuson-Moss Warranty Act
• Parts pairing
• John Deere
• BMW feature lockout scandal
• Hyundai Ioniq 5 N brake pad repair restrictions
• Tesla