Can an independent mechanic be a cybersecurity risk?

A bipartisan group of four House members has introduced legislation that would allow vehicle owners to use independent mechanics to repair their cars, including software and network-connected systems, without voiding their warranties or facing other penalties.

The Right to Equitable and Professional Auto Industry Repair, or REPAIR, Act, introduced Feb. 9, has reopened a debate in the cybersecurity and automotive industries because of concerns from some critics that third-party auto repair shops could introduce cybersecurity vulnerabilities. An earlier version of the bill failed to advance in the last session of Congress.

Other cybersecurity professionals are skeptical that a right-to-repair law would create cybersecurity problems. When a single, expensive provider is the only option, many car owners choose to ignore some problems, said Chris Clymer, chief information security officer of Inversion6, a provider of cybersecurity services.

“Many consumers already neglect to update the operating system and other software in their vehicles because most manufacturers require a costly trip to the dealer to make such updates,” Clymer told the Washington Examiner. “As the software becomes more integral to the vehicle’s operation, this is going to become more and more of a problem.”

The REPAIR Act would require vehicle manufacturers to provide in-vehicle data related to diagnostics and repair to the vehicle owner. Under the bill, a manufacturer, outside of a recall, would not be able to mandate or recommend the use of a particular manufacturer of parts, tools, or equipment.

The REPAIR Act is sponsored by Rep. Neal Dunn (R-FL). Its co-sponsors so far are Reps. Brendan Boyle (D-PA), Warren Davidson (R-OH), and Marie Gluesenkamp Perez (D-WA). Perez, first elected to the House in 2022, and her husband own an automobile repair shop in Portland, Oregon.

Some cybersecurity experts suggested that the cybersecurity risk may depend on the third-party repair shop that a car owner uses, since some mechanics may take more care than others when working on vehicle software, navigation, and other electronic systems.

“The internet of things, including in vehicles, is an incredibly diverse, unregulated, and poorly secured digital space,” said Kyle MacDonald, director of operations at Force by Mojio, a GPS-based fleet tracking service.

“There are so many different protocols and formats in this space that it can be hard to identify good common security practices or protect against exploits. In this environment, taking your car to a third-party shop is definitely a security risk,” MacDonald told the Washington Examiner.

The right-to-repair movement has grown in recent years after some vehicle manufacturers have claimed that only they have the ability to fix problems. One major example involved farm equipment manufacturer John Deere, which in 2016 changed its end-user license to require that any repairs of embedded software in tractors be done by authorized technicians. John Deere finally relented to farmer criticisms earlier this year when it signed a memorandum of understanding saying it would provide diagnostic tools and software to repair shops outside its authorized list.

The right-to-repair debate raises complex questions about software copyrights and subscription-based business models for digital features in vehicles, noted Mike Pedrick, vice president of cybersecurity consulting at Nuspire, a cybersecurity provider. One of the questions is, who really owns the software in a vehicle?

“As vehicles become more and more connected to the world’s networks and more pressure is applied by various governments with regard to safety standards, it isn’t hard to see why manufacturers might view the fight against the right-to-repair movement as a risk mitigation measure,” Pedrick said. “At one end of the spectrum is competitive advantage; at the other end, the inevitable uphill court battle when an owner’s tweaks to their automobile or subpar repairs performed by an unaffiliated shop lead to a costly accident, or worse.”

Pedrick suggested vehicle manufacturers could broaden the field for repair and maintenance work instead of locking out “scores” of small and medium-sized repair shops.

“Perhaps it’s time to arm such folks with the tools and knowledge they need to perform such work safely, securely, and with the support of the manufacturers rather than playing with their cards clutched so close to the vest,” he added. “Not unlike the cybersecurity industry — we accomplish more if we work together against the common adversaries.”
