Wednesday, June 9, 2010

I just want to fix my car.

I'll close out my series of car rants with this one, on our ability to repair our cars.  This is not a new battle, but the front has moved into new territory.  The “Experimental Security Analysis of a Modern Automobile” paper touched on the subject briefly, pointing out that some of the “vulnerabilities” they reported could be addressed by locking down diagnostic and repair procedures.  They also stated that:

“...individuals desire and should be able to do certain things to tune their own car (but not others).”

Starts off good, then takes a dive.  So, who gets to decide what you can to to your car?  That is academic arrogance and lack of perspective there folks.  Yes, if I want to use my car on public roads, I have obligations to my fellow drivers and to the law.  If I am on a racetrack, the obligations are to my fellow drivers and the rules of the sanctioning body.  In the fields of my farm, the regulators, manufacturers, and pointy-headed academics can [insert your own creative answer here] themselves.

And on the commercial side:

“Similarly, how could mechanics service and replace components in a locked-down automotive environment? Would they receive special capabilities? If so, which mechanics and why should they be trusted?”

Once again, a little historical perspective…

Manufacturers have built vehicles requiring special tools for many years, and have tried to limit access to these tools to limit independent shops’ and do-it-yourself mechanics’ ability to maintain and repair vehicles.  Manufacturers have tried to restrict access by only allowing sales of some tools to authorized dealers, and when they can’t get away with that, they resort to making tools available at excessively high prices.  Special fasteners are the most obvious example, but there are few parts of an automobile which haven’t seen bizarre adaptations which require either serious creativity, or special tools, to access or repair.

Tools like these are easy to reverse engineer and duplicate.

With these physical components, we do have the ability to look at them and improvise- and tool manufacturers can make their own versions of the tools like the ones shown above.  Unless they run into patent issues, of course.

Going beyond repairs, tuning used to be a lot more obvious, too.  Changing some settings, swapping a few parts, these were commonplace tuning techniques.  Even the term “tune up” tells us something- we had to tune cars regularly, adjusting carburetors and points were regular service procedures.  One very common performance swap was replacing the carburetor, this was not done simply for performance, but for the ability to fine tune the aftermarket carburetors in a way we couldn’t tune factory systems.  For example, use of the ubiquitous Holley carbs meant that with some skill and patience, and a couple of boxes of jets we could precisely refine the fuel mixture fed to the engine.

Holley carburetor jet assortment.

We are now in a situation where a many routine repairs require interaction with the computer systems of the automobile.  Even tasks like changing fluids or servicing brake pads can require use of the computer systems.  Depending on make and model you may need one of these ~$18,000 (USD) systems to perform simple repairs:

Automotive diagnostic and repair computer

(Note: that’s a real system used by some European manufacturers, they really are about $18k, and are just a feeble Windows 2000 laptop in a user-unfriendly form factor).

Repair information is, and has been, a bigger problem.  Mechanical systems can be torn down, inspected, and independent publishers could (and still can) create repair manuals.  The diagnostics, and the underlying operation information, was always where we fought for information; the move to computerized systems has made this information both harder to find and more desperately needed.

We can’t just look at the problem and improvise, that’s why we need the manufacturers to cooperate in making information available, or at very least we can’t allow them to block access to information.  This is not easy, there are standards, but there are also proprietary implementations- so we are back in the awkward Intellectual Property/software patents/reverse-engineering-breaks-DMCA world that is familiar to those of us in the information security.

And it is more complicated than that- if you reverse-engineer proprietary software on your computer and alter its functionality, what are the consequences for society at large?  Altering automotive systems can have a profound impact on fuel economy, emissions, braking and other safety systems- that can have a real impact on society.  Or, at least have an impact on the car in front of you if you’ve screwed up your brakes.  Again, a little perspective: we’ve always been able to screw up our cars, we are just exposing new ways to do it. 

Let’s not ignore government’s role in this situation.  Much of the push to computerization of powertrain management systems was a reaction to ever-tightening emissions and fuel economy mandates.  It doesn’t stop with the design of the car, either; most automobiles have to undergo inspections, many modifications to the fuel and emissions systems are likely to cause your vehicle to fail.

I do think the paper has highlighted a couple of real issues, and implementing some basic safeguards such as limiting the conditions under which certain commands can be executed, and limiting which systems can issue certain types of commands should improve the security of automotive computer systems without compromising our ability to repair our vehicles.

If you are interested in this issue, check out Right to RepairH.R. 2057 (PDF) the proposed “Right to Repair” bill looks like a good starting point, it is proclaimed as

“A bill to protect the rights of consumers to diagnose, service, maintain, and repair their motor vehicles, and for other purposes.”

And we could all use a little protection.  Of course, we often want protection from the government, so protections mandated by the government will require a bit of scrutiny.