Secure Repairs applauds Tuesday’s ruling by US District Court Judge Denise J. Casper to reject a lawsuit filed by the Alliance for Automotive Innovation challenging the state’s automotive right to repair law.
Judge Casper’s prompt ruling in the case, upholding the legality of a 2020 ballot measure that expanded Massachusetts auto right to repair law to give vehicle owners access to wireless data needed for vehicle repair and maintenance, respects the will of the 74% of Massachusetts voters who approved the ballot measure in November, 2020.
“This ruling has been a long time coming. We at Secure Repairs are happy to see that Judge Casper saw through empty arguments by the auto industry regarding cyber risks in vehicle repair and endorsed the will of Massachusetts voters,” said Paul Roberts, the founder of Secure Repairs.
Expert defeats industry lies about repair and cyber risk
Secure Repairs would also like to thank Craig Smith, a Secure Repairs member and expert in the cybersecurity of vehicle systems. Craig donated his time to provide expert testimony at the request of the Massachusetts Attorney General, using his deep knowledge of telematics and cyber security to defuse erroneous auto industry arguments that access to repair data via vehicle telematics systems posed a cybersecurity risk. Craig’s testimony in 2021 was critical to the court’s understanding that a system for providing owners and independent repair professionals secure access to telematics data for the purposes of repair and maintenance is achievable, and that industry arguments that it was “impossible” to build had no basis in reality.
“The ability to send commands to in-vehicle components can be given in a way that preserves security and enables independent shops and vehicle owners to make necessary repairs,” Mr. Smith testified.
“Craig’s testimony helped win the day. We here at Secure Repairs are deeply thankful to him for donating his time and cyber expertise on behalf of Massachusetts voters and defending our right to repair our stuff,” said Paul Roberts, the founder of Secure Repairs. “Bay State car owners who visit their corner repair shop, or repair their own vehicle in their driveway in the years ahead should tip their hat to Craig for his help defeating auto industry lies about cyber risk and repair that threatened to rob them of their right to decide who gets to fix their car.”
At issue in the case was whether the expanded automotive right to repair law’s call for a standardized and independent system for accessing vehicle telematics networks posed a cyber security risk, or ran afoul of federal auto safety laws.
Craig testified that automakers were fully capable of building such a system, and that providing a standardized platform for access by independent repair shops and vehicle owners would not increase cybersecurity risks. Even noted auto cyber expert Bryson Bort, who testified on behalf of the auto industry, agreed that manufacturers could build such a secure system if they devoted the needed time and resources to modify vehicle telematics architectures to comply. In fact, automakers already possess the needed ingredients for such a system. Trial evidence showed that preexisting defined diagnostic functions used by companies like GM and FCA and the preexisting UDS protocol would hasten the process of creating the vendor-neutral telematics platform called for by the law.
Auto industry cyber practices: a dumpster fire
While automakers pound their chests in the courtroom about their high standards for cybersecurity and commitment to data privacy, a string of reports by security researchers has exposed gaping holes in the cybersecurity of vehicle telematics systems in the months since the AAI filed its lawsuit in late 2020.
Those include a string of reports by the researcher Sam Curry, including the 2023 report “Web Hackers versus the Auto Industry,” and a report published in January 2025 that documented a now-patched flaw in Subaru’s STARLINK connected vehicle service that allowed him to access vehicle location information and driver data for millions of cars with nothing more than the vehicle’s license plate number, or the owner’s email address, ZIP code and phone number.
Add to that the September, 2023 report from the Mozilla Foundation that declared cars “the Worst Product Category We Have Ever Reviewed for Privacy.”
As the Alliance for Automotive Innovation looks to appeal this case, Secure Repairs hopes that future courts look at the consensus among cybersecurity experts about the ability of OEMs to comply with the law, as well as the larger background of widespread industry disregard for accepted data- and application security practices as they weigh that appeal.
Secure Repairs: Cyber pros fighting for a right to repair
Since 2019, Secure Repairs members have donated their time and energy to advocate for a legal right to repair, and to dispel industry lies that repair poses a cybersecurity risk: testifying at countless state houses, the FTC’s 2019 Nixing the Fix symposium, and before the US Congress. Our members have provided powerful testimony that dispels the notion – promoted by industry – that a right to repair our stuff poses cybersecurity risks. Secure Repairs members make it clear that manufacturers have the knowledge and wherewithal to build smart devices that are both cyber secure and support owner- and independent repair – dispensing with harmful and expensive repair monopolies or “disposable tech” favored by industry.
Secure Repairs will continue its work to inform policy makers and the public about the true nature of cyber risk in the smart, connected stuff that populates their homes, workplaces and public spaces. The source of that risk? Low quality software and a lack of incentives for software publishers to prioritize security and data privacy over cool features and time to market.
Repair is not a cyber risk.
Paul Roberts, Founder
Secure Repairs
paul (at) securepairs (dot) org
Signal: paulroberts.18