“Access will not be given to alter features/functions in Audi vehicles. This decision comes from Germany.”
These two sentences, taken from an email to a longtime Audi customer, makes the stakes painfully clear. A policy decision drafted in Europe for European roads now dictates how safe you can be at an American stoplight.
Beginning with the 2024 model year, every new Audi sold in the U.S. auto-unlocks all four doors the moment you shift your car into park. Owners cannot turn this off.
The immediate cause is something called “Secure Feature Disablement 2,” a software gate that Audi created to satisfy Europe’s newer vehicle cybersecurity and software-update rules.
In prior years, a dealer technician could flip the unlocking convenience setting in minutes. Today, however, service departments acknowledge that they understand the setting but cannot implement changes without a manufacturer authorization process. Owners also report that they cannot switch off the auto-unlock behavior, as reflected in this Reddit discussion among Audi drivers.
These European rules treat every software tweak — to door locks, emissions, or headlights, for example — as a potential cyber-intrusion. Changing anything can require a one-time token from the manufacturer. That design may satisfy regulators overseas, but it handcuffs American mechanics and limits driver choice at the very moment many cities are confronting more brazen car crime.
Across major U.S. cities between 2019 and 2023 there was a 105 percent rise in motor vehicle thefts and a sharp increase in carjackings, according to the Council on Criminal Justice. An auto-unlocked vehicle gives criminals the seconds they need, especially in high-risk neighborhoods where drivers are most vulnerable.
This is not how good cybersecurity should work. I have spent more than 30 years in technology and cybersecurity and have seen rules backfire when they ignore street-level reality.
The current system treats a harmless change that keeps a thief out of your car the same as a malicious attempt to defeat an emissions test. Audi’s global process bundles door-lock behavior, emissions calibrations, and recall software under the same cybersecurity seal. A tweak that improves personal safety is classified alongside potential regulatory evasion. Compliance wins, personal security loses, and American owners are stuck with a risk they did not choose.
There is a practical way forward. First, automakers should restore local control over safety-adjacent convenience features. Audi can issue an over-the-air update that lets American owners keep doors locked while in park, and it can decouple that option from emissions and recall workflows so a safety preference does not require the same tokenized path as a regulated system change.
Second, regulators at the Department of Transportation and the National Highway Traffic Safety Administration should open a public docket on foreign-mandated software behaviors that reduce vehicle security, take public comment, and require an opt-out path for American owners when a setting has clear personal-safety implications and no effect on emissions compliance.
Third, dealers and technicians should disclose in writing whenever a once-adjustable feature has been frozen by these European cybersecurity rules. Transparency today prevents danger tomorrow. Finally, consumers should ask one question before buying, “Can I keep my doors locked when I put the car in park?” If the salesperson hesitates, walk away. Market pressure moves faster than bureaucracy.
Cybersecurity matters. Malicious attacks on the vehicle network known as the controller area network are real, and modern vehicles need strong defenses. But blocking drivers from choosing the safest door-lock behavior for their streets is not security — it is negligence hidden behind encryption.
If a foreign regulator can veto an American customer’s safety request, then U.S. regulators should be willing to veto European cars until there is a reasonable opt-out. Until Washington reasserts that authority, or Audi issues a patch that restores owner choice, Americans should favor brands that put safety and freedom ahead of international red tape.
Javier Ortiz is a partner at Falcon Cyber Investments with more than 30 years of experience in technology, cybersecurity, and law enforcement.
