Taking cybersecurity seriously could be an important part of keeping the automotive aftermarket from unwanted regulation, National Automotive Service Task Force Executive Director Donny Seyfer suggested last week.
Cybersecurity matters for reasons beyond the threat of hacked self-driving vehicles running rampant through the streets. As the famous “Jeep hack” demonstrated, even less advanced vehicles can be controlled remotely. More mundane concerns like identity theft based upon the information stored within a vehicle also exist.
Right to repair agreements and Massachusetts law currently allow the automotive aftermarket to fix vehicles, obtain repair procedures and access an OBD-II port freely. But there’s a concern that cybersecurity for what are becoming increasingly advanced vehicles would be grounds for an OEM to restrict vehicle repairability.
Seyfer also recalled Sen. Gary Peters, D-Mich., a member of an auto-related cybersecurity panel, telling repairers, “‘You guys need to come up with a solution'” or the government would produce one.
Seyfer said he’s been working with the Automotive Service Association, Auto Care Association and Automotive Aftermarket Suppliers Association on the issue and is being advised by cybersecurity experts (“six of the killers,” he described them) to develop a test shops could take to prove they’re taking cybersecurity seriously.
He outlined a vision of one similar to the testing approved by the Environmental Protection Agency as proof a shop is qualified to service air conditioning systems per Section 609 of the Clean Air Act. The popular EPA-approved Mobile Air Conditioning Society exam and certification is open-book and counts forever, qualities Seyfer described in discussing the cybersecurity exam and certification.
A hacker could use an phony OBD-II port to upload sharable, executable code into a diagnostic tool and turn an automotive service or repair facility into an “auto brothel,” Open Garages and I Am the Calvary founder Craig Smith demonstrated in a 2015 DerbyCon security convention. The tool would go on to infect all other vehicles introduced to the shop.
An uninfected scan tool connected to a Wi-Fi network also offers an opportunity for a hacker to access the vehicle, according to Seyfer. He said many hackers are looking for the car’s CAN to appear on a network.
Seyfer suggests a shop have at least three Wi-Fi networks. One is for the company’s customers. (Having your customers and the rest of your shop on the same network is a recipe for disaster.) A second is for its business machines and not accessible to the public. A third closed network is devoted to scan tools, alignment machines and other technology, Seyfer said. He said that in his shop, only he knows the password to add a piece of shop equipment to the third network.
Seyfer said some older technicians even still use a device with Windows XP, which is no longer supported by Microsoft and is therefore vulnerable. (The same goes for Vista.) He said their shop has “sort of locked them in time,” for “an update’ll kill them.”
You probably don’t want to let such devices connect to the Internet at all — or at least disconnect immediately after connecting — to avoid compromising shop or vehicle cybersecurity.
Ditto anyone using an older version of Internet Explorer. Microsoft quit patching all versions prior to Internet Explorer 11 effective Jan. 12, 2016, and it will ultimately drop the software entirely for successor Microsoft Edge. (Unfortunately, some OEM software still requires outdated versions of Internet Explorer — dating as far back as IE 8, according to Seyfer.)
“‘Hackers are lazy. Just don’t be a low-hanging fruit,'” Seyfer said one of his cybersecurity experts advises.
Even OEMs and device manufacturers might need to rethink cybersecurity, which could mean shops will encounter some changes in repair procedures.
“Diagnostic features should be limited as much as possible to a specific mode of vehicle operation which accomplishes the intended purpose of the associated feature,” according to October 2016 voluntary best practices recommended by the National Highway Traffic Safety Administration. “Diagnostic operations should be designed to eliminate or minimize potentially dangerous ramifications if they are misused or abused outside of their intended purposes.”
As Seyfer described it, it was a matter of OEMs considering how much control they should allow when developing a scan tool routine. Perhaps certain things shouldn’t be controllable by the scan tool, or an operation could only be performed with the hood up.
Taking cybersecurity seriously could be an important part of keeping the automotive aftermarket from unwanted regulation, National Automotive Service Task Force Executive Director Donny Seyfer suggested last week. (Lightcome/iStock)
A hacker could use an phony OBD-II port to upload sharable, executable code into a diagnostic tool and turn an automotive service or repair facility into an “auto brothel,” an expert demonstrated at a 2015 Derbycon security convention. (Provided by Craig Smith/I Am the Calvary)