ETI says OEM cybersecurity measures could affect aftermarket repairers
Correction: An earlier version of this article incorrectly described the outcome of a lawsuit against FCA. That lawsuit is still ongoing and has not been resolved, according to the OEM. The article has since been edited to address this.
The automotive aftermarket and OEMs have worked fairly well together for a while on diagnostic support and standardization, but the OEMs’ need for vehicle cybersecurity could create problems for independent repairers, an Equipment and Tool Institute leader warned.
Then-ETI Executive Director Greg Potter (now the organization’s CTO) at the January Collision Industry Conference gave the industry a rundown of the history of on-board diagnostic standardization and potential sore spots for the aftermarket going forward.
The California Clean Air Act of 1988 launched the standard that came to be known as “OBD-I,” and many of its elements were then incorporated into the federal Clean Air Act of 1990, Potter said. The federal version actually mentions the ETI specifically as a data clearinghouse OEMs could use to be in compliance. The California Air Resources Board’s desire for information and standardized protocols and connectors led to the OBD-II standard in 1996, followed by a California bill in 2000 that clarified more items but stayed limited to emissions-related items.
Under the 2002 Dorgan Letters, OEMs committed to provide information beyond emissions information as well, Potter said. The letters said the automakers would provide everything they gave dealers to the aftermarket, he said. After that came the 2012 Massachusetts Right to Repair bill making this sort of thing law, followed by the national OEM-aftermarket memorandum of understanding enacting a similar set of policies in 2014.
ETI stayed neutral in the battle over the Massachusetts law aside from pointing to a need for the raw data from aftermarket scan tool manufacturers, a concept which made the final cut of the bill, Potter said.
Potter said scan tool information must be provided to third-party tool manufacturers a minimum of once a year, with some providing it as often as six times a year. The toolmakers often find these uploads are missing pieces of needed information, and the ETI works with OEMs in a “constant process” to fix these gaps, he said.
Amid all of this, the International Standards Organization and Society of Automobile Engineers developed common standards so third-party tools could work with the diagnostic technology on OEMs’ vehicles, Potter said.
“The long established agreements and relationships with OEM service entities have provided a good strong working relationship between the OEM’s and Aftermarket tool and equipment suppliers,” a slide from Potter’s presentation states.
“The system has worked well for many years.”
Year after year, ETI has received the data from OEMs, toolmakers have incorporated it into their scanning devices, and people have been happy with the tools, according to Potter.
Cybersecurity
However, vehicles are now being hacked by what Potter said have so far been white-hat hackers. (Perhaps most memorably with the famous “Jeep Hack” of a few years ago.) Potter said some OEMs are also getting hit with lawsuits for making vehicles which are allegedly insecure. A Department of Transportation desire to adopt OBD-II dongles across the agency’s fleet led to it concluding that none were secure enough, and the entire industry has been “reacting to that,” Potter said.
A hacker also could use a phony OBD-II port to upload sharable, executable code into a diagnostic tool and turn an automotive service or repair facility into an “auto brothel,” Open Garages and I Am The Cavalry founder Craig Smith demonstrated at a 2015 DerbyCon security convention. The tool would go on to infect all other vehicles introduced to the shop through their real OBD-II ports.
Vehicle manufacturers are being forced to make vehicles secure, Potter said, but “there’s good people out here … that need access.”
OEMs appear to be developing cybersecurity measures unilaterally, and there’s “no standardization in this case event,” Potter said. Potentially dozens of diverse security protocols could hit the market.
“The standardization effort we have embarked on for the last 25 years stands to be broken,” Potter said.
Potter’s presentation followed the ETI’s November 2018 update of an ETI resolution outlining standards for data handling, digital certificates and tool specifications. He summarized a few of the organization’s beliefs in his presentation:
◦ A vehicle’s owner has the right to control who gets access to what data
◦ A vehicle owner has the right to choose their own service provider
◦ Vehicle diagnostic data is to be obtained by the service provider directly from the vehicle
◦ Vehicle manufacturers cannot designate who can, or who cannot, service vehicles they have produced
(Minor formatting edits.)
It’s not necessarily realistic for some OEMs to attempt to restrict vehicle serviceability too tightly. Potter’s presentation reported that the National Automobile Dealers Association in 2015 said only 27 percent of the automotive service business was done at franchised dealerships, and the slide argued a lack of dealer capacity demanded aftermarket repairers exist to service the fleet.
The kinds of issues described here certainly matter for any repairer desiring to use aftermarket equipment to connect to the vehicle. Given liability concerns — only the OEM scan tool/software is likely to be bulletproof in that regard — this might not be a factor for some shops. However, one wonders if it could also complicate or add cost to third-party systems which connect to the vehicle but run OEM software. (For example, a laptop or scan tool with a J-2534 interface or technology like the asTech, which connects to a remote OEM scan tool.)
The Auto Care Association last fall unveiled the “Secure Vehicle Interface,” calling it “an internationally standardized technical design that provides for secure and standardized access to the In-Vehicle Networks (IVN) for access to operational, maintenance and driver behavioral data by the automotive aftermarket and vehicle owners.” In a September 2018 Auto Body Repair Network column, Auto Care Association regulatory and government affairs Vice President Aaron Lowe presented the interface as an alternative to every OEM doing their own thing and creating havoc for the aftermarket.
Privacy and data access
The privacy and data control issues flagged by Potter, the ETI resolution, and Lowe would seem to apply to all repairers.
OEMs — mostly in Europe — have also come up with an “Extended Vehicle Concept” in which all the data surrounding the vehicle is considered their domain, according to Potter. They will collect it on their own server and sell it back to whichever parties request it.
“Of course, the aftermarket does not like” that idea, Potter said.
“It is not just the independence of the repair industry that is currently threatened,” Lowe wrote in a March 19 column in ABRN. “The ability to control data will provide the manufacturers with a significant leg up on other entities including fleet owners, car rental companies and insurance companies, all of which could become beholden to the manufacturer for the data they need for their operations. Think about a fleet of vehicles and being forced to rely on the vehicle manufacturer to obtain the logistics and health data for the vehicles you own.
“While cybersecurity is clearly an important issue, the independent auto care industry cannot let the manufacturers argue that they now must control access to that vehicle from factory to junkyard. Instead, it is important that the issue of cybersecurity be addressed in a manner that is standards-based and ensures that the control of the data is with the owner of the vehicle.”
An Auto Care Association survey announced in October 2018 “found 86 percent of consumers said vehicle owners should have access to driver and vehicle data, also known as telematics. Additionally, the survey found 88 percent of consumers believe a vehicle’s owner should decide who has access to this data.”
Lowe promoted the SVI as a means of addressing this data control issue.
The ETI, for its part, resolved that it supported tools in which the repairer (the “End User”) and customer information “shall not be provided to a Vehicle Manufacturer or designated third party vendor.”
“Institute membership acknowledges that vehicle security is of paramount concern to vehicle manufacturers, as design of electronic control unit and datalink communication networks now may include requirement from the cybersecurity community,” the ETI resolution summary states. “The Institute also acknowledges that a majority of vehicles in operation are diagnosed and serviced in an aftermarket repair center. By preparing these resolutions, the Institute is transparently sharing its requirement for diagnostic products to be included in the discussion with vehicle manufacturer electronic system and cybersecurity designers to ensure they can continue to provide diagnostic products to the aftermarket service centers which in turn can then continue to service the complex vehicles of today and in the future.”
More information:
Equipment and Tool Institute Collision Industry Conference presentation
CIC, Jan. 17, 2019
ETI “Secure Vehicle Communication Tool Authentication Resolutions” position
ETI, Nov. 13, 2018
“CYBERSECURITY: A THREAT TO REPAIR INDUSTRY THAT CAN’T BE IGNORED”
Aaron Lowe in Auto Body Repair Network, Sept. 28, 2019
“Auto Care Association and Partners to Unveil Secure Vehicle Interface at AAPEX 2018”
Auto Care Association, Oct. 9, 2018
Featured image by John Huetter/Repairer Driven News.