At the end of October, without much fanfare, the National Highway Traffic Safety Administration (NHTSA) published a “nonbinding guidance to the automotive industry for improving motor vehicle cybersecurity.”
The recommendation in the guidance, Cybersecurity for Modern Vehicles, has potentially broad implications for auto OEMs, auto finance companies, fleet managers, remarketers, auctions, and a number of suppliers to the above.
While the best practices listed are voluntary, the guidance shows that NHTSA is making cybersecurity its business and is setting the stage for becoming the regulating agency for cybersecurity matters. This is not only about the preservation of the safe mechanical and electronic performance of vehicles, but the paper also explicitly refers to the need to protect Personally Identifiable Information (PII).
Among the many best practices listed, NHTSA recommends limiting access to third parties, not only during development and debugging of the software but also during vehicle operation. Aftermarket devices such as mobile phones, USB devices, and especially dongles that plug into OBDII are specifically mentioned as risk factors.
And while “the automotive industry should provide strong vehicle cybersecurity protections that do not unduly restrict access by authorized alternative third-party repair services,” similar concessions are not made for other aftermarket services and applications.
The NHTSA position is supported by the auto OEMs.
Reading between the lines of the NHTSA document, if access becomes limited to cars’ “brains,” this would result in a significant reshaping of the telematics industry. One could also infer that regulators’ attention to the protection of PII stored in the car is destined to grow.
The past few years have witnessed a quick decreasing cost and a rapid expansion of in-car aftermarket devices for insurance, fleet management, theft security, and infotainment, to name a few.
The birth and rapid expansion of that industry has also democratized car hacking. For instance, a 14-year-old with $15 parts demonstrated that he could remotely activate a vehicle’s horn, lights, wipers, and locks at the 2015 Battelle Auto Challenge.
This spring, Carnegie Mellon University released a study commissioned by the Department of Homeland Security aptly called “On Board Diagnostics: Risks and Vulnerabilities of the Connected Vehicle,” stating that most OBDII aftermarket devices have significant security flaws — or no security at all.
The OBDII port standard was originally designed for those with physical access to the vehicle, such as emissions testing or vehicle service, but never for real-time, over-the-air “chattiness.” Hence it was never designed with security in mind.
Picking an OBDII port-based solution today carries new risks. Besides having to navigate the rapidly changing arena of aftermarket players and solutions, you must also consider the potential safety and liabilities. One must also ponder the potential shelf life of that investment in a world where port access may be severely restricted.
If the OBDII port is eventually locked, there are two new approaches fleets could take to manage vehicles: The first is implementation of a “data as a service” offering from an OEM, in which a fleet would pay the manufacturer to have access to the data via its on-board telematics system.
The second is an aftermarket solution that relies on software and sensors that are not plugged into the car. These aftermarket “unplugged” solutions will likely be less precise compared to what you can get from an in-car telematics solution, but they can be consistently rolled out to a fleet regardless of its makeup and are backwards-compatible to existing vehicles.
A small but growing number of companies are already pivoting to technologies that don’t rely on the OBDII port, but instead use sensors, computer vision, and algorithms to deliver fleet solutions. This is a trend to watch.