Tuesday 17th September 2019

Diagnostic data: Who owns your car’s information?

Published on May 23rd, 2018

Inside the average connected car you’ll find more sophisticated computer systems than inside some fighter jets. There are typically over 100 Electronic Control Units (ECUs), using more than 100 million lines of code to command in car systems. But who should control access to the diagnostic data generated by these systems? Should it be the driver? The manufacturer? Or should accessibility to that data be preserved to ensure a thriving competitive aftermarket? says Ken Munro, partner at Pen Test Partners.

As drivers, we’ve always enjoyed tinkering with our cars. Look online and you’ll find plenty of fora discussing how to hack the onboard diagnostics (OBD) port to make the windows open from the key fob and other tweaks. These hacks may not be strictly in line with manufacturer recommendations but they don’t break any laws; at worst, the driver may invalidate their warranty. In fact, many vehicle owners are happy to forego the assurance of the warranty if it means they can access and use that diagnostic data themselves.

In the US, owners of John Deere tractors, fed up with expensive repairs, have gone it alone, using unauthorised versions of software or hacking the firmware. Again, while this self-servicing is not illegal, these farmers are under increasing pressure to sign licensing agreements that would then find them in breach of contract with the manufacturer.

This has fuelled what is known as the ‘Right to Repair’ bill, a political movement that aims to ensure parts, diagnostic tools and repair manuals are publicly available to help vehicle owners navigate their way through these complex systems.

Hack attacks

Yet if we make it easier to access these systems, how do we protect them? That’s the argument being put forward by the manufacturing fraternity. Groups such as the European Automobile Manufacturers’ Association (ACEA) claim that manufacturers “invest heavily in the ability of vehicles to generate data and are ultimately responsible for the vehicle’s safety and integrity” and warn that “direct third-party access would facilitate hacker attacks”.

They have a point. While 100 million lines of code may sound impressive, Windows XP had 45 million lines of code and we all know how many vulnerabilities that operating system had. There’s no doubt that connected or autonomous cars will have software vulnerabilities which will need to be remediated, either remotely, with updates, physically in a service centre or via a factory recall.

Today, connected cars are vulnerable to attack over numerous touch-points. Mobile apps, infotainment media (USB/SD/CD), unsecured wireless communication protocols (Bluetooth, FM, DAB, Wi-Fi etc), update mechanisms, the CAN bus, certificate and key stores… The attack surface is huge. And it’s this that is lending weight to the automotive industry’s call to lock down data.

Understandably this has caused some consternation among independent service providers who view this as an attack on their right to access diagnostic data. Under the European Union Block Exemption Regulation (BER) manufacturers are required to allow independent garages to access repair and maintenance information to diagnose faults and implement fixes without this impacting the owner’s warranty. BER in its current incarnation comes to an end in 2023, leaving the field wide open.

Off-board access

ACEA suggests the solution to this is the “extended vehicle concept” or off-board access now referred to as‘Nevada’. This would see the use of open but protected interfaces such as the OBD, fleet management systems (FMS), remote diagnostic support (RDS – that is a web interface), and an interface for cooperative intelligent transport systems (CIT-S) for safety related applications all of which are controlled by the manufacturer.

There would no longer be any direct access and any data would be governed by “commercial agreements” between the manufacturer and the third party. Presumably the same type of agreements as those the US farmers objected to.

Ken Munro

The aftermarket argues this would give manufacturers direct first line access not just to car data but also the driver, squeezing them out. It would also allow the manufacturer to gain visibility of the work carried out during servicing which could see them put pressure on third parties to take certain services, parts and insurance policies.

It’s for these reasons that the Independent Automotive Aftermarket Federation (IAAF) believes Nevada could reduce competition and threaten innovation in the aftermarket. It cites the mandatory installation of the e-Call service, used to issue calls to the emergency and breakdown services, as an example. All new cars must have e-Call installed but while aftermarket providers have ready access to e-Call data today, will they have to rely on manufacturers to give it to them in the future?

The jury is out on who will govern access but it’s clear a method needs to be found to protect data without restricting access. If manufacturers have sole preserve we will also be reliant upon them to detect anomalies and as we’ve seen from the emissions scandal that may not be in their best interest.

Open access not only preserves a competitive market place; it also allows whistle-blowers to alert manufacturers to scary security vulnerabilities, providing a form of self-regulation which ultimately is in all of our interests.

The author of this blog is Ken Munro, partner at Pen Test Partners

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow