As OBD-II port access plays a larger and larger role in a number of new and traditional connected vehicle applications, concerns about security have grown. A number of widely publicized tests have show that hackers could potentially take control of critical vehicle systems by using infotainment or telematics systems as a gateway to the vehicle.
SAE has formed a Data Link Connector Vehicle Security Committee (SAE J3138) to develop standards for access, as well as best practices and reports to help automakers and third-party providers establish secure methods of utilizing OBD-II port access in their solutions.
The committee will leverage the work already conducted by SAE, which published its J3061 Cybersecurity Guidebook for Cyber-Physical Automotive Systems in 2016.
SAE’s actions were spurred, in part, by a letter sent last year from the U.S. House Committee on Energy and Commerce to the National Highway Traffic Safety Administration (NHTSA) to address these cyber-security concerns. According to the letter:
“In the past several years, information security researchers have discovered and demonstrated increasingly effective – and increasingly frequent – attacks on the internal networks of automobiles through the use of On-Board Diagnostic (OBD-II) ports and the devices that connect to them,” said the letter. “Researchers have been able to leverage either a direct connection to the OBD-II port, or devices that connect to the port, to cause a range of effects, from nuisances like digitally engaging the windshield wipers or car horn, to more consequential exploits such as remotely unlocking a vehicle’s doors or cutting a vehicle’s brakes or power steering.”
Committee chairman Fred Upton (R-Mich.) asked NHTSA to convene an industry-wide effort to address these risks.
According to Greg Potter, executive manager and COO of Equipment and Tool Institute (ETI), the key risk is remote hacking via wireless dongles. “If an un-secure dongle is attached to an in-vehicle network via the OBD-II port this dongle could be accessed (hacked) and the vehicle remotely controlled,” Potter says. ETI is participating in the standards-making process.
According to SAE, J3138 will focus on securing the in-vehicle network environment, including open access to communication busses, communication busses isolated via a gateway, and any hybrid approaches. The organization may also develop joint standards with ISO.
OEMs have increasingly cited security concerns in their efforts to close off access to OBD-II port data, which could potentially restrict the use of third-party scan tools, telematics devices, and other solutions. Potter says this is poses a risk to the aftermarket.
According to Potter, if the OEMs are able to limit connectivity, then legitimate access for everything from diagnostics, prognostics, fleet management, insurance monitors and vehicle owner convenience features will only be provided by the vehicle manufacturer. “This will impede competition in the marketplace, and only the manufacturer will control the access to your vehicle,” Potter says.
ETI would like to see open standards that follow the Secure, Managed, Bounded Domain (BSMD) approach, as is being developed for vehicle-to-vehicle (V2V) and vehicle-to-everything (V2X) communications for the Intelligent Transport Systems (ITS) model.
“This secure and managed communications structure can work for many use-cases besides ITS,” Potter says. “By sharing in this ITS based hardware and software, vehicle manufacturers and the aftermarket can both save time and money on a workable solution.”
Draft standards from SAE are expected by the end of the year. The Trump administration has not yet nominated a new director for NHTSA, so it’s unclear what role they might play in securing OBD-II port access.
