The connected vehicle and telematics market is increasingly data-intensive, which has raised a number of security and privacy concerns in the automotive industry, for insurance companies and among consumers. While a number of efforts are underway to help ensure the safety of these telematics and other systems, approaches by automotive OEMs and telematics providers remain uncoordinated and lack any sort of standardization.
There are now mobile apps and vehicle systems that could potentially allow hackers to unlock car doors or even control safety systems remotely.
In 2016, NHTSA issued guidance on cybersecurity for vehicles, recommending a layered approach to reduce the probability of attacks, as well as timely detection and rapid response to potential cybersecurity incidents. So far, the federal government has not created any new regulatory authority around vehicle cybersecurity, but it could be coming if industry efforts are seen as insufficient.
Any security approach will require balancing safety with access requirements. There is already some indication that OEMs are hoping to restrict OBD-II access (in a few cases, they have made it physically difficult to keep a dongle-type device plugged into the port during vehicle operation).
While this could make the data more secure, it would impede mandated access to emissions information, as well as aftermarket and third-party provider access to vehicle operational and maintenance data. That debate will likely get much louder as the universe of telematics technologies expands.
"There were early attempts by the manufacturers to simply block access to the OBD port, but those approaches have matured," says Ben Miners, vice president of innovation at Intelligent Mechatronic Systems (IMS), which offers the DriveSync connected car platform. "No they are managing the secure delivery of information from their own back-end servers, which at least puts control of the content with the manufacturers or a contractor."
That's why the aftermarket is trying to have an active voice in this discussion. The Auto Care Association has been working with vehicle manufacturers and other industry trade groups to create a secure vehicle interface (SVI) standard that could be turned into an official Society of Automotive Engineers (SAE) standard.
"It would allow data communicated through the OBD port or through a wireless method to be transmitted from the vehicle such that vehicle systems are protected but data is available to be used," says Aaron Lowe, senior vice president of regulatory and government affairs at the Auto Care Association. "That would provide security, but still allow the industry to have access to the diagnostic data."
That collaborative effort should hopefully keep open access part of the discussion. "There seems to be willingness to look at some methods like SVI to make sure it happens in a way that doesn’t close off the OBD port," Lowe says. "It’s challenging but we think we are addressing those challenges.