Sacred Cows & Hamburger
Some people are going to have a leg injury from knee-jerk reactions if they're not careful. While Edwin's comment in Matt's EcoSport post (FDRS) was the deciding impetus for this post, he is far from the only one expressing some sort of concern. On iATN, some people jacked their jaws about Chrysler and how they'll do this or that because of the SGW. ("Oh, look what they did. Arrest them" type responses. Just so we're clear, I made up the content in the scare quotes as an illustration.) A classic case of not knowing what they don't know and wearing their ignorance like a badge of honor.
Maybe, we should slay a sacred cow or a few of them. The old saw about making laws and sausage applies to hamburger also. I'll try to not go too far in the weeds but everything below is easily verified. Ok, Congress' letter to NHTSA is somewhat mysteriously absent from the official archives, so I'll post that. I'll also attempt to keep things in chronological order though that is a bit difficult since these types of things don't live in a vacuum. A certain overlap between different groups and time periods tends to happen.
The J1962 connector is a lot like a Social Security Number (SSN). The SSN was designed for just one purpose. We know how that’s gone. The J1962 connector was also designed for just one purpose. It was approved for “passenger cars and light and medium duty trucks, to be equipped with a standardised connector for purposes of access to on-board diagnostic information by "generic" test equipment.”
As you know, the government “owns” cavities 2, 4, 5, 6, 7, 10, 14, 15 and 16. The OEMs are free to use the others, however they like. And boy, do they like. Since that time, God and everybody has tried to slither into that connector. At the SAE World Congress in 2001, people were coming out of the woodwork extolling the virtues of telematics. It was the new buzzword. Telematics were the new century’s equivalent of cupholders in the 70s.
There were some very interesting presentations. Many of them have come to fruition. I managed to scare one presenter off of the stage simply by asking a question, civilly (granted, it was through clenched teeth), about the aftermarket being locked out of repairs due to OnStar type systems directing vehicle owners to their franchisees (dealerships). That’s how I met the Motor Age people.
By 2002, there were concerns about keeping the genie in the bottle. AutoSAR was created by the German stakeholders because of the complexities starting to show. Actually, there were concerns before that because CAN wasn't designed to be "locked down". When it was envisioned by Bosch in 1985, it was unencumbered with its hair blowing in the breeze while riding down the highway on its scoot, throttle wide open.
A decade after that World Congress (2011), GM was recognized for publicly being the first to be hacked wirelessly. The weak links? OnStar and Bluetooth. This was 4 years before the Jeep. Don’t recall ever hearing much about it? Yeah, what’s up with that? NHTSA’s later response to a lack of a requested recall, unlike what they did with Chrysler, was precious. (For fun, look up David Strickland and Mark Rosekind’s tenures at NHTSA. It’s been said that correlation isn’t necessarily causation. What isn’t said is that it could be.)
Apparently, it got some people’s attention though. The transportation bill passed in 2012 made it a bit of a mention. “(a) IN GENERAL.—Not later than 2 years after the date of enactment of this Act, the Secretary shall complete an examination of the need for safety standards with regard to electronic systems in passenger motor vehicles. In conducting this examination, the Secretary shall— (1) consider the electronic components, the interaction of electronic components, the security needs for those electronic systems to prevent unauthorized access, and the effect of surrounding environments on the electronic systems; and (2) allow for public comment. (b) REPORT.—Upon completion of the examination under subsection (a), the Secretary shall submit a report on the highest priority areas for safety with regard to the electronic systems to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives.”
In December, 2015, NHTSA finally issued their required report to Congress. (There was no Administrator in 2014. That’s OK, I guess. There hasn’t been one since he left at the end of 2016.) From …, NHTSA worked on rule-making, primarily dealing with V2V. In March, 2016, the GAO issued their “requested” report to Congress. A dog & pony Oversight hearing was held in April, 2016. Congress put NHTSA on the spot again in September, 2016. That letter was widely reported as being the impetus for a standard by SAE.
The only part wrong about that last sentence is, um, everything. This standard (J3138) was started in 2012 to pick up the slack in an existing standard. It’s up for a vote now, having been moved for approval not too long ago. There have been articles written on it, editorials written on it, “lobbying” on it, etc. Discreet, it hasn’t been.
One of the dictated duties of NHTSA is to provide guidance (rule-making) to OEMs. It has been acknowledged for 15 years, more or less, that gateways are a viable (critical) part of a layered cyber-security strategy. NHTSA, DOT, GAO, many of the OEMs, SAE and many vendors have acknowledged as much. A NHTSA report in October, 2016 came out and explicitly said so. Why, with this kind of notice, anyone is surprised that secure gateways would be implemented is beyond me.
Again, this hasn’t been discreet. NHTSA’s job is to be the responsible adult in the room. While I won’t go so far as to say that they got drunk and fell asleep on the couch while the kids are out joyriding, I’m hard pressed to say that they’ve offered guidance, even when it was requested by the OEMs.
I sell diagnostic equipment. I’ve worked for a Tier 1 supplier. I’ve sold (and still do sell) factory scan tools and aftermarket scan tools. Aftermarket scan tool manufacturers spend their R&D money on 3-year and older vehicles. That’s their sweet spot. It’s where they get the biggest return and customer base for their money. I would do the same thing.
Remember that J3138 vote? If you’re designing tools, wouldn’t you want to know what the security guidance is going to be before you spend your R&D money? Most of them belong to eTI. The OEMs and vendors belong to eTI. They're the clearinghouse for licensing issues.
Just in case anyone jumps to the conclusion that I'm an apologist for the OEMs, nothing is further from the truth. There is no doubt that they've been kicking and screaming all of the way. They've also had quite a bit of help behind the scenes. (Venable has a well deserved reputation.) I'm not an attorney, nor do I play one on the internet. My understanding of constitutional construct is that if 2 laws bump heads, deference is given to Congress that they knew this and the later position is the one they want to be taken. While NHTSA is writing the "guidelines", they are doing this due to a request by Congress. Since reports are/were issued to Congress, if Congress doesn't squawk then they countenance the new guidance (rule-making).
Now, if you want to know my take, it's this: If you're walking down the street while texting and fall into an open manhole, it's on you. A lot of people prefer to be reactionary instead of "actionary" (if that's not a word, it is now). I guess that old saw is true. "Everyone loves the firefighter but no one likes the fire inspector (preventer)."
(After re-reading this, I've decided to add links below for some of the documentation leading to what was written above. I'll give you fair warning: they should come with warning labels because it is not safe to drive after reading these. For your safety, no refills are available.) Please note that while you may find this boring and droll, every "stakeholder" knows this stuff cold.
It took people understanding that simple concept to get service information, security release information and the like, first with the Arizona Pilot Project and then the creation of NASTF. It took understanding the rules, how they're promulgated and being there to testify (either in person or by letter) when necessary and filing an "official complaint" with the correct people when things weren't above board. Knee-jerk doesn't cut it.
While these issues are somewhat provincial for us in the US, our Canadian members and members from OZ would do well to pay attention. Their access was directly related to how things were done here. They got to see the potholes encountered in the US and how they were successfully (and unsuccessfully) navigated around.
govinfo.gov/content/pkg/PL….pdf (See sections 31401 & 31402.)
ecfr.io/Title-40/pt40… (Please note this is from July 1, 2014.)
I understand what you're saying. The info was out there for years, everyone knew this was coming. However, those of us in the deepest, darkest and dirtiest of trenches were/are still ignorant to these facts. There are so many day to day activities involved in what we do on the ground level, that the vast majority of us simply don't have the time (let alone the wherewithal) to keep up with the
Guido and Diagnostic Network, First off, I admit to being one to knee-jerk certain topics more than I would like, but not as much as I used to. I just finished up reading through the articles. I do have a couple thoughts/questions. Some of this I've researched before, and I had come across mention of the Evita Project & Bosch's relationship with them on making vehicle software safer. It
Hi Chris: I hope you were wearing PPE while digging that deep in the mine. I find the Infineon/STMicroelectronics (In/STM) piece interesting. I don't have a clue what "fully EVITA-compliant for attack prevention, detection, and containment techniques" means. It doesn't appear that anything has been done with EVITA since 2012. evita-project.org/deliverables.h… The
Guido, I was in full PPE, equipped with boot taping as directed by MSHA, and it was an interesting dive. I'm still wrapping my head around some of these concepts and their implications so I decided to play devil's advocate in my post. As you know, I take no offense at anything, and I am glad for the additional information you put out. My goal was to attempt to get some more conversation going…
Hi Chris: Conferences can be a somewhat non-offensive way of exposing potential products to a potential marketplace. I think of them as in-person press releases. The product could be physical or IP. At the end of the day, if it is not salable, it either gets kicked to the curb or placed into storage for another look later on down the road. Argument is logical discussion of thought. It's needed
Guido, "Growing up in Darby", that's all you need to say. I come from Lancaster County originally, and spent the rest of the time in Montgomery County. I understand where you're coming from.
Thank you! This is a wonderful compilation of many of the things that matter to our industry. The concept of the secure gateway has been discussed at ETI for quite a few years. The Germans were actually pushing back on that whole concept proposing what is generally understood as extended vehicle. That means the vehicle phones home, you log into the manufacturer and diagnose through that path. Many
Hi Bob: I considered adding ExVe (ISO20077, 20078 & 20080) into it. I was on the fence though. Parts of the standard were just updated a few weeks ago. I've not had a chance to read them. If you aren't paying attention, ISO standards can make you broke in a quickness. The 3 standards are broken down into the various subsets. ($$$$) I miss not having easy access to standards. Before my now
The notion of a "scan tool" will be going away soon and fast. We have to rethink our entire industry. You mention the standards. By the time they become published it is almost too late for anyone to be successful using them in an innovative fashion. I never did my turn in the barrel with SAE. I regret that a bit but hey, I am only 57 YO and still can contribute some. Watching from the
This Car Data Facts article seems to suggest that the AM “solution” will be a neutral (independent) and licensed server that will gain access to the OE server for data. Is this document compiled by a division of ISO? If I’m interpreting that correctly, aftermarket diagnostic tool makers would establish their own licensed servers and provide internet-based diagnostic access to us in that means…
Hi Rusty: Some things need to be kept in perspective. 1: To the best of my knowledge, no OEM is using ExVe. 2: The ISO standard changes were just published last month. I don't have a clue what those changes entail. 3: ISO is primarily EU and is non-US. While there are some cooperating standards, by and large, they are separate from SAE. 4: J-3138 has not been approved yet, to the best of my
Hi All, Just to set the record straight from above: “In December, 2015, NHTSA finally issued their required report to Congress. (There was no Administrator in 2014. That’s OK, I guess. There hasn’t been one since he left at the end of 2016.) From …, NHTSA worked on rule-making, primarily dealing with V2V. In March, 2016, the GAO issued their “requested” report to Congress. A dog
Bob, Just for my own clarification, as SAE confuses me at times, the current standard is Diagnostic Link Connector Security J… correct? Also listed in the documentation list for J3138 is a document in progress started …, and J3146, also started at the same time. My question is, will these be updates to the current standard? Unfortunately, people such as me don't fully
Chris – yes this is the current published standard. There is a new “Work in Progress” (WIP) that started shortly after publication, as is normal in the standards world, especially in hot areas. Still takes a while (sometimes glacial) to get to the next level, but we do work pretty hard at it. I have passed along my authoring duties on J3138 to people who are smarter than me in the new areas
Bob, This is the one link I came across in my searches. I agree that it is probably a typo, as a search for J3138 WIP brings up a date of 6/23/18, but links back to the site I provided here, which labels it as 2012. This is the documentation list, my term, I had found based off the Data Link Connector Vehicle Security Committee works. profiles.sae.org/tevds20
OK, I see this is the Mobilus site. Probably a typo. That is the original Rationale that I wrote before the second workshop on the 30th of January 2018. The Rationale is required to start a WIP... Cheers, Bob
Hi Bob: Thank you for the correction. Guido
No problem, I think that's why Bob Augustine pulled me in to DN... :-) Cheers, Bob
Hello Bob G. Please stay in the barrel! Tightening the electrical specifications surrounding the connector is in the best interest of everyone if you look at the life cycle of the vehicle today. There is so much infrastructure surrounding it that making a major physical change does not make much sense. Can still get adequate data rates across and by the time it's just not enough the vehicles will be
Hey Robert! I agree, and with new GHG requirements from CARB coming, it's going to get dicier... Yes, I have all of my reservations set for TT. Hope to see you in NC, then Cheers, Bob