By Jeff Sanford
Toronto, Ontario — March 14, 2016 — Cybersecurity is a growing concern in the automotive aftermarket. The targets may be the vehicles themselves, or repairer or recycler data. The latest Guild 21 conference call zeroed in on the issue, bringing on guest speaker John T. Ellis, founder and Managing Director of Ellis & Associates. He offered a provocative look into the emerging world of digitally connected cars.
Ellis is more than qualified to speak on the subject. He has worked as Global Technologist and Head of the Ford Developer Program with Ford Motor Company, where he was involved with the creation of SmartDeviceLink, an open source version of Ford’s AppLink technology. Ellis came to the auto sector after a period working at phone maker Motorola. He occupies an interesting niche in the industry at the point where autos, consumers, connectivity and software intersect. Today he runs his consulting firm and is the designer and lead instructor of the Connected Vehicle Professional certificate course. This makes him uniquely situated to talk about the issues arising as a result of ever more digitally-connected vehicles.
“I’m not a car guy; I’m a software guy and I work with cars,” he said on the call. That is, he understands the trajectory for software as it involves vehicles. He went on to discuss four key events that occurred over the past year that will help determine the shape of how digital connectivity in the auto industry will work over the years to come.
The first event was the Jeep hack. This incident involved two security researchers working for tech industry magazine Wired, Charlie Miller and Chris Valasek, demonstrating how it was possible to remotely access a car’s digital system and control the vehicle remotely.
“They showed how an unmodified vehicle could be hacked into, and began to mess with the car. From a remote location they changed the radio and turned on wipers. Then they shut the engine off on the freeway. This unveiling of the security hole resulted in the fastest recall ever. Almost one and a half million vehicles were recalled within 72 hours,” said Ellis. “Chrysler is pissed at Chris and Charlie. They are still talking about taking legal action against them.”
Ellis says this is the wrong approach. In his presentation, Ellis went on point out that another car company is taking a more enlightened and intelligent approach to dealing with connected cars, highlighting his viewpoint with an anecdote about a less well-known incident at an important hacker convention known as Defcon. Two researchers at Defcon talked about a hack they had performed on a Tesla vehicle. According to Ellis, halfway through their address the two hackers stopped their presentation and invited an executive from Tesla onstage. The Tesla executive got up, addressed the crowd and told the assembled hackers that, “We’re hiring. If you think you can hack us, come and let us know.” As the executive was walking offstage he thanked Tesla owners and mentioned the vulnerability had been patched. It was the smart, intelligent approach to take in terms of dealing with hackable vehicles. Needless to say, of the two reactions, the “Tesla model is the model to follow. Chrysler is not the example,” says Ellis.
The other incident in the past year that points to the newly emerging auto future is the so-called Diesel Gate incident. “What this pointed out to people was that cars will behave differently if something is done to the on-board diagnostics (OBD) system,” says Ellis. “No regulatory body has tested this, but we have cars on the road that could be behaving differently as a result of changes to the OBD.”
He points out that there are now insurance dongles that plug into the OBD. Companies are offering chiptuning services by modifying the OBD. “It has become a tool which it was never intended to be,” says Ellis.
Another key event of the last year: In 2015 the Library of Congress opened up the rules around patents. A digital activist organization, the Electronic Frontier Foundation, submitted briefs on the case backing the right of auto owners to hack and revise software on their vehicles. GM argued that the owner of the car does not own the software and supplied opposing briefs arguing that modifications by the “owner” of a car’s software was illegal.
“The auto industry came hard and said, ‘No way. This should not be allowed,’” says Ellis. The argument was that the software is part of the safety system and the car owner does not own the right to change the software. But this fight over who has rights and access to the software on a car is an important one, according to Ellis. “This fight is not close to over. And it’s coming hard and fast,” he says. “Coalitions are popping up.”
The other concern Ellis mentioned was the rise of something called “Geo-coding” of auto parts. This is a way of digitally imprinting the part so that only that only an OEM approved replacement part can be used. “This has chilled the repair market and has limited the ability to get parts and put them in the car,” says Ellis. Given the history of the consumer sector in other industries (where replacement parts have been limited to OE sources only), “We have to be conscious of how this behaviour manifests itself. One day we’ll wake up and not own our car, or not have the right to change that software,” says Ellis. “Geo-coding will limit functionality to one brand. The OEMs want to make sure the part is original and is leading us to a world where you can no longer swap parts. You will only be able to get certain parts from certain suppliers. If we’re not careful we’ll be in a world so controlled by the OEMS (that) we have issues in terms of choice.”
He goes back to the Chrysler hack. “There is an expansion of corporate powers around the Jeep hack, in that it was considered illegal and the people who did it are subject to prison for their work. Instead of recognizing these guys for their contribution to culture and helping to making cars safer, Chrysler would have them punished,” says Ellis. “Where do the solutions lie? How is this going to work?”
It’s not quite clear yet according to Ellis. But there are big questions looming. “Technology is wonderful, but we need to be vigilant. We need to look at the consumer industry in terms of limiting choice and say we don’t want to go there,” says Ellis.
