MOTOR Magazine

A MOTOR Magazine Newsletter
May 10, 2018

Contributed by Bob Chabot
NASTF to Launch All-New SDRM v2.0 on Sept. 15, 2018

Built to benefit vehicle security professionals

SDRM v1.0 Was Getting Long in the Tooth
The original SDRM — a collaborative effort by automakers, the independent service/repair community, locksmiths, insurers and law enforcement — was first implemented in 2007. It is now 11 years old; ironically, the same age as the average vehicle in operation in America.

Originally designed to facilitate access by bona fide and vetted aftermarket vehicle security professionals to the automakers’ security-related information and resources, v1.0 also simultaneously protected the safety and security of consumers and the integrity of automobile security systems. Examples include key codes, immobilizer resets, theft-related parts and others.

To enable access, v1.0 required prospective users to apply for a Locksmith Identification Number (LSID). After individual bona fides were vetted (e.g. background check, bonding, etc.), successful applicants were added to the NASTF’s Vehicle Security Professional Registry (henceforth, Registry), which had an administrative manager.

Since its inception, substantial advances in technology, service procedures and security measures have continued to emerge. Despite the SDRM’s longevity, proven value and service to the industry, NASTF recognized that a major update was necessary. The time is now.

Images in this article are for demonstration purposes only. All current LSID holders will need to obtain the new VSP credential before Sept. 15, 2018. (All image — NASTF)

Say Hello to SDRM 2.0
In late 2016, NASTF engaged Stroz-Freidberg — a respected cybersecurity consultant specializing in security science, digital forensics, and incident response — to conduct a risk analysis of the SDRM, the Registry and LSID process. After its review, the firm reported several concerns, a number of potential attack vectors and other vulnerabilities.

For example, although there had been very few incidents with LSID holders, NASTF recognized it was unreasonable to expect that dynamic to continue. The SDRM team then went to work — like sorting wheat from chaff — to determine what still was viable and what needed to be rebuilt.

“On the human side, we will continue to screen applicants to ensure they are a legitimate business doing what they’ve said they’re doing,” advised Donny Seyfer, NASTF executive officer. “So we’ll still Google the applicants’ businesses, make phone calls to them and continue many of the hands-on measures that have worked for us in the past. We’ve also added several new tests and automated processes that will be built into the electronic application process to improve security and quicken the process.”

Some major revisions to the VSP (former LSID background) application process and terminology have already been made. Others are in the final stages of development and will be integrated with SDRM 2.0’s launch. For example, former LSID holders will be called Vehicle Security Professionals (VSPs). In addition, the former LSID designation will now be recognized as the Vehicle Security Credential (VSC).

Confusion in the marketplace prompted the terminology changes. There were different terms being used by different user groups, so commonizing made sense. New terms — VSP (for the actual professional), VSC (as the validation designation), and D1 form (formerly the Automotive Key Generation and/or Immobilizer System/Anti-Theft Services Form) — will be used going forward, as they are more intuitive and relevant to the influence security has in all things automotive today. The new terminology also harmonizes language and meets privacy laws in U.S. and Canadian jurisdictions.

SDRM v2.0 will also require VSPs to use “two form factor authentication,” a cybersecurity measure designed to help thwart keycode brokers and other hackers.

SDRM Users: What’s in it for you?
The underlying architecture of the SDRM v2.0 has been modernized and more stringently secured. In addition, processes have been streamlined, automated and digitized to provide numerous benefits for VSPs.

For example, the SDRM v2.0 is:

  • Online — Automated online processes now enable documents (e.g. background checks) and communications to be exchanged digitally, rather than via snail mail, email, paper or phone conversations.
  • Faster — Version 2.0 will be quicker for VSPs to use, meaning they will have more time to be productive in their businesses generating income.
  • Connected — Think convenience. VSPs will be able to use their smart devices to access SDRM resources and check transaction statuses wherever they are connected.
  • Safer — NASTF has completed a total rewrite of the Registry’s software and hardware architecture — details won’t be disclosed here — to vastly improve the security and privacy of automaker information, users and the public.

“VSP applications will now be done entirely online to obtain a password,” Seyfer advised. “Applicants will now be able to fill in all the data required, engage the background check and upload required documents online. In particular, background checks for applicants will now be an all-online process. In addition, VSPs will use their own login to access the system and automaker websites, but much differently than when they used their former LSID."

"VSPs will be the administrators of their own information," Seyfer added. "For instance, because all necessary documents will be uploaded, when something needs to be updated (e.g. a VSP’s insurance expiry date is reached), the system will automatically send an alert to the VSP, who can then upload the update digitally."

“SDRM v2.0 will also require VSPs to use “two form factor authentication,” another cybersecurity measure that thwarts keycode brokers and other hackers,” he continued. “VSPs won’t have to expose their unique VSC password when accessing the Registry for vehicle security information. Instead, they will be able to request a unique passcode — without divulging their VSC password — via Authy, an app on their phone or connected device of choice. Authy will generate and send a unique passcode back to the VSP, who then enters it to gain access. Note that the Authy passcode is generated on the fly, has a built-in timeout and can only be used once.”

VSP dashboards will facilitate categorized online transactions and will also be able to handle some exceptional situations.

VSPs Get Their Own Administrative Dashboard
The VSP Dashboard will be the primary administrative tool used to communicate and process security-related transactions. To begin any SDRM transaction, VSPs must upload a D1 form. “D1s will be an integral reference point for all v2.0 transactions,” Seyfer emphasized. “D1 forms can be filed online and they are required for all SDRM transactions. The D1 form will also be color-coded to guide the flow of certain communications. And the D1s are dynamic. For example, they easily accommodate the differences between Canadian and U.S. privacy regulations.”

There will be three D1 forms to categorize the type of authorization. These include:

  • Custom Authorizations — Used by a VSP performing service directly with a customer (e.g. shop technician or locksmith VSP with their customer at the shop). In this case, the customer provides the required documents and signatures.
  • Contracting Authorizations — Used by a VSP providing service for another business (e.g. mobile diagnostician VSP working at another shop). In this case, the VSP obtains and provides the required documents and signatures.
  • Auction Authorizations — Used when the VSP is operating at an auction house (e.g. performing service on behalf of the lien- or vehicle-holder).

“Dashboards will facilitate a compartmentalized online D1 transaction process,” Seyfer stressed. “Individual VSPs will be able to view all of their own transactions on their dashboard. They can check the status, verify or ask questions related to any of their D1s, without having to contact the Registry manager of NICB for information. Likewise, registered business accounts with multiple VSPs will be able to view the transactions of all of their employees. Each automaker will only be able to see D1s specific to its brands. And at the forty-thousand foot level, all D1s will be visible to the SDRM Registry manager and the National Insurance Crime Bureau (NICB), which greatly improves our ongoing audit checks.”

Seyfer noted that v2.0 is able to handle exceptional situations. “Version 2.0 requires filed D1s to be at least partially filled. For example, we run into situations where a VSP may not be able to be online. They can fill out a manual form, take a picture of it and upload the photo to the system. They still have to acquire and provide the customer and vehicle information and tie it back to their D1 transaction initiated on the system with the automaker involved, but at least they can proceed with the service.”

“If the D1 isn’t completely or partially filled, the system will not allow a transaction to continue,” he cautioned. For instance, if the missing criteria for a partial filing aren’t followed up, then our 5-day timeout limit will suspend the transaction until rectified. Chronic repeat offenders will be dealt with individually. In addition, if a mistake is made (e.g. entering the wrong VIN) the system will make a note of the error and notify the VSP and the Registry manager, so a correction can be made.”

Three different types of D1 forms can be filed online and they are required for all SDRM transactions. Note NASTF is considering a change of name for the D1 form.

If You Plan to be a Vehicle Security Professional, Please Read This
The NASTF realizes its single biggest challenge with launching SDRM v2.0 is communicating the upcoming changes and details to VSPs. It’s critical VSPs have the opportunity to be informed, aware of the inbound changes, and have time to prepare before SDRM v2.0 is released and activated.

“That’s why NASTF is starting to get the message out now in April, more than four months before the v2.0 launch date,” Seyfer shared. He cited other actions NASTF is undertaking before the launch next Fall:

  • Our brand ambassadors are attending industry trade shows and events to spread the word about v2.0.
  • We are responding to requests from advanced vehicle technology groups to speak or be interviewed.
  • A portal for VSPs is being built to provide v2.0 details, explanations, presentations and other resources.
  • A pilot group of VSPs will soon begin Beta testing v2.0, which will help us iron out any hiccups they experience before the launch.

“Our bottom line is we want everyone on board by the launch,” Seyfer emphasized. “That’s why we are using the time between now and mid-September to provide the resources to help VSPs get ready for SDRM v2.0.”

[Editor's note: Visit for the latest diagnostic and service insights.]

Important Links
MOTOR Current Issue
MOTOR Current Issue
MOTOR Magazine

MOTOR Information Systems • 1301 W. Long Lake Road, Suite 300 • Troy, MI 48098