MOTOR Magazine

A MOTOR Magazine Newsletter
April 14, 2017

Contributed by Bob Chabot
Data Shift: From Plug-In to the Cloud

The ISO's Extended Vehicle Concept is poised to shift all vehicle data to OEM cloud-based servers

At no time in the history of the automotive industry has technological change been so dramatic, so imaginative, so exciting and oh so fast. Such is the case with the way vehicle data, software and other information will be communicated to, from and within vehicles. Here’s what you need to know now, so you can begin to prepare.

In November 2017, the International Standards Organization (ISO) will vote on a new vehicle communications architecture, known as the Extended Vehicle Concept (ExVe). If approved, as many expect it to be, technicians and service facilities will be impacted in ways most are not even aware of.

Modern vehicles and any service or device connected to them are increasingly at risk. In particular, because the J1962 vehicle communications interface is very insecure, new vehicle data communication interfaces with enhanced and more robust cybersecurity measures are inbound. (Image — Magneti Marelli S.p.A)

Emerging Technologies Have Passed J1962 By
The 30-year-old underdash 16-pin OBD II interface that diagnostic, reprogramming, insurance and other aftermarket devices have been plugged into was never designed to provide the functionality that modern vehicle data requires. In addition, the emergence and implementation of telematics, connected cars and transportation systems, automated driving and cybersecurity technologies each overwhelm J1962’s capabilities. Data has also evolved beyond the binary 1s and 0s of traditional software code.

J1962 technology can only accommodate one user at a time, is very insecure from hacking and other cyber threats, and communicates far too slowly to meet the “need it now” demands of these new technologies. New data is more voluminous, uses different formats and needs faster transmission speeds, increasingly in real time. Radar and camera imaging data for advanced driver assistance systems (ADAS) is just one example.

“The J1962 connector as well as any electronic vehicle communication device that plugs into it — a scan tool, J2534 box, laptop, dongle or other device — are prone to attack and capable of easily being hacked,” shared Mohan Sethi, MAHLE Aftermarket’s head of Product Management & Business Development. “Both the connector and these devices lack adequate built-in cybersecurity defenses.”

“For example, if a J2534 tool has been infected with malware, then every vehicle and device that J-box is then connected to is at risk, until the attack is remedied,” he explained. “With the buildup and rollout of telematics, connected vehicles, automated driving and intelligent transportation systems, the industry needs complete solutions now.”

The various colors in the ISO’s ExVe logo, provided by the ISO, are defined as follows:

  • The blue segment represents the OEM’s proprietary, off-vehicle, cloud-based web server, which is owned and controlled by each OEM, as defined by ISO Project 20078.
  • The yellow segment represents use cases for wireless time-critical communications (e.g., vehicle-to-vehicle communication).
  • The red segment represents use cases for retrieving information related to current mandated OBD-II exhaust-emissions data.
  • The grey segment represents other use cases within the extended vehicle that may or may not be standardized (e.g., insurance, shop CRM and other aftermarket dongles).

Access to Vehicle Data, Software and Other Information Must be Controlled
In early 2015, a group of OEM members of the ISO (Audi/VW, BMW, Fiat-Chrysler, Opel, PSA Peugeot Citroën, Renault-Nissan and Volvo) presented the ExVe concept to the ISO for consideration. They say that the new ExVe concept is able to secure vehicle data in an increasingly connected world, which J1962 cannot.

The ExVe solution addresses the shortcomings of J1962 and adds other useful enhancements. ExVe is much more cybersecure, allows for multiple users simultaneously, and can integrate emerging telematics, connected and automated driving technologies.

The ISO decided to pursue ExVe, and formed a technical committee (ISO TC/22 SC31 WG6) to administer and develop ExVe. Since then, TC/22 has managed two projects tasked with developing standards, as shown in the illustration above: (1) Project 20077, which is focused on ExVe methodology; and (2) Project 20078, which has been developing ExVe web services.

As currently written, ExVe builds an authentication and validation system for access to vehicle data that would be managed by each automaker. The automaker would control who gets access, as well as what level of access users would get to vehicle information, based on their “need to know,” subject to what information the automaker deems appropriate for the user to have.

As currently written, the ExVe solution gives automakers control of access to vehicle data, software and other information by requiring all data requests to be sent to the automaker’s server (left). Aftermarket organizations would prefer access to vehicle data to be shared equally between automakers and the aftermarket (right), and are working toward that goal. (Images — European Automotive Aftermarket Association)

Giving Data Security Teeth
The new vehicle communications architecture employs a two-stage security process. All requests for access to data must be sent to the automaker’s off-vehicle cloud-based server for authentication. If approved, the automaker then determines the level of access allowed. For example, an automaker’s engineer would get more access than a service technician, who would get more access than an insurance firm.

If authenticated and approved by the automaker, the data request would then be sent to the vehicle’s onboard gateway interface module (VCI), which safeguards the vehicle’s communication networks. Located between the current J1962 interface and the networks, the VCI gateway utilizes encryption codes and other security protocols to once again vet requests at the vehicle. Until authenticated and approved by both the cloud-based servers and the gateway VCI, data requests would be blocked, whether from wireless users or those trying to enter via the J1962 port — whether with good or bad intentions.
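To make the two-stage flow concrete, here is a small model of it, added as an illustration and not taken from the ISO drafts or any automaker's code. The role tiers follow the ordering in the article; the data classes, user names, VINs and the shared HMAC key are all constructed assumptions, since the article only says the gateway uses "encryption codes and other security protocols."

```python
import hashlib
import hmac
import json

# All names and values below are constructed for illustration.
TIERS = {"insurer": 1, "technician": 2, "engineer": 3}   # ordering from the article
REQUIRED_TIER = {"obd_emissions": 1, "diagnostic_dtc": 2, "ecu_calibration": 3}
REGISTERED = {"alice@oem": "engineer", "bob@shop": "technician", "carol@ins": "insurer"}
GATEWAY_KEY = b"constructed-demo-key"  # assumed secret shared by OEM server and gateway


def _mac(payload: bytes) -> str:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()


def oem_server_authorize(user, role, vin, data_class):
    """Stage 1: the OEM server authenticates the requester and decides the access level."""
    needed = REQUIRED_TIER.get(data_class)
    if role not in TIERS or REGISTERED.get(user) != role or needed is None:
        return None                      # unknown requester, role or data class
    if TIERS[role] < needed:
        return None                      # role is not entitled to this data
    claims = {"user": user, "tier": TIERS[role], "vin": vin, "data_class": data_class}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload, "mac": _mac(payload)}


def gateway_vet(token, vehicle_vin, data_class):
    """Stage 2: the on-vehicle gateway vets the request again; the default is to block."""
    if not token:
        return False                     # e.g. a device plugged straight into J1962
    if not hmac.compare_digest(_mac(token["payload"]), token["mac"]):
        return False                     # approval was altered or forged
    claims = json.loads(token["payload"])
    needed = REQUIRED_TIER.get(data_class)
    return (needed is not None
            and claims["vin"] == vehicle_vin
            and claims["data_class"] == data_class
            and claims["tier"] >= needed)
```

The model leaves out expiry times and one-time nonces, which a deployed design would need so that a captured approval cannot be replayed later.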

ExVe would enable the J1962 port to be eliminated entirely should regulators, who mandated J1962 VCI for OBD-II emissions related data, realize and accept that ExVe can provide that information in a more secure manner. Remember that only four pins on the J1962 connector are needed to provide OBD-II mandated information. The other dozen pins, which provide non-legislated diagnostic data, are not required by regulators.

Bosch recently introduced a secure vehicle communications interface it calls the Central Gateway (shown above). Of note, the CCG supports all current vehicle BUS communication networks up to and including Gigabit Ethernet. A Bosch animation shows the transition of tool and other data requests from plugged-in devices to the wireless cloud, a major shift from how data is requested, delivered and used now. (Image — Robert Bosch GmbH)

Shifting Data Access From Plug-In to the Cloud
Don’t be surprised if OEMs eventually use ExVe to manage all diagnostic requests, especially as they migrate to over-the-air software updates. That’s a paradigm shift that will impact how everyone does business — from automakers to suppliers to tool/equipment makers to service/repair facilities and technicians, to consumers.

Control of access to vehicle data has long been a priority for automakers. It was at the heart of Right-to-Repair; it was central to recent requests to the U.S. Copyright Office (which were denied); and it’s rooted in the ExVe Concept — all for good reasons from the automakers’ perspective. But certain aftermarket organizations want access to be shared jointly between automakers and the aftermarket. That’s a discussion that is heating up, but outside the scope of this article.

What is germane to shops and technicians is how they could be impacted by a shift to wireless, cloud-based data. For example, certain tools, service information and other day-to-day resources could transition from hardwired plug-in delivery to wireless cloud-based delivery. For that matter, mobile-ready data could be delivered to the device of your choice via a secured app that adds one more layer of protection to the original data housed separately on automaker servers. For shops, however, at what point might existing tool investments become redundant or useless?

As shown in the timeline above, the ISO votes in mid-November 2017 on approving the adoption and publication of ExVe standards for access to vehicle data, software and other information. (Image — The ISO)

Progress has its Cost
So don’t be surprised should automakers offering ExVe services require new cybersecurity-related prerequisites be met by shops and technicians before getting access to data — similar to the prerequisites necessary today for access to OE service information. Should tools become less plug-in and more cloud-based, will new subscription fees be required for data access requests, regardless of user or purpose? Or will shops be required to demonstrate they are securely locked down from hackers, so that a shop’s access to data doesn’t threaten other users or the automaker itself?

Case in point? The Automotive Service Association (ASA) is actively developing guidelines and policy to help shops become cybersecure. This initiative is new, so perhaps you haven’t heard of it yet. To further this effort, ASA Vice President Tony Molla told MOTOR the association has an upcoming meeting on cybersecurity scheduled for later this spring. Covering all the bases is no easy feat.

Need a more specific example? Jeremy Fry, the CEO of Autologic, a remote diagnostic provider that helps shops diagnose and repair European brands, told MOTOR that subscriber connections to Autologic services are continually monitored for cyberthreats. “When we detect a customer connected to us has been compromised, we sever the connection immediately, take other in-house measures, and notify the customer of the issue they need to address before service can be re-established.” Of concern to MOTOR is that Autologic is one of a very few tool and equipment companies with online or cloud-based services that even has these types of cybersecurity initiatives in place.

The trend toward locking down data and locking out the unsecure has only just begun for legitimate data providers and users, but its scope will grow as emerging connected technologies are implemented. After all, just imagine the threat to your shop if an automaker, whose online services you used, was hacked. Or vice versa, consider the threat to automakers if your shop was hacked before or while connected to them?

The ISO’s adoption deadline for ExVe is now just seven months away. Regardless of what new communications architecture standards are adopted or who controls access to vehicle data, one outcome is certain: Service and repair shops, their technicians and customers will have to deal with the consequences. So let me ask: Is your preparation going to be proactive or reactive in nature?


MOTOR Information Systems • 1301 W. Long Lake Road, Suite 300 • Troy, MI 48098