Vehicle Security Information Model Approved for Pilot Testing

NASTF UPDATEVehicle Security Information Model Approved for Pilot Testing LEESBURG, VA (Feb. 21, 2007) - After wrestling with numerous stakeholder issues, including customer privacy and security, the Vehicle Security Committee (VSC) presented an update of its proposed Secure Data Release Model (SDRM) to the National Automotive Service Task Force's (NASTF's) board of directors. The report by VSC Co-chairman Mark Saxonberg focuses on three areas: an explanation of the importance of the vehicle security issue to the industry; an overview of the SDRM model; and the current status in the development and release of the model. Following the presentation, the NASTF board then approved the pilot-testing phase for the SDRM. Driving toward a solution The VSC had to find solutions to a variety of issues, including locksmith/technician liability and insurability and balancing the needs of automakers, law enforcement, the professional locksmith community and independent repairers. The VSC vetted these issues with stakeholders and cooperatively developed the SDRM and registry concepts. CA Senate Bill 1542: The Migden Key Code BillThis bill requires, beginning Jan. 1, 2008, every motor vehicle manufacturer to provide the registered owner of a vehicle with a means to access the information necessary to permit the reproduction of a key or other functionally similar device that will allow the vehicle owner to enter, start and operate his or her vehicle.
(Source: California Senate)

As vehicle security measures have become more complicated, there has been a corresponding and increasing difficulty in supporting consumers through traditional channels. Furthermore, legislative pressures in several states were bringing forward a number of disparate solutions.

For example, the recently passed Migden Key Code Bill (SB1542) in California has set an aggressive compliance deadline of Jan. 1, 2008. But this and other bills pending in additional states could lead to many different solutions being developed. Even if they all work and don't compromise consumers, these multiple solutions make the work of automakers and independent automotive service professionals even more cumbersome.

"The spirit of the AAA-sponsored Migden bill parallels the intentions the VSC had over two years ago," says Saxonberg. He adds that while the bill's language was somewhat ambiguous and lacked a dispute resolution/regulatory element, "the SDRM complements the bill with solutions for both."

The VSC was formed to identify, prioritize and correct gaps in accessibility to vehicle security information necessary to reproduce functional vehicle keys in roadside environments, while maintaining the security and integrity of vehicle anti-theft systems. In 2003, the Associated Locksmiths of America (ALOA), most of whose members are not automotive technicians, raised concerns about vehicle security issues with NASTF.

Discussion ensued within the VSC, with the inclusion of the National Insurance Crime Bureau (NICB), culminating in the decision to develop a process that would ensure that vehicle security information could be shared between automakers and vetted locksmiths and automotive service professionals without compromising the safety and security of consumers.

VSC SDRM development timeline.
(Source: NASTF)Something for everybody The result of these discussions is the NASTF-approved SDRM, with its built-in, secure registry. "The VSC's efforts are apolitical," Saxonberg stresses. "We're doing this to support our customers." The SDRM is designed to provide a nationwide infrastructure for access to various types of security data and service support systems. "The SDRM and its automotive security professional registry will give automakers a flexible system to provide 24/7 access to vehicle security information for pre-approved locksmiths and technicians. It allows aftermarket service providers to support consumer needs without undermining the integrity and basic purpose of vehicle security systems," says Mary Hutchinson, NASTF's administrative director. The SDRM and its registry not only establish a nationwide solution, but they ensure the industry meets the Migden Key Code Bill's Jan. 1 compliance deadline.

VSC SDRM architecture model.
(Source: NASTF)

The registry and SDRM are designed to ensure that only vetted automotive service professionals will have access to the information needed to create and register new keys to a consumer's car when existing keys are lost or unavailable. Mandatory background checks, liability insurance, fidelity bonding and state licensing (if applicable) are required to gain entry into the registry and become an external user of security data.

Once in, the SDRM incorporates the transparent logging of all vehicle security information transactions by the NICB, including dealer and non-dealer networks by automakers. These "transaction trails" can be used by law enforcement authorities, if and when necessary.

The SDRM and Registry were developed following open standards for maximum flexibility by original equipment manufacturers (OEMs) and other entities. By following the STAR- and OAGI-based communication standards (Standards for Technology in Automotive Retail/Open Applications Group Initiative), interaction between the disparate systems becomes a relatively simple matter.

"We [the VSC] are trying to make it as simple as possible for all OEMs to use their existing service information Web sites and participate in the implementation of the SDRM," Saxonberg says.

In addition, the SDRM and registry provide for timely and secure repair for consumers wherever their vehicles are. The model also puts in place a means to close the service information gap for non-parts issues, such as immobilizer initializations, immobilizer resets, key codes, personal identification numbers and radio security codes.

"Dealing with security data is a very tough issue, because of the combination of consumer privacy, insurance and law enforcement issues," says John Cabaniss, director for Environment & Energy for the Association of International Automobile Manufacturers. "In fact, security data is the only remaining gap in the information automakers routinely provide to independent shops because of those issues. Now we have a system to do so without undermining vehicle security."

Planning for progress As shown in the timeline, pilot testing will begin in March. Final build-out of system components is to be completed by May. Registry acceptance testing will be conducted in July and August. Registration by automotive security professionals - qualified locksmiths and technicians - will begin in September, followed by live testing using real data. Final production testing will be completed by December, in time to be operational and in compliance with the Migden Bill deadline. "We [the VSC] are trying to make it as simple as possible for all OEMs to use their existing Internet systems and participate in the implementation of the SDRM."
- Mark Saxonberg

Eight automakers (Toyota, Ford, DaimlerChrysler, Honda, Volvo, Mitsubishi, Nissan and Subaru), two independent trade associations (the Automotive Service Association [ASA] and ALOA), and law enforcement (the NICB, with consultation with the FBI) have been actively engaged in developing the registry and the SDRM architecture. The architecture model and communication standards have been established.

These eight and other automakers are expected to join in the upcoming pilot testing. "Auto manufacturers are very pleased that the NASTF Vehicle Security Committee is ready to go with pilot testing the Secure Data Release Model," says Cabaniss.

The registry will be managed and maintained by the independent repair industry. ALOA and ASA are actively building it, funding its construction and promoting its use by all qualified independent automotive security professionals.

Interested parties who apply to the registry must agree to a series of requirements for inclusion, including a procedure for positive identification of all consumers to whom services are provided. Should a dispute arise regarding acceptance into, or removal from the registry, an appeal can be made to NASTF, wherein a subcommittee of the VSC will serve as a referee and make the final decision for any such dispute.

Hutchinson also explained that the newly redesigned NASTF Web site will see a number of changes by year's end. A link will be added to the NASTF site later this summer, pointing interested parties to registry information and its enrollment process.

"By the end of the year, more functionality will be built into the NASTF Web site," says Hutchinson. The process for handling service information requests, currently housed on the iATN Web site, as well as the Tool and Training Matrices, currently housed by the Equipment and Tool Institute, will be brought into the NASTF site.

The NASTF board, recognizing that many will want to see the SDRM architecture and the registry in action as soon as possible, has directed the VSC to provide a demonstration at the next NASTF general meeting, on April 17, 2007 at 1:30 p.m. at the Marriott Renaissance Center in Detroit.

(Sources: NASTF, California Senate)