Software disconnect between carmakers and dealers could lead to hacking disaster, reports Susan Kuchinskas. [Tele.Kuchinskas.2016.06.20]

In July, thieves in Houston, Texas, were seen on a security camera using a laptop to steal a Jeep Wrangler. The police think the crooks used dealer tools to marry a new key fob to the car, allowing them to drive off with the vehicle. One likely scenario is that someone with access to a car dealer’s computer systems sold key reset codes for specific vehicles. This method may also have been used in the thefts of four other Wranglers and Cherokees in Houston, police think.

One-off car thefts – or two, three or four-off – are bad enough but the theft of data from a car dealer’s CRM system could be much, much worse.
“If you buy a car, that dealership has all your non-public information – Social Security number, driver’s license number, your employment and your income,” says Max Zanan, president of Total Dealer Compliance (TDC), a compliance-auditing firm that also provides online training for dealers. “The amount of information the dealership has surpasses the amount of information your local bank has on you.”

TDC surveyed US auto dealerships in five states and found that their CRM software was not secure enough. It found that more than 70% of the dealers were not up-to-date on their anti-virus software. TDC also found that close to 85% of the dealers contracted with a vendor to handle more complex IT work, while only 30% had on staff a network engineer trained in computer security.

That’s understandable, Zanan says: “Dealers know how to sell cars, parts and service. They don’t know that much about computer security. You can’t blame them but you hope they will engage with a third party or put somebody on staff.” The stakes are high. When TDC surveyed consumers, 33% were not confident a car dealer could keep personal and financial data safe; 84% would not buy another car from a dealership that had compromised their data.

Dealers and the connected car

“You don’t need to do a survey to know that dealers are the weakest link in the security chain,” says Strategy Analytics analyst Roger Lanctot. “They’re interacting with the most vulnerable point in the car, the diagnostic port, and they have all the codes.”

“Dealers are attuned to this issue,” says Brad Miller, director of legal and regulatory affairs for the National Automobile Dealers Association. “Some do a better job than others.”

Meanwhile, OEMs and third parties are every day exploring new ways to send data to persistently connected cars or to get data out of them. So far, Lanctot sees OEMs keeping dealers out of these loops. “To the best of my knowledge, there’s not a single car company that enables direct connectivity between car, dealer and customer,” he says. Instead, most connected cars report their status back to the OEM. The OEM can then notify the dealer that a car has, for example, crossed a mileage threshold for service. This approach is cumbersome but, Lanctot adds, “There are serious trust and business model issues at stake.”

Lanctot sees this as a fundamental flaw in the auto industry: “Carmakers want to control the customer relationship but they are not directly responsible for it; the dealer is.” He says that as cars become more connected, it’s magnifying this business-model flaw. And the recent demonstrations of car hacking illustrate just how deep this vein of dysfunction runs.

In an ideal world, according to Lanctot, dealers would act as fleet managers, directly overseeing the health of the car, as well as data services and security. That’s probably never going to happen, and maybe it’s a good thing, given that security seems to be a weakness with dealers.

NADA’s Miller says his organisation is working with dealers to help them understand how the increased data flow from cars and from manufacturers affects them and how they can prepare. It’s put out guidance for dealers about some of the more low-tech but also more prevalent kinds of security issues, such as password hygiene, recognizing phishing attacks and how to safely connect to the network.

He also notes that most dealers rely on third-party software vendors that provide data security, especially among the multiple entities that dealer networks communicate with. The biggest question, Miller says, is, “How will dealers and manufacturers work together to make sure they can handle this? Dealers do need help from manufacturer partners, and the smart ones are starting to explore ways to take more of an ownership role to make sure they have the tools they need.”

Lanctot may be dismissive about the security of dealer systems but he does not minimise the role they can and should play in data security. He says: “Dealers probably know more than car makers do about how vulnerable their cars are and what those points of vulnerability are. It behoves the industry to get the dealers on board. While OEMs are trying to figure this out, they absolutely need to have a seat at the table for the dealer community.”
