This article also appears in
Subscribe now »

The humble OBD-II port has moved beyond its originally designed intent as a port to check emissions and is now a potential gateway for vehicle security breaches. (PSA image)

Sharpening the focus on OBD-II security

SAE Standards News aims to update readers on the extensive activity in the SAE Global Ground Vehicle Standards development arena, by more than 800 ground vehicle committees comprised of volunteers from global industry stakeholders and SAE GVS staff who support the committee work.


In Fall 2016, the U.S. House Committee on Energy and Commerce reached out to the National Highway Traffic Safety Administration (NHTSA) in regards to addressing OBD-II security. The letter requested NHSTA to “convene an industry-wide effort to develop a plan of action for addressing the risk posed by the existence of the OBD-II port in the modern vehicle ecosystem.”

Enter SAE.

SAE International, at NHTSA’s urging, has started a working group that is ‘looking to explore ways to harden the OBD-II port’—that was their [NHTSA’s] language,” said Tim Weisenberger, SAE’s Project Manager, Technical Programs, Ground Vehicle Standards. SAE set to work by reaching out to a wide range of the industry. A working group was assembled to examine the issue with the goal of developing a set of recommendations.

“The OBD-II port has moved beyond its originally designed intent as a port to check emissions by regulators like the EPA and CARB,” Weisenberger explained. There are vehicle data access vs. vehicle security issues at hand. Many entities are requesting both legitimate and non-legitimate access to the port. The “legit” side include inspection and maintenance, workshop/service, insurance/other plug-in telematics and prognostics apps and performance tuners. On the malicious side are the hackers.

Triggering the industry

The group of approximately 40 gathered for the first workshops on December 1 and January 30 to identify common issues, needs and an approach to secure the OBD.

“The group included a couple of our experts that run various committees—Bob Gruszczynski from VW and Mark Zachos from DGTech were really the lead experts,” Weisenberger explained.

SAE staff were also present to facilitate and help to examine how the organization could move forward rapidly. They considered either standards development or expedited standards development that uses what SAE calls a Cooperative Research Project approach. This is a pathway for joint-venture research projects where two or more organizations pool their resources to study a pre-competitive technical area and share in the results.

“It was interesting that this was kind of a trigger for the industry to get together to create something that’s a little more open for the entire industry,’’ he said, “not just specific to company.”

The new OBD working group SAE has assembled is broad. It is comprised of eight automotive OEMs (BMW, Ford, GM, Honda, Hyundai, Isuzu, Toyota, VW), a few heavy truck OEMs and suppliers (Volvo, Cummins), various associations (MEMA, ETI), as well as representation from government and regulators (California Air Resources Board, NHTSA and the National Institute of Standards and Technology).

Get to know the TEVDS20

Through this effort, a new SAE committee was born: the Data Link Connector Vehicle Security Committee (TEVDS20). It is important to note that “data link connector” is the technical term for the OBD-II port (which is really more of an industry slang term, Weisenberger told AE). With the committee’s naming as a trigger, members will begin to use the technical term moving forward.

As this issue of Automotive Engineering went to press, the group was set to meet again to define the scope of work and engage a new Task Force under the committee to develop the technical work item (J3138). From there, the committee will continue to meet periodically to examine the issue and begin new work items as needed, Weisenberger explained.

“This new work item is a very specific use case,” he said. “It is a deep dive.” The potential is there for other work down the road, but for now the group has its very specific goal to meet the House Committee’s need of hardening the OBD-II port in sight.

We’ll keep you informed of their progress.

Continue reading »