Under Lock & Key

Don’t be clueless about wireless connectivity. Rapid advances in vehicle security technologies have put the industry on the cutting edge ‑ and on edge.

Working on modern vehicles equipped with such a wide variety of security systems is becoming more of a challenge than most people realize. Not only do shops have to understand and manage the numerous security technologies, but they also have to manage the security of our business systems and personal devices in a way that prevents cyber-attacks from wreaking havoc.

My observation has been that most automotive repair facilities choose to pass on servicing these technologies by sending the customer to a dealer or a locksmith. But if you’re not ready to manage the process for your customers, this is not being “service ready.”

From the simple security key with laser-cut technology to proximity keys coupled with telematics, shop owners and technicians should be aware of the risks involved in working on these vehicles so they can serve their customers without sending them back to the new vehicle’s dealer. Let’s look at these challenges in context.

Most of us remember the days when, if you needed a new key for your car, you simply went to the hardware store and the man behind the counter “cut” a new key from a key blank using a grinder that duplicated the cut. The cost was a couple of bucks, and it took just a few minutes.

As our society evolved, more and more vehicles were being stolen. The thief only needed a couple of seconds to pop the lock cylinder out of the steering column or in some cases, just like you see in the movies, they’d just reach under the dash and jump a couple inconspicuous wires and off they went.

As vehicle theft increased, manufacturers devised ways to prevent, or deter, would-be car thieves. Technologies such as car alarms – both factory and aftermarket – were added to alert bystanders of a theft in progress.

Then came the somewhat-smart keys that contained a chip or resistor that was decoded on board the vehicle, requiring a match that would allow it to start. They were followed by smart key fobs and proximity keys that recognize the proper keying through near-field communication, which allows the driver to insert the fob into a slot without a keyed tumbler and enabled the use of the push-button starters that are common today.

These last few technologies are worthy of discussion. Consider the same scenario as above but on a late model vehicle with a laser-cut key and fob. If you take that key to the hardware store, you won’t find a solution. Your choices are to take it to the dealer or call a locksmith. At least that’s the perception of most people.

The cost to create this new key often can run more than $200. And, as I mentioned above, most automotive repair facilities also think these are the only two options. It’s possible, though, for an aftermarket repair facility to offer these services to motorists, providing the business an opportunity for profit and improved customer service.

Providing parity with the dealer

The National Automotive Service Task Force (NASTF) is a cooperative effort among the automotive service industry, the tool and equipment industry and the automobile manufacturers (OEMs). It was founded in 2000 to ensure that automotive service professionals working in the aftermarket have the information, training and tools needed to properly diagnose and repair today’s high-tech vehicles.

NASTF is most noted for ensuring that OEMs provide the same access to service information to the aftermarket as their dealers receive. In 2007, NASTF’s Vehicle Security Committee launched the Secure Data Release Model (SDRM) project that was designed cooperatively by the independent repair, insurance, law enforcement and automaker communities, allowing the aftermarket to access sensitive security information related to automobiles.

That information includes items such as key codes used to allow locksmiths or independent shops to cut a security key blank using a code rather than another key, PIN numbers used to unlock components in a vehicle (such as a radio) or immobilizer reset and activation information so that a shop can replace a security-related module and introduce it to the vehicle network. This allows the vehicle to start and operate normally just like at a dealer.

Along with the SDRM, NASTF created the Vehicle Security Professional (VSP) Registry as a service that allows access to these security-related files, while protecting the safety and security of the motorist and the integrity of security systems.

What does all that mean? It means that any automotive repair facility can provide the same key and security services to their customers as the dealer does. The process is well documented at NASTF.org with security information located in the Locksmith/Vehicle Security section.

Consider the resources you need

As you might know, access to these security systems requires a level of responsibility and potential liability. If you decide to work in this field, you’ll need someone on your staff who does this type of work. The applicant will need to be a Vehicle Security Professional. Following a background check, the applicant agrees to the terms and conditions of use of the Registry. Fees are outlined on NASTF.org.

Once accepted, the applicant will receive a security credential known as a Locksmith Identification (LSID) number. This identification is required to access any of those secure data systems served up by the OEMs. Once registered, the VSP can log in to the appropriate OEM website and request key-cutting codes, PINs and immobilizer programming packets. Now their facility can offer the services, but there are a few things to consider regarding equipment and facility security before you begin.

First, you need to have a way to machine a key to offer key-cutting services. These are available in the aftermarket, and many new models are user-friendly. They can cut a security key from a code you access via the OEM site, or they can duplicate a key and automatically cut it with great precision. The same can be said for smart key fobs and proximity keys. These can be created from scratch, using a similar method via the OEM site, or, in many instances, they can be duplicated.

There are many resources for aftermarket key blanks and generic fobs that you can either stock or order just in time. When programming the immobilizer modules on the vehicle, you can use either the OEM scan tool or, in many cases, an aftermarket scan tool designed specifically for this purpose. Coupled with your secure access to the OEM data you can provide OEM dealer services.

Is there a cost of entry? Sure there is, as with any other service you provide. Can it be profitable? It can, but don’t allow the cost to the customer give you sticker shock. Compare what they pay at the dealer or to a locksmith today. You can certainly be competitive. These services aren’t difficult, as long as you follow the regulations and requirements of the Registry and the SDRM.

However, there are many operators out there that shortcut the process by using “code brokers” who go around the system by acting as a VSP but are not actually in front of the vehicle to validate the VIN and ownership. The NASTF VSP Registry audits hundreds of LSIDs each month and suspends those that do not follow the requirements.

The National Insurance Crime Bureau is a part of the SDRM and alerts NASTF and the OEM when a vehicle is stolen. Using code brokers or locksmiths who don’t have an LSID only supports these unlawful endeavors. Even if you decide to outsource your security needs to a locksmith, make sure they have a valid LSID. But wait, there’s more!

Why cybersecurity matters

So far we’ve been discussing how you get into the vehicle security business and leverage the SDRM and NASTF process. But I’m sure you’ve seen news reports about cybersecurity issues with new vehicle technologies, where hackers take control of vehicles using laptops wirelessly connected to a vehicle driving down the road.

How real are those scenarios? Very real. And although many will say wireless connectivity is impossible, there are new discoveries every day of attack surfaces on smart vehicles being hit. In addition, your business model may be enabling access to your customers’ vehicles. This can happen via your customer WiFi and through your network-enabled scan tool. They possibly can allow malware to be implanted in a vehicle without your knowledge.

Those potential security breaches can happen, and you must consider them when building your shop systems, business networks, diagnostics platforms, information and internet-access points. It would be wise for all shop owners to consult with security professionals with respect to your shop network to prevent unwanted outside access.

“Wow! This is a pain,” you might say. But it is reality. A large number of vehicles are driving with systems designed and built before OEMs really understood the relationship and risk to some of the systems. It’s safe to say this topic is one that will be discussed often from this point forward because the technology is not going away. Again, start your research at NASTF.org. Good luck!