TRAVERSE CITY, MI – Since its launch in 2000, Covisint has become an online automotive parts-procurement hub with 40,000 supplier members and 450,000 users worldwide. By 2004, when it was taken over by Compuware, a Detroit-based computer-service provider, the firm had branched out into health-care records management.
Covisint now is delving into cutting-edge connected-vehicle technology by providing management services that bind a vehicle owner’s phone identity to his vehicle identity.
"The ability to provision myself to the appropriate phone, to the appropriate vehicle needs to be the foundation of all the stuff (auto makers are) putting (into connected vehicles),’" Covisint Chief Security Officer David Miller tells Ward's at Center for Automotive Research’s Management Briefing Seminars here.
“‘If you try to bake it in afterwards, then you're going to end up having security issues. People find ways to take advantage of the least-secure interfaces.’”
Covisint is pitching its identity-management security scheme to auto makers, with hopes of implementing the service within the year.
The company contends advanced-vehicle-telematics features have security loopholes, because owner identities, and the way they are linked together with the technology systems, are not being managed properly.
Having the owner's identity associated with his vehicle lets him control various functions remotely, such as starting the car or setting the top speed. But such control could be detrimental in the wrong hands, Miller says.
For example, when an owner sells his car, some harmless user data may remain stored in the vehicle, such as favorite Pandora radio stations or restaurants. However, the former owner or an identity thief could disable the car so that it won’t start.
"How does a user get his identity? How do you provision someone? How do you de-provision someone?" These are tasks Covisint is prepared to tackle, Miller says.
Similar to what the company is doing in the health-care field, blocking a physician whose license has been revoked from accessing electronic medical files thanks to a partnership with the American Medical Assn., Covisint would use publicly available data to sever the relationship between an owner and his former vehicle.
"Who knows if I sell a car? The state," Miller says. "All that information is public. LexisNexis (search engine) has all this stuff. So I can check your ownership title record on a weekly basis.
And when you sell that car, the second it gets re-titled, I can say your ID isn't going to work with that vehicle. You don't have to do anything."
Covisint's identity-management system also could enable a rental car to instantly recognize the driver’s identity when his phone is connected via Bluetooth to the vehicle’s head unit, giving him access to his Pandora stations, preferred navigation app and other features stored in his own vehicle.
Miller sees such OEM-installed identity management as eventually making a vehicle secure enough to connect the owner to his medical history. Information such as blood type and allergies could be sent to the nearest emergency room in the event of an accident.
However, he cautions, "That's the one thing you can't do if you (don’t) take the security of identity seriously."