OBD Simulator Fraud A New Jersey Case Study I/M Solutions – Session #7 Salt Lake City April 2014

OBD Simulator Fraud New Jersey recently arrested three individuals from a decentralized Private Inspection Facility (PIF) for installing OBD simulators on vehicles to allow them to falsely pass the OBD emissions inspection. This represents the culmination of a joint effort with the Department of Environmental Protection (DEP), the Motor Vehicle Commission (MVC), and the Department of Criminal Justice (DCJ). The bulk of the work was done by Jeff Kennedy, one of our auditors and "skunkworks" software developers, who spearheaded the whole operation. IM Solutions - 4/28/20142

OBD Simulators and Their Use The simulators used are not pass-through devices but actual simulators which respond to requests for vehicle data with passing results as if they came from a vehicle. They can be used with an inspector’s knowledge where they plug the inspection equipment directly into the simulator. They can also be used without an inspector’s knowledge if the device is installed in place of the vehicle’s regular OBD connector and the vehicle’s MIL is turned off with a handheld scanner just prior to presenting it to be inspected by someone else. IM Solutions - 4/28/20143

NJ OBD Test Design and “Fingerprint” Capture New Jersey designed its OBD test with just such a situation in mind. Our OBD test is controlled by the software, not by the OBD module. The actual steps of the procedure are guided by the OBD responses that are received from the vehicle. We also capture as much information as we can from each vehicle. Because of this design we were able to create a database of OBD "fingerprints" from our inspection data. Fingerprint data includes: – Readiness information condensed to a profile number between 0 and 121 – Three Module IDs listed in ascending order – PID 00, PID 20, PID 40 hex responses – OBD "Type" (Mode 1 PID 1C) – eVIN availability – eVIN accuracy – CALID response – CVN data response – "Extended Data" responses – Warmups Since Codes Cleared, Time Since Codes Cleared, Miles Since Codes Cleared, Time with MIL On, Miles with MIL On – Hit Count – The number of times a vehicle was tested with a matching fingerprint (Cream rises to the top) IM Solutions - 4/28/20144

Fingerprint Data Capture and Analysis We created a list of about 93,000 fingerprints based on about 2.7 million inspection records from Jun 2010 through Nov Eventually, we found 6,078 simulated OBD tests from April 2010 through January 2014, with about half occurring in 2013 alone. The number was increasing rapidly during the later stages of the investigation. The analysis of the fingerprint data was a manual process that consisted of investigating the outliers. The fingerprint data had to be visually reviewed and different groupings of fingerprints were made. Patterns can be found by people quite easily, but before patterns can be found by computers they need to be programmed. Patterns can be found by people even where patterns are just there by coincidence. IM Solutions - 4/28/20145

Fingerprint Data Analysis In our first review one fingerprint showed up 38 times for a wide variety of different vehicles, but all had identical eVINs. We decoded the eVIN and it was for a 1994 Chevy Cavalier! Our procedure for handling a VIN mismatch at the time was to contact the customer about the discrepancy and ask that they have their ECU re-flashed with the correct eVIN. After about a month that particular fingerprint no longer appeared, most likely because our notification procedure got some attention. Apparently the individual using the simulator either stopped using it or became more sophisticated in its use by making changes to the fingerprint that were harder to detect. IM Solutions - 4/28/20146

Fingerprint Data Analysis (cont’d) We then focused on four different groups of fingerprints that were obviously invalid because they had values that were not to spec. For example, the OBD Type had values of FF or 00 which are not valid, or 06 which is for European OBD. The Module IDs were 10/18/28 which is not a real combination either. We looked for every facility that generated one of these fingerprints, and then we extracted all the vehicles these facilities inspected from Jan 2010 through Nov This extract included additional data elements (RPM, etc.) so we could look for more patterns. We then did a geographic distribution of vehicles that matched the fingerprints. They were virtually all from Passaic County. MVC Investigations suspected that the offending facilities were in Paterson. IM Solutions - 4/28/20147

Simulator Fraud Process The Private Inspection Facility (PIF) owner/inspector would install the OBD simulator in a vehicle and one of the employees would drive the vehicle to a centralized inspection facility (CIF) for inspection. They would return to the PIF shop and remove the simulator and set the vehicle back to normal. The customer was charged between $85 and $250 for this “service” depending on the failure condition. It appears that advertising was essentially by word-of- mouth. IM Solutions - 4/28/20148

Alert and Tracking Process We set up an alert system so that if any vehicle showed up that matched a fingerprint an alarm would sound and the Year/Make/Model/Plate info would be made available instantly to the task force. This data was relayed to MVC investigators who would then physically find the vehicle at the suspect shop. Once we had this preliminary information and a specific shop targeted, we were able to get DCJ involved. IM Solutions - 4/28/20149

Alert and Tracking Process (cont’d) We then created a trigger that worked from the VID data (within five minutes) that would send a text message to various participants every time the fingerprints appeared so DCJ could physically track the vehicles as they moved from one site to the other. DCJ installed surveillance cameras across from the targeted PIF, and evidence was accumulated. Eventually two MVC covert vehicles were equipped with internal cameras so we could obtain footage and record the suspects installing the simulators and then bringing the vehicles for inspection at the CIF. During the second covert operation one of the perpetrators actually met the detective and installed the device in the parking lot of the CIF. The final day a sting was set up and three suspects were arrested. IM Solutions - 4/28/201410

Evidentiary Issues In order for DCJ to make a case, the data to support the action had to meet certain evidentiary standards. The data we capture was solid enough for law enforcement purposes because our OBD test is both robust and repeatable. It is robust in that it can manage the responses from almost every vehicle in our fleet, with only a few vehicles in our exclusion list for readiness issues and no vehicles fully excluded from the OBD test. It is repeatable in that every vehicle will provide consistent responses every time it is inspected using workstations from either of our software vendors. IM Solutions - 4/28/201411

Emissions Impact After the arrests were made, we were curious as to what kind of environmental impact the use of these devices had on our air quality. Using the MOVES model we created a representative fleet for Passaic County and used a nominal failure rate of 10%. We then used our standard SIP inputs, and ran two scenarios: one with a standard IM program, and one without. The difference between the two shows the loss in benefit from the fraudulently inspected vehicles since that is equivalent to no I/M test. Our modeling showed that for the 3,142 vehicles passed fraudulently in 2013 using simulators, the loss in benefit was 111 tons/year of VOC + NOx. IM Solutions - 4/28/201412

Questions Bill Wanschura System Architect NJ Department of Environmental Protection Bureau of Mobile Sources P.O. Box 420 Mail code: E Trenton, NJ Phone: LinkedIn: Jeff Kennedy: Tom Dvorak (MOVES): IM Solutions - 4/28/201413