
Fred Upton’s Bid at Protecting Automotive Security Negligence [Updated]

I’ve written about Ed Markey’s SPY Act, one of several efforts to respond to network insecurity in cars. Fred Upton, who represents Kalamazoo, MI, is pushing an alternative version as part of larger reform to the National Highway Traffic Safety Administration. It appears to be an attempt to forestall regulation from other directions. Update: Here’s a draft of the bill.

Take, for example, its call for a privacy policy. Whereas Markey’s bill requires manufacturers to provide a dashboard informing customers about their privacy policy (after all, all cars have an EPA report), Upton’s only requires it to be posted … somewhere.

More importantly, though, the bill establishes a $1 million cap on damages for manufacturers who refuse to have or violate their policy, and it pre-empts FTC action on unfair trade practices (of the sort that just got Wyndham Hotels in trouble).

This section provides that if a manufacturer does not file a privacy policy or violates any of the terms in its policy, the manufacturer is liable to the U.S. Government for a civil penalty of $5,000 per day, with a maximum penalty for a series of violations of $1,000,000. This section also provides that a manufacturer that submits a privacy policy identifying that it meets all seven of the privacy elements described in this section is not subject to civil penalties. It establishes a safe harbor from Section 5 of the Federal Trade Commission Act with respect to any unfair or deceptive act or practice relating to privacy for any manufacturer whose privacy policy and practices meet all seven of the privacy elements described in this section.

Car companies are going to opt to pay that $1M instead of telling their customers how they’re using their driving data.

The cybersecurity requirement likewise serves more to protect companies than to impose sound security on them. Whereas Markey’s bill would require certain things of a cybersecurity policy, Upton’s would let the industry establish a standard, then permit manufacturers to submit plans that fulfill “some or all” of those standards. Once submitted, those plans would disappear: they couldn’t be FOIAed, and the manufacturers couldn’t be sued by the FTC if they violated their terms.

This section exempts vehicle security and integrity plans submitted by manufacturers from Freedom of Information Act requests.

This section provides that a manufacturer that violates its vehicle security and integrity plan is subject to civil penalties. A manufacturer is not subject to those civil penalties (but doesn’t get the liability protections) if it submits a vehicle security and integrity plan that is approved by the Administrator and implements and maintains the best practices identified in their plan. This section provides that the best practices issued by the Council may not provide a basis for or evidence of liability against a manufacturer whose cybersecurity practices are alleged to be inconsistent with the best practices if the manufacturer has not filed a vehicle security and integrity plan and if the plan does not include the cybersecurity practice at issue.

This section also establishes a safe harbor from Section 5 of the Federal Trade Commission Act with respect to the best practices identified and implemented and maintained in the vehicle security and integrity plan submitted by a manufacturer.

In other words, these plans don’t have to be sound so long as they can get NHTSA’s sign-off (remember, NHTSA by its own admission doesn’t have software expertise, which is why Toyota got away with its acceleration problem for so long), and once the plans were in place, a company that mostly fulfilled them would be largely immune from regulation.

Which is why I believe this section does what I’m afraid it does: make it harder for independent researchers to review carmakers’ code.

This section establishes that it is unlawful for any person to access, without authorization, electronic control units or critical safety systems in a vehicle, or other systems containing driving data either wirelessly or through a wired connection. It establishes a civil penalty of $100,000 for a person who violates this section.

The actual language of the bill does not include a researcher’s exception.

(1) PROHIBITION.—It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.

It also imposes a penalty for each thing hacked (so doing research would get really expensive quickly).

Update: NHTSA is no more impressed than I am.

The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards.

Nor are the privacy people at the FTC, who read the privacy provisions as even worse than I did.

Under this proposal, manufacturers can satisfy the requirements of this section without providing any substantive protections for consumer data. For example, a manufacturer’s policy could qualify for a safe harbor even if it states that the manufacturer collects numerous types of personal information, sells the information to third parties, and offers no choices to opt out of such collection or sale. Moreover, because the safe harbor exempts a manufacturer from FTC oversight, and Section 32402(d)(2) provides a separate exemption from civil penalties, a manufacturer that submits a privacy policy that meets the requirements of Section 32402(b) but does not follow it would not be subject to any enforcement mechanism.

Like me, it reads the hacking provision to prohibit research, thus leading to less cybersecurity.

By prohibiting such access even for research purposes, this provision would likely disincentivize such research, to the detriment of consumers’ privacy, security, and safety.

And it has the same concerns I do about providing immunity for crappy cybersecurity practices.

Finally, the proposed safe harbor is so broad that it would immunize manufacturers from liability even as to deceptive statements made by manufacturers relating to the best practices that they implement and maintain. For example, false claims on a manufacturer’s website about its use of firewalls, encryption, or other specific security features would not be actionable if these subjects were also covered by the best practices.

In sum, the Commission understands the desire to provide businesses with certainty and incentives, in the form of safe harbors, to implement best practices. However, the security provisions of the discussion draft would allow manufacturers to receive substantial liability protections in exchange for potentially weak best practices instituted by a Council that they control. The proposed legislation, as drafted, could substantially weaken the security and privacy protections that consumers have today.

Timeline: Is Volkswagen’s ‘Bug’ an EU Feature? [UPDATED]

[photo: macwagen via Flickr]


Reports this last week that Volkswagen deployed “defeat devices” — software designed to cheat diesel passenger vehicle emissions controls tests — revealed more than an automobile manufacturing group run amok. One might also suspect the European Union’s emissions governance after looking at a timeline of events.

NOTE: This timeline is in progress and is subject to updating as new items are identified. [Update 7:00 pm EDT – note added about translation, and note added to citation [4]]

— 1970 —
February 1970 — The Council of the European Communities issued the Council Directive 70/156/EEC, which established a mutual baseline for technical specifications of vehicles sold across the member states. This included 3.2.20. Measures taken against air pollution.

— 1992 —
July 1992 — Euro 1, the first of the Euro 1 through 6 passenger vehicle emissions standards, is implemented. Euro 1 for new diesel-fueled vehicles limited emissions of carbon monoxide (CO) to 2.72 grams per kilometer, with no initial limit on nitrogen oxides (NOx) alone, but a combined limit of hydrocarbons plus nitrogen oxides (HC+NOx) of 0.97 g/km.

— 2004 – 2009 —
Dates Vary — Vehicle manufacturers phased in the remaining Euro 4 through 6 emissions standards.

19 October 2004 — European Environment Agency published a press release, Poor European test standards understate air pollution from cars, which summarized the problem:

Inadequate test standards are underestimating emissions of harmful air pollutants from new cars and evidence indicates that many diesel car owners are making things worse by modifying their engines to increase power, the European Environment Agency warned today.

No specific orders or directions were offered to resolve the problem with emissions test standards.

— 2007 —
(Month TBD) — Volkswagen subsidiary Audi launched its “Truth in Engineering” ad campaign. This tagline remains in use to present.

— 2008 —
(Month TBD) — VW announced its “Clean Diesel” (TDI model) technology, and began selling it in 4-cylinder diesel Jetta, Beetle, Audi A3, and Golf cars to the US market.

(Month TBD) — Green Car Journal named VW’s 2009 Jetta TDI “Green Car of the Year.”

— 2009 —
September 2009 — European emission standard Euro 5a for diesel passenger vehicles enacted, limiting CO to 0.50 grams per kilometer, NOx to 0.180 g/km, and HC+NOx to 0.230 g/km.

These levels are a reduction from the Euro 4 standard implemented in January 2005 (CO=0.50, NOx=0.25, HC+NOx=0.30).

Another Reason GM May Have Come Around to CISA

Last week, Wired had a story about a hack of GM vehicles that the car company took 5 years to fix. As the story explains, while GM tried to fix the vulnerability right away, their efforts didn’t completely fix the problem until GM quietly sent a fix to its vehicles over their Verizon network earlier this year.

GM did, in fact, make real efforts between 2010 and late 2014 to shield its vehicles from that attack method, and patched the flaws it used in later versions of OnStar. But until the surreptitious over-the-air patch it finished rolling out this year, none of its security measures fully prevented the exploit in vehicles using the vulnerable eighth generation OnStar units.

The article uses this as a lesson in how ill-equipped car companies were in 2010 (notably, right after they had been put through bankruptcy) to fix such things, and how much more attentive they’ve gotten in the interim.

GM tells WIRED that it has since developed the ability to push so-called “over-the-air” updates to its vehicles. The company eventually used that technique to patch the software in its OnStar computers via the same cellular Internet connection the UCSD and UW researchers exploited to hack the Impala. Starting in November of 2014, through the first months of 2015, the company says it silently pushed out a software update over its Verizon network to millions of vehicles with the vulnerable Generation 8 OnStar computer.

Aside from the strangely delayed timing of that patch, even the existence of any cellular update feature comes as a surprise to the UCSD and UW researchers. They had believed that the OnStar computers could be patched only by driving them one-by-one to a dealership, a cumbersome and expensive fix that would have likely required a recall.

GM chief product cybersecurity officer Jeff Massimilla hints to WIRED that performing the cellular update on five-year-old OnStar computers required some sort of clever hack, though he refused to share details. “We provided a software update over the air that allowed us to remediate the vulnerability,” Massimilla writes in an email. “We were able to find a way to deliver over-the-air updates on a system that was not necessarily designed to do so.”

What Wired doesn’t note is that GM was in the thick of recall hell by November 2014 because of its delay, during the same period, in fixing ignition problems. It’s not just the network problem GM wasn’t fixing, it was more traditional problems as well. Whatever hack GM pulled off, starting in November 2014 as a kluge to fix a long-running problem, GM did so while under great pressure for having sat on other (more obviously dangerous) problems with their cars. GM also did so knowing their recognizable Impala would be shown on 60 Minutes exhibiting this problem.

In late 2014, they demonstrated it yet again for a 60 Minutes episode that would air in February of 2015. (For both shows they carefully masking-taped the car’s logos to prevent it from being identified, though car blog Jalopnik nonetheless identified the Impala from the 60 Minutes demo.)

So GM had a lot more urgency to find curious hacks in November 2014 than they did in 2010.


Former Car Czar Steve Rattner Remains an Idiot about Cars

I really shouldn’t waste my time making fun of Steve Rattner, but I will.

He just tweeted a map showing the most popular vehicle in each state last year. He noted that in the Big 12 Ford rules, the Big 10 Chevy rules. If you ignore current conference memberships such a claim might be mostly true.

Then he said that on the coasts, “Honda/Toyota (imports) rule.”

Only, for the two main vehicles he was discussing, Camry and Accord (and to a lesser degree, CR-V), those vehicles aren’t imports. They’re made in the US.

In fact, if you account for the source of the parts in a vehicle, Camry has been — for several years — the most “American” car.

Indeed, of the cars he was discussing, only the Forester is primarily assembled in Japan — other “imports” are made in North America (Subaru keeps talking about bringing that production to IN, too, but it seems more likely they’ll just keep increasing Outback production there).

Maybe Rattner was just being sloppy, using the word “import” for the term “transplant” used within the industry. Though the comment seemed to be central to his point — he added the word “import” to explain why this was interesting, it seemed.

Unless he was making a distinction about unionization — the transplants remain non-union, though UAW is working hard to change that — his comment was an odd betrayal of how unfamiliar he is with cars, even after serving as Obama’s Car Czar.

Tesla Patches Faster than Chrysler … and than Android [UPDATED]

Wired’s hack-of-the-day story reports that researchers hacked a Tesla (unlike the Chrysler hack, it required access to the vehicle once, though the Tesla also has a browser vulnerability that might not require direct access).

Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.

The story notes how much more proactive Tesla was in patching this problem than Chrysler was.

The researchers found six vulnerabilities in the Tesla car and worked with the company for several weeks to develop fixes for some of them. Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.

In my understanding, Tesla was able to do this both because it responded right away to implement the fix, and because it had the technical ability to distribute the update in such a way that was usable for end users. Chrysler deserves criticism for the former (though at least according to Chrysler, it did start to work on a fix right away, it just didn’t implement it), but the latter is a problem that will take some effort to fix.

Which is one reason I think a better comparison with Tesla’s quick fix is Google’s delayed fix for the Stagefright vulnerability. As the researcher who found it explained, Google addressed the vulnerability internally immediately, just like Tesla did.

Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.

The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file over a MMS message targeting the device’s media playback engine, Stagefright, which is responsible for processing several popular media formats.

Attackers can steal data from infected phones, as well as hijacking the microphone and camera.

Android is currently the most popular mobile operating system in the world — meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.

Joshua Drake, mobile security expert with Zimperium, reports

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification…Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Zimperium say that “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”

But with Android the updates need to go through manufacturers, which creates a delay — especially given fairly crummy updating regimes by a number of top manufacturers.

The experience with this particular vulnerability may finally be pushing Android-based manufacturers to fix their update process.

It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

I make this comparison for two reasons. One, if Google — the customers of which have the hypothetical ability to send out remote patches, even if they’ve long neglected that ability — still doesn’t have this fixed, it’s unsurprising that Chrysler doesn’t yet.

But some of the additional challenges Chrysler faces, and Tesla largely avoids, stem from the fragmented industry. Chrysler’s own timeline of its vulnerability describes a “third party” discovering the vulnerability (not the hackers), and a “supplier” fixing it.

In January 2014, through a penetration test conducted by a third party, FCA US LLC (“FCA US”) identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.

The supplier began to work on security improvements immediately after the penetration testing results were known in January 2014.

But it’s completely unclear whether that “third party” is the “supplier” in question. Which means it’s unclear whether this was found in the supplier’s normal testing process or in something else.
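The failure FCA describes above, a listener that accepts commands from unauthenticated sources behind firewall rules that are open by default, is easy to show in miniature. The following is an added example written for this page, not FCA’s, the supplier’s, or the researchers’ code, and it does not reproduce the radio’s real protocol: the JSON message format, the command names (`radio.volume`, `radio.source`, `can.inject`) and the shared key are all assumptions. It puts the open handler beside a hardened one that only acts on messages carrying a valid HMAC and a fresh counter, and that drops anything not on an allowlist, which is the message-level equivalent of default-deny firewall rules.

```python
"""
Open versus authenticated "command port" handlers.

Constructed example: message format, command names and key are assumptions,
not the real radio protocol. Messages are passed as bytes in memory rather
than over a socket so the whole thing runs offline.
"""
import hashlib
import hmac
import json

# Assumed benign commands the port is meant to serve; anything else is dropped.
ALLOWED_COMMANDS = {"radio.volume", "radio.source"}


def handle_open(raw: bytes) -> dict:
    """Vulnerable form: acts on whatever arrives, from any source."""
    msg = json.loads(raw)
    return {"accepted": True, "command": msg["cmd"], "args": msg.get("args", {})}


class AuthenticatedPort:
    """Hardened form: HMAC-SHA256 over the payload, monotonic counter, allowlist."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = -1  # highest counter accepted so far (replay guard)

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def handle(self, raw: bytes) -> dict:
        # 1. Envelope must parse and carry both a payload and a tag.
        try:
            env = json.loads(raw)
            payload = env["payload"].encode()
            tag = env["mac"]
        except (ValueError, KeyError, TypeError, AttributeError):
            return {"accepted": False, "reason": "malformed"}
        # 2. Constant-time comparison of the MAC before touching the payload.
        if not isinstance(tag, str) or not hmac.compare_digest(self._mac(payload), tag):
            return {"accepted": False, "reason": "bad mac"}
        msg = json.loads(payload)
        # 3. Counter must strictly increase, so a captured message cannot be replayed.
        counter = msg.get("ctr", -1)
        if not isinstance(counter, int) or counter <= self._last_counter:
            return {"accepted": False, "reason": "replay"}
        # 4. Default deny: only allowlisted commands are executed.
        if msg.get("cmd") not in ALLOWED_COMMANDS:
            return {"accepted": False, "reason": "not allowlisted"}
        self._last_counter = counter
        return {"accepted": True, "command": msg["cmd"], "args": msg.get("args", {})}


def build_message(key: bytes, cmd: str, args: dict, counter: int) -> bytes:
    """What a legitimate sender (e.g. the head unit's own app) would emit."""
    payload = json.dumps({"cmd": cmd, "args": args, "ctr": counter}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "mac": tag}).encode()


def demo() -> dict:
    """Run the same traffic against both handlers and return the outcomes."""
    key = b"constructed-demo-key"  # assumption: a pre-shared key provisioned at build time
    port = AuthenticatedPort(key)
    # Constructed attacker traffic: an unsigned message naming a non-radio command.
    attacker = json.dumps({"cmd": "can.inject", "args": {"frame": "deadbeef"}}).encode()
    legit = build_message(key, "radio.volume", {"level": 3}, counter=1)
    return {
        "open_port_takes_attacker": handle_open(attacker)["accepted"],
        "auth_port_rejects_attacker": port.handle(attacker)["reason"],
        "auth_port_takes_legit": port.handle(legit)["accepted"],
        "auth_port_rejects_replay": port.handle(legit)["reason"],
        "auth_port_rejects_forgery": port.handle(
            build_message(b"wrong-key", "radio.volume", {}, 2))["reason"],
        "auth_port_rejects_offlist": port.handle(
            build_message(key, "can.inject", {}, 2))["reason"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the allowlist step is the one the FCA statement makes about its firewall: a port that is reachable at all should accept the few things it is for and reject everything else by default, rather than relying on nobody finding it. The counter is a deliberately simple freshness mechanism; a real deployment would also need a key-provisioning story, which this example assumes away.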

One reason cars are particularly difficult to test is that so many different suppliers provide parts that don’t get tested (or even adequately specced) in an integrated fashion.

Then, if you need to fix something you can’t send out over a satellite or Internet network, you’re dealing with the — in many cases — archaic relationships car makers have with dealers, not to mention the limitations of dealer staff and equipment to make the fix.

I don’t mean to excuse the automotive industry — they’re going to have to fix these problems (and the same problems lie behind fixing some of the defects tied to code that doesn’t stem from hacks, too, such as Toyota’s sudden acceleration problem).

It’s worth noting, however, how simplified supply and delivery chains make fixing a problem a lot easier for Tesla than it is for a number of other entities, both in and outside of the tech industry.

UPDATE — 4:30 PM EDT —

Hey, it’s Rayne here, adding my countervailing two cents (bitcoins?) to the topic after Marcy and I exchanged a few emails about this topic. I have a slightly different take on the situation since I’ve done competitive intelligence work in software, including open source models like Android.

Comparing Fiat Chrysler’s and Google’s Android risks, the size and scale of the exposures are a hell of a lot different. There are far more Android devices exposed than Chrysler car models at risk — +1 billion Android devices shipped annually around the globe as of 4Q2014.

Hell, daily activations of Android devices in 2013 were 1.2 million devices per day — roughly the same number as all the exposed Chrysler vehicles on the road, subject to recall.

Google should have a much greater sense of urgency here due to the size of the problem.

Yet chances of a malware attack on an Android device actually causing immediate mortal threat to one or more persons is very low, compared to severity of Chrysler hack. Could a hacker tinker with household appliances attached via Android? It’s possible — but any outcome now is very different from a hacker taking over and shutting down a vehicle operating at high speed in heavy traffic, versus shutting off a Philips remote-controlled Hue lamp or a Google Nest thermostat, operating in the Internet of Things. The disparity in annoyance versus potential lethality may explain why Google hasn’t acted as fast as Tesla — but it doesn’t explain at all why Chrysler didn’t handle announcing their vulnerability differently. Why did they wait nearly a year to discuss it in public?

GM Supports Obtaining Cybersecurity Immunity Just after Hack Vulnerability Revealed

Dianne Feinstein just gave a long speech on the Senate floor supporting the Cyber Information Sharing Act.

She listed off a list of shocking hacks that happened in the last year or so — though made no effort (or even claim) that CISA would have prevented any of them.

She listed some of the 56 corporations and business organizations that support the bill.

Most interestingly, she boasted that yesterday she received a letter from GM supporting the bill. We should pass CISA, Feinstein suggests, because General Motors, on August 4, 2015, decided to support the bill.

I actually think that’s reason to oppose the bill.

As I have written elsewhere — most recently this column at the DailyDot — one of my concerns about the bill is the possibility that by sharing data under the immunity afforded by the bill, corporations might dodge liability where it otherwise might serve as necessary safety and security leverage.

Immunizing corporations may make it harder for the government to push companies to improve their security. As Wyden explained, while the bill would let the government use data shared to prosecute crimes, the government couldn’t use it to demand security improvements at those companies. “The bill creates what I consider to be a double standard—really a bizarre double standard in that private information that is shared about individuals can be used for a variety of non-cyber security purposes, including law enforcement action against these individuals,” Wyden said, “but information about the companies supplying that information generally may not be used to police those companies.”

Financial information-sharing laws may illustrate why Wyden is concerned. Under that model, banks and other financial institutions are obligated to report suspicious transactions to the Treasury Department, but, as in CISA, they receive in return immunity from civil suits as well as consideration in case of sanctions, for self-reporting. “Consideration,” meaning that enforcement authorities take into account a financial institution’s cooperation with the legally mandated disclosures when considering whether to sanction them for any revealed wrongdoing. Perhaps as a result, in spite of abundant evidence that banks have facilitated crimes—such as money laundering for drug cartels and terrorists—the Department of Justice has not managed to prosecute them. When asked during her confirmation hearing why she had not prosecuted HSBC for facilitating money laundering when she presided over an investigation of the company as U.S. Attorney for the Eastern District of New York, Attorney General Loretta Lynch said there was not sufficient “admissible” evidence to indict, suggesting they had information they could not use.

In the same column, I pointed out the different approach to cybersecurity — for cars at least — of the SPY Act — introduced by Ed Markey and Richard Blumenthal — which affirmatively requires certain cybersecurity and privacy protections.

Increased attention on the susceptibility of networked cars—heightened by but not actually precipitated by the report of a successful remote hack of a Jeep Cherokee—led two other senators, Ed Markey and Richard Blumenthal, to adopt a different approach. They introduced the Security and Privacy in Your Car Act, which would require privacy disclosures, adequate cybersecurity defenses, and additional reporting from companies making networked cars and also require that customers be allowed to opt out of letting the companies collect data from their cars.

The SPY Car Act adopts a radically different approach to cybersecurity than CISA in that it requires basic defenses from corporations selling networked products. Whereas CISA supersedes privacy protections for consumers like the Electronic Communications Privacy Act, the SPY Car Act would enhance privacy for those using networked cars. Additionally, while CISA gives corporations immunity so long as they share information, SPY Car emphasizes corporate liability and regulatory compliance.

I’m actually not sure how you could have both CISA and SPY Act, because the former’s immunity would undercut the regulatory limits on the latter. (And I asked both Markey and Blumenthal’s offices, but they blew off repeated requests for an answer on this point.)

Which brings me back to GM’s decision — yesterday!!! — to support CISA.

The hackers that remotely hacked a car used a Jeep Cherokee. But analysis they did last year found the Cadillac Escalade to be the second most hackable car among those they reviewed (and I have reason to believe there are other GM products that are probably even more hackable).

So … hackers reveal they can remotely hack cars on July 21; Markey introduced his bill on the same day. And then on August 4, GM for the first time signs up for a bill that would give them immunity if they start sharing data with the government in the name of cybersecurity.

Now maybe I’m wrong in my suspicion that CISA’s immunity would provide corporations a way to limit their other liability for cybersecurity so long as they had handed over a bunch of data to the government, even if it incriminated them.

But we sure ought to answer that question before we go immunizing corporations whose negligence might leave us more open to attack.

Was Chrysler’s Vehicle Hacking Risk an SEC Disclosure Reportable Event?

[photo: K2D2vaca via Flickr]


Remember the data breach at JPMorgan Chase, exposing 76 million accounts to “hack-mapping“? Last October, JPMorgan Chase publicly disclosed the intrusion and exposure to investors in an 8-K filing with the Securities and Exchange Commission. The statement complied with the SEC’s CF Disclosure Guidance: Topic No. 2 – Cybersecurity.

Other companies whose customers’ data have been exposed also disclosed breaches in 8-Ks, including Target, TJX Companies, Heartland Payment, EMC and Google. (Firms NASDAQ, Citigroup and Amazon have not.)

Disclosure of known cybersecurity threats or attacks with potential material risks allows investors to make informed decisions. Stock share pricing will fluctuate and reflect the true market value once risk has been factored by investors — and not remain artificially high.

Fiat Chrysler America (FCA; NYSE:FCAU) has known for nearly a year about the risk that Chrysler vehicles could be hacked remotely, according to Fortune magazine Thursday.

Yet to date no filing with the SEC has been made, disclosing this specific cyber risk to investors, customers, and the public.

The SEC’s Disclosure Guidance, though, is just that — guidance. There aren’t any firm rules yet in place, and the guidance itself was published in October 2011. A lot has happened and changed about technology and cybersecurity risks since then; the guidance has not reflected the increasing threats and attacks to business’ data.

Nor does the SEC’s guidance distinguish between cybersecurity threats to service products (like banking services), versus hardlines or manufactured goods (like automobiles which offer software as an additional, non-essential feature). The software industry’s chronic security patching confuses any distinction; should software companies likewise include all security patches in their SEC filings, or continue as they have without doing so? It’s easy to see how revelations about Adobe Flash after Hacking Team was hacked have materially hurt Adobe and all companies relying on Flash — yet Adobe hasn’t released a statement at its website. (Only a statement addressing the 2013 threat to customer accounts is posted.)

Are financial services firms any more obligated than software firms? Are automobile companies, which claim ownership of on-board software, any more obligated than software companies?

Why Apple Should Pay Particular Attention to Wired’s New Car Hacking Story

This morning, Wired reports that the hackers who two years ago hacked an Escape and a Prius via physical access have hacked a Jeep Cherokee via remote (mobile phone) access. They accessed the vehicle’s Electronic Control Unit and from that were able to get to ECUs controlling the transmission and brakes, as well as a number of less critical items. The hackers are releasing a report [correction: this is Markey’s report], page 86 of which explains why cars have gotten so much more vulnerable (generally, a combination of being accessible via external communication networks, having more internal networks, and having far more ECUs that might have a vulnerability). It includes a list of the most and least hackable cars among the 14 they reviewed.


Today Ed Markey and Richard Blumenthal are releasing a bill meant to address some of these security vulnerabilities in cars.

Meanwhile — in a remarkably poorly timed announcement — Apple announced yesterday that it had hired Fiat Chrysler’s former quality guy, the guy who would have overseen development of both the hackable Jeep Cherokee and the safer Dodge Viper.

Doug Betts, who led global quality at Fiat Chrysler Automobiles NV until last year, is now working for the Cupertino, Calif.-based electronics giant but declined to comment on the position when reached Monday. Mr. Betts’ LinkedIn profile says he joined Apple in July and describes his title as “Operations-Apple Inc.” with a location in the San Francisco Bay Area but no further specifics.

Along with Mr. Betts, whose expertise points to a desire to know how to build a car, Apple recently recruited one of the leading autonomous-vehicle researchers in Europe and is building a team to work on those systems.

In 2009, when Fiat SpA took over Chrysler, CEO Sergio Marchionne tapped Mr. Betts to lead the company’s quality turnaround, giving him far-reaching authority over the company’s brands and even the final say on key production launches.

Mr. Betts abruptly left Fiat Chrysler last year to pursue other interests. The move came less than a day after the car maker’s brands ranked poorly in an influential reliability study.

Note, the poor quality ratings that preceded Betts’ departure from Fiat Chrysler pertained especially to infotainment systems, which points to electronics vulnerabilities generally.

As they get into the auto business, Apple and Google will have the luxury that struggling combustion engine companies don’t have — that they’re not limited by tight margins as they try to introduce bells and whistles to compete on the marketplace. But they’d do well to get this quality and security issue right from the start, because the kind of errors tech companies can tolerate — largely because they can remotely fix bugs and because an iPhone that prioritized design over engineering can’t kill you — will produce much bigger problems in cars (though remote patching will be easier in electric cars).

So let’s hope Apple’s new employee takes this hacking report seriously.

GM’s New CEO: This Model Has Titanium Features

The woman in the photo at the right has big titanium ovaries — not malleable brass or rusting iron. Do I know Mary Barra personally to attest to this fact? No. But I have a pretty damned good idea where GM’s new CEO has been, and it takes a pretty tough set of specifications to survive the road she’s traveled.

Like her I grew up in the I-75 corridor in Michigan, where much of the automotive industry’s OEM facilities and Tiers 1 through 3 suppliers could be found. Like her father, my father worked in the automotive business; if her household was like mine, there were copies of Car and Driver, Road & Track, machinist, tool-and-die, and metalforming magazines cluttering coffee tables or in dad’s man-cave. The smell of machine oil and the grit of metal chips are familiar, as are an ever-present collection of safety glasses, hearing protection, and greasy jumpsuits. Picture a garage like that in Clint Eastwood’s movie Gran Torino; I’ll lay good money her dad probably spent a lot of his free time between shifts in a home shop like that, and where she might have been found as well if he needed a hand or she needed a tool to fix something.

It was in her blood, I’m sure; I’ll bet she could taste it. I’m pretty certain this is why she went into engineering, and likely why she went to that particular private engineering school.

After working for a couple years as a high school engineering co-op student I had been accepted at the same school, but I went a different road, preferring business and then-nascent computing technology over engineering. My daughter, though, is at that school now. She could taste it, too; we have pictures of her at age nine, wearing safety glasses, proudly holding her first aluminum machined part. She’s the first person her dad asks for help when working on the cars at home.

I wish now I’d taken pictures of her the time she was so damned mad at her brother and his friend for accidentally breaking the sibling-shared PlayStation 2 console. She ripped it down, diagnosed it using internet research, fixed and reassembled it on her own in an afternoon.

Driven to identify and solve the problem — that’s what it takes to choose engineering as a career, particularly if you are a woman.

Sure, men too must be driven to pursue the same field, but they don’t face the hurdles that women faced then or even now, 30 years after General Motors’ new CEO first started college at the former General Motors Institute. Nobody ever questions a boy’s right to pursue engineering, or a man’s right to practice that discipline. Nobody ever questions the gender of a man with an engineering degree when he makes it to the pinnacle of the corporate ladder.

The Internet Didn’t Kill the Middle Class; Laxity and Apathy Did

In tandem with the release of his book, Who Owns the Future?, Jaron Lanier’s interview with Salon generated a lot of hand-wringing across social media. It seems Lanier, one of our so-called intellectual visionaries, believes that the collapse of Kodak and its 140,000 jobs, and the rise of Instagram and its 13 jobs, exemplifies the killing field of the internet. Lanier theorizes good paying jobs that once supported a thriving middle class have disappeared as internet-enabled firms replaced them. As these jobs vaporized, so did necessary benefits. Here’s a key excerpt from the interview:

“Here’s a current example of the challenge we face,” he writes in the book’s prelude: “At the height of its power, the photography company Kodak employed more than 140,000 people and was worth $28 billion. They even invented the first digital camera. But today Kodak is bankrupt, and the new face of digital photography has become Instagram. When Instagram was sold to Facebook for a billion dollars in 2012, it employed only 13 people. Where did all those jobs disappear? And what happened to the wealth that all those middle-class jobs created?”

What a crock of decade-late shit.

Where the hell was Lanier in the late 1990s and early 2000s, when the U.S. manufacturing sector nose-dived due to government policies created by corporate-acquired elected officials and appointees?

It wasn’t the internet that killed the middle class. The apathy of intellectuals and the technology elite did; too few bothered to point out the potential repercussions of NAFTA and other domestic job-depleting policies. In the absence of thought leaders, corporatists sold the public and their electeds on job creation anticipated from globalizing policies; they just didn’t tell us the jobs created wouldn’t be ours.

It wasn’t the rise of digitization that killed the middle class. It was the insufficiency of protests among U.S. brain power, including publicly-funded academics, failing to advocate for labor and home-grown innovation; their ignorance about the nature of blue collar jobs and the creative output they help realize compounded the problem.

Manufacturing has increasingly reduced man hours in tandem with productivity-increasing technological improvements. It wasn’t the internet that killed these jobs, though technology reduced some of them. The inability to plan for the necessary shift of jobs to other fields revealed the lack of comprehensive, forward-thinking manufacturing and labor policies.

It all smells of Not-My-Problem, i.e., “I’m educated, technology-enabled, white collar; those stupid low-tech blue collar folks’ jobs aren’t my problem.”

Until suddenly it is.
