Posts

‘Picking on’ Volkswagen: Why Follow Dieselgate?

[photo: macwagen via Flickr]

[photo: macwagen via Flickr]

One of our commenters described my attention to Dieselgate as ‘picking on’ Volkswagen. It’s not as if there haven’t been scandalous problems with other automotive industry manufacturers, like General Motors’ ignition switches or Takata’s airbag failures, right?

But Volkswagen earns greater attention here at this site because:

1) A critical mass of emptywheel readers are not familiar with the automotive industry, let alone manufacturing; they do not regularly follow automotive news. Quite a number are familiar with enterprise information security, but not car manufacturing or with passenger vehicle security. Many of the readers here are also in policy making, law enforcement, judiciary — persons who may influence outcomes at the very beginning or very end of the product manufacturing life cycle.

2) This is the first identified* multi-year incidence in which an automotive industry manufacturer using computer programming of a street-ready vehicle to defraud consumers and willfully violate multiple U.S. laws. This willfulness wholly separates the nature of this risk from other passenger vehicle vulnerabilities, ex: Fiat Chrysler’s hackable Uconnect dashboard computers or Nissan’s unprotected APIs for keyless remotes. (These latter events arose from inadequate info security awareness though responsiveness of vehicle manufacturers after notification may be in question.)

3) Volkswagen Group is the single largest passenger vehicle manufacturer in Europe. This isn’t a little deal considering half of all passenger vehicles in Europe are diesel-powered. Health and environmental damage in the U.S. from 600,000 passenger diesels has been bad enough; it’s taking lives in the tens of thousands across Europe. 75,000 premature deaths in 2012 alone were attributed to urban NO2 exposures, the source of which is diesel engines. It was testing in the U.S. against U.S. emissions standards which brought VW’s ‘cheating’ to light making it impossible for the EU to ignore any longer. The environmental damage from all Volkswagen passenger diesels combined isn’t localized; these additional non-compliant emissions exacerbate global climate change.

These are the reasons why Dieselgate deserved heightened scrutiny here to date — but the reasons why this scandal merits continued awareness have everything to do with an as-yet unrealized future.

We are on the cusp of a dramatic paradigm shift in transportation, driven in no small part by the need for reduced emissions. Development and implementation of battery-powered powertrains are tightly entwined with artificial intelligence development for self-driving cars. Pittsburgh PA is already a testing ground for a fleet of self-driving Uber vehicles; Michigan’s state senate seeks changes to the state’s vehicle code to permit self-driving cars to operate without a human driver to intervene.

All of this represents a paradigm shift in threats to the public on U.S. highways. Self-driving car makers and their AI partners claim self-driving vehicles will be safer than human-driven cars. We won’t know what the truth is for some time, whether AI will make better decisions than humans.

But new risks arise:

  • An entire line of vehicles can pose a threat if they are programmed to evade laws, ex: VW’s electronic control unit using proprietary code which could be manipulated before installation. (Intentional ‘defect’.)
  • An entire line of vehicles can be compromised if they have inherent vulnerabilities built into them, ex: Fiat Chrysler’s Uconnect dashboard computers. (Unintentional ‘defect’.)

Let’s ‘pick on’ another manufacturer for a moment: imagine every single Fiat Chrysler/Dodge/Jeep vehicle on the road in 5-10 years programmed to evade state and federal laws on emissions and diagnostic tests for road-worthiness. Imagine that same programming exploit used by criminals for other means. We’re no longer looking at a mere hundred thousand vehicles a year but millions, and the number of people at risk even greater.

The fear of robots is all hype, until one realizes some robots are on the road now, and in the very near future all vehicles will be robots. Robots are only as perfect as their makers.

An additional challenge posed by Volkswagen is its corporate culture and the deliberate use of a language barrier to frustrate fact-finding and obscure responsibility. Imagine now foreign transportation manufacturers not only using cultural barriers to hide their deliberate violation of laws, but masking the problems in their programming using the same techniques. Because of GM’s labyrinthine corporate bureaucracy, identifying the problems which contributed to the ignition switch scandal was difficult. Imagine how much more cumbersome it would be to tease out the roots if the entire corporate culture deliberately hid the source using culture, even into the coding language itself? Don’t take my word for how culture is used to this end — listen to a former VW employee who explains how VW’s management prevaricates on its ‘involvement’ in Dieselgate (video at 14:15-19:46).

Should we really wait for another five to 10 years to ‘pick on’ manufacturers of artificially intelligent vehicles — cars with the ability lie to us as much as their makers will? Or should we look very closely now at the nexus of transportation and programming where problems already occur, and create effective policy and enforcement for the road ahead?
_________
* A recent additional study suggests that Volkswagen Group is not the only passenger diesel manufacturer using emissions controls defeats.

Wednesday Morning: Wonderful, Just Wonderful

I debated about posting Jonny Lang’s Lie to Me. Nah, we’re lied to every day, might as well ask for the truth for once, even if it’s ugly. The truth is that nothing’s okay though we wish like hell it were otherwise.

That said, let’s forge on into the fraught and frothing fjords…

‘Nope.’ That’s what California Air Resources Board said
Huh-uh, no way, nada — CARB told Volkswagen in response to VW’s proposed recall plans for emissions standard-cheating 2.0L vehicles sold into California. Because:

  • The proposed plans contain gaps and lack sufficient detail.
  • The descriptions of proposed repairs lack enough information for a technical evaluation; and
  • The proposals do not adequately address overall impacts on vehicle performance, emissions and safety

Wonder if CARB’s response will be different with regard to VW’s 3.0L vehicles? Shall we take bets?

Fugly, in multiples — cybersec edition
Ebay’s got bugs, and not just at auction.

Need more than tape to fix this problem with cheap web cameras.

Popular antivirus may pose a hacking threat, patch has been issued. Same antivirus manufacturer has a nifty relationship with INTERPOL, too, to share information about cyberthreats. Wonder if they phoned INTERPOL and said, “Cyberthreat. It me!”

(BTW, I love it when spell check helpfully says, “‘Cybersec’ is wrong, don’t you mean ‘cybersex’?”…um, no.)

General Motors: We won’t sue white hats doing our work for us!
No lawsuits, but don’t expect any rewards for finding vulnerabilities (unlike competitor Tesla’s bug report program).

Big of you, GM. Way to protect your intellectual property and brand at the same time.

The biggest threat to nation’s power grid is S_______
Beady-eyed and focused, slips beneath our radar, gnaws into our electricity transport with annoying frequency, causing hundreds of hours of power outages. Stuxnet? No. Bloody squirrels.

In short, it’s all wonderful this Wednesday. Just wonderful. Pass the Glenmorangie, please.