‘Picking on’ Volkswagen: Why Follow Dieselgate?

[photo: macwagen via Flickr]

One of our commenters described my attention to Dieselgate as ‘picking on’ Volkswagen. It’s not as if there haven’t been scandalous problems with other automotive industry manufacturers, like General Motors’ ignition switches or Takata’s airbag failures, right?

But Volkswagen earns greater attention here at this site because:

1) A critical mass of emptywheel readers are not familiar with the automotive industry, let alone manufacturing; they do not regularly follow automotive news. Quite a number are familiar with enterprise information security, but not car manufacturing or with passenger vehicle security. Many of the readers here are also in policy making, law enforcement, judiciary — persons who may influence outcomes at the very beginning or very end of the product manufacturing life cycle.

2) This is the first identified* multi-year incident in which an automotive industry manufacturer used computer programming of a street-ready vehicle to defraud consumers and willfully violate multiple U.S. laws. This willfulness wholly separates the nature of this risk from other passenger vehicle vulnerabilities, ex: Fiat Chrysler’s hackable Uconnect dashboard computers or Nissan’s unprotected APIs for keyless remotes. (These latter events arose from inadequate info security awareness, though the responsiveness of vehicle manufacturers after notification may be in question.)

3) Volkswagen Group is the single largest passenger vehicle manufacturer in Europe. This isn’t a little deal considering half of all passenger vehicles in Europe are diesel-powered. Health and environmental damage in the U.S. from 600,000 passenger diesels has been bad enough; it’s taking lives in the tens of thousands across Europe. 75,000 premature deaths in 2012 alone were attributed to urban NO2 exposures, the source of which is diesel engines. It was testing in the U.S. against U.S. emissions standards which brought VW’s ‘cheating’ to light making it impossible for the EU to ignore any longer. The environmental damage from all Volkswagen passenger diesels combined isn’t localized; these additional non-compliant emissions exacerbate global climate change.

These are the reasons why Dieselgate deserved heightened scrutiny here to date — but the reasons why this scandal merits continued awareness have everything to do with an as-yet unrealized future.

We are on the cusp of a dramatic paradigm shift in transportation, driven in no small part by the need for reduced emissions. Development and implementation of battery-powered powertrains are tightly entwined with artificial intelligence development for self-driving cars. Pittsburgh PA is already a testing ground for a fleet of self-driving Uber vehicles; Michigan’s state senate seeks changes to the state’s vehicle code to permit self-driving cars to operate without a human driver to intervene.

All of this represents a paradigm shift in threats to the public on U.S. highways. Self-driving car makers and their AI partners claim self-driving vehicles will be safer than human-driven cars. We won’t know what the truth is for some time, whether AI will make better decisions than humans.

But new risks arise:

  • An entire line of vehicles can pose a threat if they are programmed to evade laws, ex: VW’s electronic control unit using proprietary code which could be manipulated before installation. (Intentional ‘defect’.)
  • An entire line of vehicles can be compromised if they have inherent vulnerabilities built into them, ex: Fiat Chrysler’s Uconnect dashboard computers. (Unintentional ‘defect’.)

Let’s ‘pick on’ another manufacturer for a moment: imagine every single Fiat Chrysler/Dodge/Jeep vehicle on the road in 5-10 years programmed to evade state and federal laws on emissions and diagnostic tests for road-worthiness. Imagine that same programming exploit used by criminals for other means. We’re no longer looking at a mere hundred thousand vehicles a year but millions, and the number of people at risk even greater.

The fear of robots is all hype, until one realizes some robots are on the road now, and in the very near future all vehicles will be robots. Robots are only as perfect as their makers.

An additional challenge posed by Volkswagen is its corporate culture and the deliberate use of a language barrier to frustrate fact-finding and obscure responsibility. Imagine now foreign transportation manufacturers not only using cultural barriers to hide their deliberate violation of laws, but masking the problems in their programming using the same techniques. Because of GM’s labyrinthine corporate bureaucracy, identifying the problems which contributed to the ignition switch scandal was difficult. Imagine how much more cumbersome it would be to tease out the roots if the entire corporate culture deliberately hid the source using culture, even into the coding language itself? Don’t take my word for how culture is used to this end — listen to a former VW employee who explains how VW’s management prevaricates on its ‘involvement’ in Dieselgate (video at 14:15-19:46).

Should we really wait for another five to 10 years to ‘pick on’ manufacturers of artificially intelligent vehicles — cars with the ability to lie to us as much as their makers will? Or should we look very closely now at the nexus of transportation and programming where problems already occur, and create effective policy and enforcement for the road ahead?
_________
* A recent additional study suggests that Volkswagen Group is not the only passenger diesel manufacturer using emissions controls defeats.

Wednesday Morning: Meet Me on the Floor

I admit it, I’ve betrayed my kind. I’ve been remiss in my responsibilities, haven’t been equitable.

To fix that, you need a dose of estrogen, stat. This morning’s medication is Veruca Salt’s Volcano Girls.

Feel better soon, eh?

Wheels
Mitsubishi’s Tetsuro Aikawa to leave, asks Nissan to name replacement (Bloomberg) — Announcement comes six days after Nissan announced it would buy a controlling interest in Mitsubishi. Nissan’s CEO Carlos Ghosn indicated he does not intend to subsume and phase out the Mitsubishi brand; this may have encouraged Aikawa he was leaving the company in good hands. I wouldn’t bet on some overlap between Nissan/Mitsubishi being eliminated.

Suzuki apologized for using the wrong fuel economy tests (Reuters) — Suzuki says it didn’t need to change its declared mileage data based on correct testing. I sure hope independent testing confirms this, though I suspect the same study which revealed Volkswagen’s cheat would have indicated additional validation needed.

Volkswagen says it will focus on profitability, pronto (Bloomberg) — Investors are restless and complaining about VW’s recalcitrance toward cost cutting in light of 16 billion euros it set aside for fixes and claims due to Dieselgate. Executives’ pay is on the butcher’s block. More than a little overdue as VW execs knew about the emissions controls defeat’s detection two years ago.

Forensic scientist reports to NHTSA Chevrolet’s dangerous cruise control problem (Zdziarski’s blog) — PAY ATTENTION TO THIS IF YOU’RE A LATE MODEL CHEVROLET OWNER. Read the linked post; Chevrolet’s response is deplorable, asking drivers to modify behavior rather than supply/fix product to work as documented and sold.

The (Fossil Fuel) Business
Goldman Sachs downgrades stocks to neutral while going bullish on oil (Bloomberg) — I like the subhead on this article: “Too many things to worry about.” ~LOL~ Excess valuation, lower growth, “a wall of stock market worries” encouraged the bear move. Things not explicitly mentioned: the U.S. and Australian elections and Brexit referendum outcome.

But…bullishness on oil out of whack (MarketWatch) — Another LOL-ish subhead today: “The fine print shows Goldman analysts believe oil will struggle to easily top $50.” So GS is telling its clients to reduce excess oil holdings while conditioning overall market to firm up what’s in their clients’ portfolios? ~smh~ Just as above, not mentioned in this take are any elections/referendums.

Note, too, that neither of these reports mentions Iran.

Anadarko Petroleum downgraded to neutral by Credit Suisse (Trade Calls) — You want another confusing take on fossil fuels? Read this article. Supports MarketWatch’s calling out GS on oil, though Anadarko also includes natural gas.

Total SA’s CEO Pouyanne pooh-poohs France’s ban on shale gas (Bloomberg) — Man, this dude is as arrogant as his predecessor. France could simply outlaw any imports without a certificate of origin, and force the industry to figure it out. Yet another article that doesn’t mention Iran, which sits on one of the largest natural gas reserves in the world. Pouyanne’s predecessor was cozy with Iran, too. So why all the attitude about North American shale gas imports?

Artificial Intelligence
Hedge fund used AI to pick through Fed Reserve’s minutes (Business Insider) — Using AI gleaned from a competition it hosted, Two Sigma fund analyzed the Fed Reserve. The app used Natural Language Processing and found some interesting trends. Wonder if the results would be different using Google’s SyntaxText open sourced this past week?

NSFWhut?
Cynically opportunistic marketing push promotes so-called ‘anti-Zika’ condoms (IBTImes-AU) — Pharmaco Starpharma Holdings and condom-maker Ansell will give Australia’s Olympians “Dual Protect” condoms lubricated with VivaGel for “almost 100-percent anti-viral protection” against Zika. Never let a perfectly good health crisis go to waste, right?

CDC says any condom will work against Zika (MarketWatch) — Yeah. That. I said this already: condoms are recommended for other viral STIs like herpes and HIV, will work fine for Zika, no special anti-Zika condom required. But you have to use them consistently and for at least six months after exposure to Zika since the virus can remain in men’s reproductive system for at least that long after infection.

ONE company will release condoms in 56 different sizes (Glamour) — Holy schnikes. This is a broader range of sizes than men’s off-the-rack suits. No excuses about not wearing condoms, there will be one bound to fit gents. Would be nice if ONE could hit the market with these in Brazil before the Olympics. (And don’t turn your nose up at Glamour. It’s one of the better articles I read today, includes some good links.)

There’s enough material to get you over the hump. Catch you in the morning tomorrow!

Thursday Morning: Snowed In (Get It?)

Yes, it’s a weak information security joke, but it’s all I have after shoveling out.

Michigan’s winter storm expanded and shifted last night; Marcy more than caught up on her share of snow in her neck of the woods after all.

Fortunately nothing momentous in the news except for the weather…

Carmaker Nissan’s LEAF online service w-i-d-e open to hackers
Nissan shut down its Carwings app service, which controls LEAF model’s climate control systems. Carwings allows vehicle owners to check information about their cars on a remote basis. Some LEAF owners conducted a personal audit and hacked themselves, discovering their cars were vulnerable to hacking by nearly anyone else. Hackers need only the VIN as userid and no other authentication to access the vehicle’s Carwings account. You’d think by now all automakers would have instituted two-factor authentication at a minimum on any online service.

Researcher says hardware hack of iPhone may be possible
With “considerable financial resources and acumen,” a hardware-based attack may work against iPhone’s passcode security. The researcher noted such an attempt would be very risky and could destroy any information sought in the phone. Tracing power usage could also offer another opportunity at cracking an iPhone’s passcode, but the know-how is very limited in the industry. This bit from the article is rather interesting:

IOActive’s Zonenberg, meanwhile, told Threatpost that an invasive hardware attack hack is likely also in the National Security Agency’s arsenal; the NSA has been absent from discussions since this story broke last week.

“It’s been known they have a semiconductor [fabrication] since January 2001. They can make chips. They can make software. They can break software. Chances are they can probably break hardware,” he said. “How advanced they were, I cannot begin to guess.”

The NSA has been awfully quiet about the San Bernardino shooter’s phone, haven’t they?

‘Dust Storm’: Years-long cyber attacks focused on intel gathering from Japanese energy industry
“[U]sing dynamic DNS domains and customized backdoors,” a nebulous group has focused for five years on collecting information from energy-related entities in Japan. The attacks were not limited to Japan, but attacks outside Japan by this same group led back in some way to Japanese hydrocarbon and electricity generation and distribution. ‘Dust Storm’ approaches have evolved over time, from zero-day exploits to spearphishing, and Android trojans. There’s something about this collected, focused campaign which sounds familiar — rather like the attackers who hacked Sony Pictures? And backdoors…what is it about backdoors?

ISIS threatens Facebook’s Zuckerberg and Twitter’s Dorsey
Which geniuses in U.S. government both worked on Mark Zuckerberg and Jack Dorsey about cutting off ISIS-related accounts AND encouraged revelation about this effort? Somebody has a poor grasp on opsec, or puts a higher value on propaganda than opsec.

Wonder if the same geniuses were behind this widely-reported meeting last week between Secretary of State John Kerry and Hollywood executives. Brilliant.

Case 98476302, Don’t text while walking
So many people claimed to have bumped their heads on a large statue while texting that the statue was moved. The stupid, it burns…or bumps, in this case.

House Select Intelligence Committee hearing this morning on National Security World Wide Threats.
Usual cast of characters will appear, including CIA Director John Brennan, FBI Director James Comey, National Counterterrorism Center Director Nicholas Rasmussen, NSA Director Admiral Michael Rogers, and Defense Intelligence Agency Director Lieutenant General Vincent Stewart. Catch it on C-SPAN.

Snow’s supposed to end in a couple hours, need to go nap before I break out the snow shovels again. À plus tard!