“Volkswagen says 11 million of its cars have emissions-test-beating software.” – Fox News.
According to an NBC report, the U.S. Environmental Protection Administration (EPA) announced that Volkswagen had surreptitiously equipped its diesel vehicles with software designed to recognize when those products were being tested on a dynamometer, essentially an automotive treadmill. In such a situation, the full complement of emissions control systems would operate at their maximum, bringing the vehicles into compliance with U.S. – and even tougher California – emissions standards. But once the testing was over, according to the EPA, the vehicles would change over to a different mode, effectively allowing emissions levels to increase by as much as 40 times.
I have to admit, I’m impressed with the simple yet sophisticated software embedded in these vehicles. The engineer who developed the Volkswagen software to beat emissions testing equipment should never be without work again, after inevitably getting fired from VW in the coming days, and I’m sure he’ll just be the first of many up and down the management chain. I can think of many cyber security firms that would hire this individual for their hacking/malware skills. To build a piece of software that detects the type of equipment it’s interfacing with and, in real time, adjusts the performance of the vehicle before going dormant is brilliant.
Is It or Isn’t It “Malware”?
Calling the undocumented feature “software” might be incorrect, as many would label it “malware.” According to Kaspersky Labs’ malware definition, “[Malware] is short for malicious software and refers to any computer program designed to do things that are harmful to or unwanted by a computer’s legitimate user,” so Volkswagen’s “emissions software” may indeed be “emissions malware.”
THE CASE FOR – Clearly the intent was to purposefully bypass testing equipment and put the car into a mode where performance was stellar. If the vehicle’s tuning was in a state of low performance prior, then turned to maximum performance during the test, only to return to low performance, then it’s hard to argue there wasn’t malicious intent. From the reports, it seems like this was the case; therefore, I believe we have been duped.
THE CASE AGAINST – Now I will embrace the merciful side of my personality. Perhaps said brilliant engineer wasn’t so bright and built a piece of software for Volkswagen’s internal emissions testing purposes, to determine vehicle maximum performance settings by country for shipment. Again, a great test program to determine this, but perhaps it’s a sign of something different, like a flaw in their process. Maybe this software was loaded into the vehicle’s test build via their configuration management system but wasn’t excluded from their production build for shipment. If this was the case, then the engineer who built the code might be off the hook, but the process and config management people would be in the hot seat. Another possibility is a flaw in the code logic. Maybe the intent was that after maximum performance was determined, based on how the car was tested, it was supposed to use that “state” as the default versus regressing back to low performance as the default. It might be a case of missing logic. Sounds like a great case for a software testing firm to take a look at the code to see if intent can be determined from the fingerprints in the code.
Ultimately, the classification of this little beauty inside Volkswagen’s cars will be left up to the courts and lawyers, but regardless of the final outcome, Volkswagen is paying for what comes down to a software quality issue.
What’s the So What?
Software is eating the world and the sooner automobile makers realize this, the better off we all will be. The days of driverless cars are coming faster than we think, and from collision warning sensors to infotainment, your car’s software is exponentially more complex than the hardware it rides on. This means that automotive cybersecurity is a mounting issue that will need to be addressed.
News outlets are reporting that VW has reserved as much as $7B to clean this mess up, and their stock price dropped 17% yesterday, resulting in a loss of billions in value to shareholders for what could have been faulty or missing code logic, mismanagement of files/builds, or intentional malware loaded onto vehicles without management knowing. Either way, the days of software being treated like a second-class citizen inside auto companies are gone. Auto executives need to dial in their awareness of software security, cyber and quality defects if they don’t want their lunches to be eaten by the likes of Tesla, which puts software first.
PSC Vice President