After Volkswagen used software that manipulated exhaust values and defeated emissions tests, it has affected 11 million VW diesel cars built since 2008. A 2007 letter from VW parts supplier Bosch warned Volkswagen not to use the software for regular operations; in 2011, a Volkswagen technician raised concerns about the illegal practices in connection with the emissions levels.
“We should be allowed to know how the things we buy work,” Eben Moglen, a Columbia University law professor and technologist told the New York Times. “Let’s say everybody who bought a Volkswagen were guaranteed the right to read the source code of everything in the car. 99% of the buyers would never read anything, but out of the 11 million people whose car was cheating, one of them would have found it. And Volkswagen would have been caught in 2009, not 2015.”
Moglen added vehicles are “sealed-hood entities with complicated computers and modules. All of this is deeply nontransparent. And all of this is grounds for cheating of all sorts. Is the problem of individuals modifying their cars individually more serious than the risk of large-scale cheating by manufacturers?”
EFF Staff Attorney Kit Walsh suggested that if copyright law wasn’t standing in the way, “then we could have independent researchers go in and look at the code and find this kind of intentional wrongdoing.”
Vulnerable software in closed-off code
Beyond the Volkswagen scandal are potentially deadly security vulnerabilities in software code.
After Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee, Miller said, “We could have easily done the same thing on one of the hundreds of thousands of vulnerable vehicles on the road.” He added, “Yeah, Chrysler fixed this particular remote flaw, but there are probably others. We can't build perfect software. Someone is going to hack into another vehicle head unit someday.”
Over 100 million lines of code in high-tech cars
Of course the code isn’t perfect as there are millions of lines of it; the New York Times reported, “New high-end cars are among the most sophisticated machines on the planet, containing 100 million or more lines of code. Compare that with about 60 million lines of code in all of Facebook or 50 million in the Large Hadron Collider.” In fact, Stanford University professor of mechanical engineering Chris Gerdes said, “Cars these days are reaching biological levels of complexity.”
This summer, the National Highway Traffic Safety Administration (NHTSA) said privacy and cybersecurity should be high-priorities for NHTSA as well as for the automobile industry.
Nat Beuse, who heads up the NHTSA office of vehicle safety research, has engineers hacking cars and hunting for vulnerabilities that could allow an attacker to “manipulate critical functions of a car, like its brakes or steering.” But the scope is “too large” and NHSTA doesn’t have the manpower to “actually police every little piece of software and electronics in a vehicle. What we’re focused on are very, very critical systems that affect safety – steering, throttle, braking and anything to do with battery systems.”
NHSTA is trying to determine if “black boxes in cars that record data, like a vehicle’s speed in a crash, can be programmed to record electronic faults.” The agency is also interested in applying an FAA model to vehicles; the FAA won’t sign off on airplane software without first being shown that the software, used for critical systems that control flying, was designed well.
Open source car code?
Carnegie Mellon University associate professor Philip Koopman, who works in the electrical and computer engineering department, said, “There’s no requirement that anyone except the car companies looks at the code. Computers can now exert almost complete control over your car. But if the software misbehaves, there’s nothing you can do.”
One solution for making auto software safer could be to “open it to public scrutiny;” yes, open-source the code. Of course most car manufacturers would wage a battle of epic proportions to stop that from happening; the Alliance of Automobile Manufacturers opposed (pdf) adding software used in vehicles to a proposed list of DMCA exemptions. Yet the industry could be losing one of its allies. The Volkswagen scandal may change the way the EPA feels about keeping auto code closed off from the public. The shock-waves from VW could reverberate until it affects automobile cybersecurity and the code that is hidden from the public.
Carnegie Mellon’s Koopman added, “Keeping source code secret does not prevent attacks; either the code is vulnerable or it’s not.”