{"id":6560,"date":"2016-01-06T09:18:06","date_gmt":"2016-01-06T14:18:06","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=6560"},"modified":"2019-11-22T10:11:52","modified_gmt":"2019-11-22T10:11:52","slug":"explaining-how-volkswagen-dieselgate-happened","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/explaining-how-volkswagen-dieselgate-happened\/6560\/","title":{"rendered":"Explaining how Volkswagen Dieselgate happened"},"content":{"rendered":"<p>At the recent <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/32c3\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Chaos Communication Congress<\/a> in Hamburg two IT experts, Felix Domke and Daniel Lange (former Head of IT strategy at BMW) gave a talk on what exactly had happened with Volkswagen\u2019s cheating of emissions tests.<\/p>\n<p>Over the last several months we have seen a large ammount of media stories published on Diesel-gate. With that said, few explained how this trickery worked and who is really responsible for its im-plementation. That\u2019s why it\u2019s interesting to look at the research conducted by independent experts who tried to find out the truth.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6562\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194448\/dieselgate-32c3-lange-domke.jpg\" alt=\"dieselgate-32c3-lange-domke\" width=\"1024\" height=\"1024\"><\/p>\n<h3>Why this trickery had occurred at the first place?<\/h3>\n<p>The biggest issue of emissions tests is that they are always performed with some standard model, like the so-called <a href=\"https:\/\/en.wikipedia.org\/wiki\/New_European_Driving_Cycle\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">NEDC<\/a> (New European Driving Cycle). This model consists of a few pretty short ac-celeration-braking cycles and one long cycle with higher speed, which represent city and highway traffic respectively. In real life nobody drives like this, and definitely nobody drives <i>exactly<\/i> like this.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6563\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194447\/dieselgate-32c3-nedc.jpg\" alt=\"dieselgate-32c3-nedc\" width=\"1024\" height=\"608\"><\/p>\n<p>But for emissions measurement they use this very model, thus engineers at car companies can do tricks to improve measurement results. Why do they do it? Plain and simple: it\u2019s way cheaper than to do real improvements. If an enterprise could do something in a cheaper way, it definitely would pre-fer this way to any other as the bottom line is important to company performance.<\/p>\n<p>\u201cTrickery on that tests is very common,\u201d says Lange. \u201cWhat tricks people are doing to drive down the emissions? For example they blow up the tires by 3 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Bar_(unit)\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">bars<\/a> more than you could actually use them on the road. The bottom of the tire looks like this, so that means that you only have that very small por-tion of the tire that still touches the ground, your resistance gets reduced.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6564\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194445\/dieselgate-32c2-trickery.jpg\" alt=\"dieselgate-32c2-trickery\" width=\"1024\" height=\"576\"><\/p>\n<p>\u201cThey put diesel into the oil, because diesel is lighter than the oil, so friction gets reduced. They take off the mirror on a passenger side, because that is not legally required to exist. So resistance gets away with it. They tape close all the openings of the vehicle. Obviously, when the wind goes over it, it goes much smoother once you have everything taped. All of these things are either Ok, or they kind of borderline grey area. And they do this. This is how actually emissions are tested.\u201d<\/p>\n<div id=\"attachment_6565\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-6565\" class=\"wp-image-6565 size-large\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194443\/dieselgate-32c3-nox-emissions.jpg\" alt=\"dieselgate-32c3-nox-emissions\" width=\"1024\" height=\"608\"><p id=\"caption-attachment-6565\" class=\"wp-caption-text\">NOx emissions in NEDC and alternative ADAC tests<\/p><\/div>\n<p>The results of this trickery are very simple: measured values have pretty much nothing to do with what is going on in the real world. The whole auto industry knows this very well. Perhaps every car manufacturer uses software tweaks, just like Volkswagen did. As a matter of fact, 15 years ago <a href=\"http:\/\/www.motorradonline.de\/vergleichstest\/technik-abgasreinigung\/105838\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">BMW was actually caught<\/a> on using a similar trick with software of its motorcycle.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6566\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194442\/dieselgate-32c2-bmw.jpg\" alt=\"dieselgate-32c2-bmw\" width=\"1024\" height=\"608\"><\/p>\n<p>But how do they deploy these software cheats? To understand that, we need to examine how cars\u2019 electronic systems work.<\/p>\n<h3>What\u2019s inside the <s>box<\/s> car?<\/h3>\n<p>The piece of electronics directly responsible for everything that happens with car\u2019s engine, including exhaust, is <a href=\"https:\/\/en.wikipedia.org\/wiki\/engine_control_unit\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Engine Control Unit<\/a> (or ECU). Car manufacturers don\u2019t develop these devices them-selves, but purchase this equipment from companies who specialize in vehicle electronics systems. There are not that many companies, and at least in Germany the market leader is Bosch.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Breaking News: E.P.A. orders Volkswagen to recall nearly a half-million cars<a href=\"http:\/\/t.co\/WNqBPQnHbd\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/WNqBPQnHbd<\/a><\/p>\n<p>\u2014 The New York Times (@nytimes) <a href=\"https:\/\/twitter.com\/nytimes\/status\/644904843535060994?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 18, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The firmware code for the ECU is also developed by the same manufacturer; since this firmware is really critical for proper operation of car\u2019s engine and car itself, it is reviewed thoroughly.<\/p>\n<p>As Lange puts it, \u201cthis thing is simulated and tested <i>to death<\/i>. Because it\u2019s hugely important. Because if you have this machine here which has like 200 HP, and if you steer it wrong it will blow up, and it will blow up really hard. That\u2019s why this thing is about the best tested piece of software you will ever find.\u201d<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Volkswagen shares are down 20%. Here\u2019s what we know so far about the emissions scandal: <a href=\"http:\/\/t.co\/Y2FlLLHRlh\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/Y2FlLLHRlh<\/a> <a href=\"http:\/\/t.co\/WJw9C0vCDy\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/WJw9C0vCDy<\/a><\/p>\n<p>\u2014 The Wall Street Journal (@WSJ) <a href=\"https:\/\/twitter.com\/WSJ\/status\/645924511297220608?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 21, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Another fact is that car companies are not allowed to change ECU firmware. At the same time, each specific ECU model can be used by a whole list of car manufacturers in a variety of car models and engines. Therefore, to be compatible with various cars, ECU\u2019s firmware has to be flexible. To achieve this flexibility ECU manufacturers use a lot of variables, which can be adjusted by car manu-facturer in accordance to specific requirements of this or that particular car\/engine model.<\/p>\n<p>For instance, Bosch EDC17C46, which is the model of ECU used by cars involved in the Dieselgate scandal, has more than 20,000 of such variables. If this virtual benchboard could be somehow mate-rialized in a real world, it definitely would be the hugest and the most complex control panel in the whole world.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6567\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194440\/dieselgate-32c3-ecu.jpg\" alt=\"dieselgate-32c3-ecu\" width=\"1024\" height=\"576\"><\/p>\n<p>Quick summary: the tweaks in firmware code can\u2019t be developed by car manufacturer, but by ECU manufacturer, with request from the former. Since every such modification leaves really long paper trail, ECU manufacturers are likely to inform car companies that using these tweaks is illegal. And eventually the final decision is made by the car manufacturer \u2014 to use the tweaks the car company needs to play with above mentioned variables. But how exactly do these tweaks work?<\/p>\n<h3>The truth is in the code<\/h3>\n<p>To investigate that Felix Domke bought a spare ECU on eBay and, along with his own Volkswagen Sharan (affected by VW recall), reverse-engineered it. He exploited a zero-day hardware vulnerabil-ity in ECU\u2019s chip to obtain 2 MB firmware out of its flash memory and examined the code. First of all, the research gave him a very good understanding of how complex processes in car electronics are.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6568\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194438\/dieselgate-32c3-sharan.jpg\" alt=\"dieselgate-32c3-sharan\" width=\"1024\" height=\"576\"><\/p>\n<p>For instance, it turned out that what you see on such ordinary thing as tachometer doesn\u2019t represent engine\u2019s RPM directly. The value displayed by tachometer depends on more than 20 other signals processed by 12 KB of dense code (in case you were wondering: that\u2019s a whole lot of code).<\/p>\n<p>\u201cYou realize at this point that there is a lot of cheating could go on here without most people notic-ing,\u201d says Domke. \u201cYou don\u2019t really believe that speedometer in your car displays actual speed. It displays <i>something<\/i> that is related to speed.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6569\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194436\/dieselgate-32c3-ecu-2.jpg\" alt=\"dieselgate-32c3-ecu-2\" width=\"1024\" height=\"576\"><\/p>\n<p>The emission control part of firmware is even more complex and flexible. However, the core idea of how nitrogen oxides emissions reduction is supposed to work is comparatively simple. In order to get rid of nitrogen oxides, you can add to exhaust some substance called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Urea\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">urea<\/a> (branded by VW as Ad-Blue). With high temperature it turns to ammonia and reacts with NOx with nice and harmful water and nitrogen as resultant substances.<\/p>\n<p>However, if you added too much of urea, the excess of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Ammonia\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ammonia<\/a> goes into exhaust. This is not good for you or your car. That\u2019s why in normal situation it is better to add less urea than to add more (the best approach would be to dose the exact amount of urea, but it\u2019s quite hard to do). Unfortunately, this insufficient dosage won\u2019t get you high score at emissions test. That is basically why car compa-nies need to cheat.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6570\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194434\/dieselgate-32c3-adblue.jpg\" alt=\"dieselgate-32c3-adblue\" width=\"1024\" height=\"576\"><\/p>\n<p>In the case of Volkswagen this trick was performed in the following manner: there were two modes in which urea dosage could be operated. One of them was called \u2018regular model\u2019 in which the dose of urea was pretty big, and another called \u2018alternative model\u2019 in which urea was significantly under-dosed. Domke revealed that about 75% of the time, a VW car\u2019s exhaust system was operating in this \u2018alternative mode\u2019 with almost all of the remaining time not dosing urea at all.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6571\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194433\/dieselgate-32c3-modes.jpg\" alt=\"dieselgate-32c3-modes\" width=\"1024\" height=\"576\"><\/p>\n<p>As analysis of firmware code showed, the criteria of switching to \u2018regular mode\u2019 (which still happened from time to time), besides simple conditions for engine and fuel temperature and atmosphere pres-sure, included one more interesting criterion. To put it simply, \u2018regular mode\u2019 was switched on, when a vehicle\u2019s travelled distance over time chart was within one of several pairs of min-max limit curves.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>#Dieselgate investigation: At #32C3 hackers explained what exactly had happened with dirty diesel emissions<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2F1LHT&amp;text=%23Dieselgate+investigation%3A+At+%2332C3+hackers+explained+what+exactly+had+happened+with+dirty+diesel+emissions\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>Funny enough, one pair of these curves was designed in the exact way to very accurately include distance over time chart for a vehicle running above mentioned New European Driving Cycle. In this case the dosage of urea was high and NOx emission was low enough to meet the very strict Euro-pean requirements. And that is exactly the core idea of VW software trick.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6572\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/01\/05194431\/dieselgate-32c3-curves.jpg\" alt=\"dieselgate-32c3-curves\" width=\"1024\" height=\"576\"><\/p>\n<p>While there are many takeaways from this story, one stands out. The ability to create hacks or tricks that can impact the bottom line need someone with an IT background. Put into a bigger context, digi-tal technology is now more important and the people who know how to leverage them will become more influential and important to companies. On one side of the coin, they can help fool systems to hide a deficiency in a product. However on the other, they can expose tricks and frauds similar to what these two researchers did with Dieselgate.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/xZSU1FPDiao?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>At the Chaos Communications Congress, researchers explain how Dieselgate happened<\/p>\n","protected":false},"author":421,"featured_media":6561,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1237,1245,629,1242,1246,1244,553,709,1243],"class_list":{"0":"post-6560","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-32c3","9":"tag-bosch","10":"tag-cars","11":"tag-dieselgate","12":"tag-ecu-category-featured","13":"tag-emissions","14":"tag-news-2","15":"tag-research","16":"tag-volkswagen"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/explaining-how-volkswagen-dieselgate-happened\/6560\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/explaining-how-volkswagen-dieselgate-happened\/5525\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/explaining-how-volkswagen-dieselgate-happened\/3817\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/32c3\/","name":"32C3"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=6560"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6560\/revisions"}],"predecessor-version":[{"id":17819,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6560\/revisions\/17819"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/6561"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=6560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=6560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=6560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}