VW's car DRM let it get away with cheating on its diesel emissions testing



The EPA has accused Volkswagen of …
Volkswagen, like most auto manufacturers…



In the end it will get too expensive for VW. The dealer who sold us our Jetta kept creating and fixing problems with the DSG transmission, right up to the end of the factory guarantee, at which point all the problems magically fixed themselves. A classic trick was to change the DSG firmware and “forget” to replace the corresponding clutch pack. That kept the issue bouncing along for another year, with more money flowing from head office to pay for repairs.


We cannot rely on laws that mercifully grant us what should be our right anyway.

We have to take our rights and fight for them with all the tools we have at our disposal, from hardware to software. A logic analyzer with a 25MHz sample rate can be bought for $10, there are frameworks for side channel attacks by differential power analysis and power glitching (you can buy the board), and so on.

When it is lawyers vs engineers, the engineers have the upper hand. We are many and we are pissed. We are Legion. Expect us.


It wasn’t DRM. It was specific programming in the ECU, and had nothing to do with any sort of DRM.
You lose credibility when you inject your favorite cause célèbre into a story that has nothing to do with it. You might as well have accused VW of not using general purpose computers to regulate their engines, for all it has to do with the specific issue. Which is to say, none at all.


The argument is that no one was allowed to see the ECU code (and thus no one figured out what the code was doing) because of the DRM - basically arguing that car software should be visible and open to the public.

I think it’s a weak argument, but do agree with the conclusion - car software should be visible and open to the public.


I’m not sure if DRM is the most important point. The firmware is copyrighted, closed source and a rather normal trade secret.

This is more a case of arrogant corporate asshattery: They believe they are above the law and use custom ECU procedures to circumvent environment and health protection laws. It seems this behaviour is deeply ingrained in the car industry - the test cycle mileage is more often than not out of touch with reality.

This has to stop, and I hope VW (and GM, and Toyota, and whoever) pays - if this as a side effect weakens DRM: Fine by me, but not my primary wish.


http://freeems.org/ <-- this is moving slow, but steady into usefulness.


No, the DRM is absolutely dispositive.

Copyright allows you to do “clean room” reverse-engineering to make interoperable products – it’s totally legal (and legit) to reverse engineer proprietary software to make your own diagnostic tools (that’s why, for example, there’s SAMBA for SMB).

But section 1201 of the DMCA makes it a felony to undertake this work if you have to break DRM to do it.

In other words: in the absence of the DMCA, you’d expect there to be a market of funded businesses that jailbroke and improved the firmware on cars, who would have spotted the emissions cheating and blown the whistle on it.

But because telling people about flaws in DRM is a felony (because it helps people break DRM if they know about programmer errors in it), the flaws, even if detected by (for example) hobbyist tuners, have no legitimate means by which they can be reported.

When Sony put a rootkit on 6,000,000 audio CDs in 2005, at least one (and probably more) security researcher detected it. But it was not reported, because the researcher’s counsel vetoed any publication, due to concern over DMCA liability. The eventual publication of the rootkit news came months after that initial detection, by which point between 200,000 and 300,000 US government and military networks had been compromised by the malware.

tl;dr: it’s not a crime to find and report bugs and vulns in proprietary software. But once there’s DRM, it is. So devices with DRM become reservoirs of unreportable vulns that bad guys can take advantage of.


It’s a bit off topic but somebody help me to understand why diesel vehicles like this are legally allowed to spew visible black smoke while normal gasoline engines are subjected to strict emissions tests and fined heavily for defective smog controls.

Every time I see a truck belching out clouds like this I’m always tempted to call the cops on them. (And don’t get me started on those rolling coal assholes).

Another side point… I have been tempted to buy a Passat TDI for my next car but something about VWs and the outrageous cost of parts, service and simply the German-esque way they are built (ie: unnecessary complexity) just rubs me the wrong way.


Okay, I see your point - your goal is much more ambitious than mine, but we’re on the same side of the struggle : )


Where can I read more about the specifics of this “cheat” in the VW diesel firmware? It doesn’t surprise me that it is possible, as the Bluetech engines have fancy exhaust systems (specifically for emissions as well).

It sounds like perhaps the ECU detects when emissions are being monitored via OBD and behaves itself. Any idea on affected models?

Only if you get caught.

In some cases a parallel-construction approach could be devised. For the other cases we have to use anonymity/pseudonymity tools.

The legitimate part is optional, the reported part is what is important here.

We need a robust framework for anonymous or pseudonymous bug reporting to the public. Possibly, if we’d want to go light grayhat, do it as an offshore escrow service that contacts the vendor on behalf of the researcher, and publishes the bug with a fixed delay afterwards.

I can see it combined with a bitcoin-mediated public bug bounty pool.

Geopolitical rivalries may be useful to leverage when choosing the location of such a service provider.


Here’s a NY Times article about the EPA/VW clash


I’ve always loved old school VWs… I used to have a late 80s/early 90s Jetta and once had a 70s bug. I still plan to get an old school bug in the future. But a friend of mine had a VW Jetta wagon (I think it was a Jetta…) for years, I think it was an early aughts model - nothing but trouble. From what I’ve heard, I wouldn’t recommend it.

Interesting. I did receive a recall notification regarding an ECU update (actually having it done as I write this).

Discussion here, and a scan of the same letter I received:


It doesn’t sound like it’s the same issue, but they might be playing CYA and claiming it’s a fix for something other than what is actually being fixed.

The early aughts were when they switched generations; it took some years to work the bugs out (ho ho ho).

IIRC, it was the mid-1999 models that made the switch to the next gen with all the issues. I had a 1998 Jetta GLX 6-cyl., absolutely loved that car. For no apparent reason, it had a killer stereo stock that the following and preceding model years didn’t.

Anyways, I got back into VW ownership with the very first diesel model of the next Golf generation in 2009 (MK VI, I think?). Those fared much, much better. We just kicked over to MK VII I think, and I gather it’s faring similar to last gen so far.


Holy crap! I feel dumb and didn’t understand most of that! :wink: So you think the newer ones can be pretty good, depending on the year/model. I think part of the problem was the expense of the parts for repair, etc for the newer ones. That was just my friend’s experience, so it’s anecdotal, natch.

For a while, there was a pink VW bug for sale on the route I take my daughter to school. It sat on the person’s front lawn for months and months, and I kept talking about it. They moved it to their back yard during the summer, but I can still see it… I keep thinking I’ll stop and ask about it, but I never do because I just don’t have the time to deal with some kind of project. I’d love to learn to tinker with a car like that, but maybe not while I’m writing a dissertation! :wink:

My friend has a 97 Jetta and while it’s a sharp looking car and still runs great, there are so many little electrical gremlins that he’s looking to get rid of it.

Once I tried helping him do a brake job and couldn’t figure out how to get the calipers off. There were 4 different bolt sizes used on each wheel and no obvious way to reverse the brake piston without a “special” tool. On my Japanese car I can usually do a full 4-wheel brake job in under an hour using only 2 sockets and a C-clamp. Never did figure out the Jetta.

The same friend’s son bought a 2001 Audi A4 and has so far spent 2x what he paid for it in repairs - and now the turbo has gone out which will cost more to fix than the car is worth. An absolute piece of shit car in my opinion.


Back in the nineties, I had an office with a view of the road leading to the local emissions testing facility. I would occasionally see someone stop on the road in front of my office, get out, fiddle under the hood, and continue into the testing place. They’d do the same thing on the way out.

It looks like their shenanigans have now been incorporated into the VW firmware.