International team uncovers mechanisms of VW, Fiat software defeat device code
24 May 2017
An international team of researchers has uncovered the mechanisms of two families of software defeat devices for diesel engines: one used by the Volkswagen Group to pass emissions tests in the US and Europe, and a second found in Fiat Chrysler Automobiles. To carry out the analysis, the team developed new static analysis firmware forensics techniques needed to automatically identify defeat devices and confirm their function.
After testing some 900 firmware images, the researchers were able to detect a potential defeat device in more than 400 firmware images spanning eight years. Both the Volkswagen and Fiat vehicles use the EDC17 diesel ECU manufactured by Bosch, the researchers noted. Using a combination of manual reverse engineering of binary firmware images and insights obtained from manufacturer technical documentation traded in the performance tuner community, the researchers identified the defeat devices used, how the devices inferred when the vehicle was under test, and how that inference was used to change engine behavior. “Notably,” the team wrote in a paper presented at the 38th IEEE Symposium on Security and Privacy this week, “we find strong evidence that both defeat devices were created by Bosch and then enabled by Volkswagen and Fiat for their respective vehicles.”
During current emissions standards tests, cars are placed on a chassis equipped with a dynamometer. The vehicle follows a precisely defined speed profile that tries to mimic real driving on an urban route with frequent stops. The conditions of the test are both standardized and public. This essentially makes it possible for manufacturers to intentionally alter the behavior of their vehicles during the test cycle. The code found in Volkswagen vehicles checks for a number of conditions associated with a driving test, such as distance, speed and even the position of the wheel. If the conditions are met, the code directs the onboard computer to activate the emissions-curbing mechanism.
Electronic engine control has also made it easier to circumvent emissions testing by implementing a defeat device in software. The black box nature of emissions testing makes it nearly impossible to discover such a software-based defeat device during a test, forcing regulators to rely on heavy fines to discourage cheating. Unfortunately, as the Volkswagen case illustrates, it can take many years to discover such a defeat device. Given the ultimate limitations of testing, we are led to consider whether we can detect defeat devices using software verification techniques. Unfortunately, verifying complex software systems is a difficult problem in its own right, more so for a cyber-physical system like a modern automobile. In our case, the setting is also adversarial—rather than trying to find bugs, we are looking for intentional attempts to alter a system’s behavior under test conditions. This paper aims to be a first step in cyber-physical system verification in an adversarial setting with two case studies of automobile defeat devices and binary analysis techniques to identify verification-critical code elements across multiple software revisions.
—Contag et al.
Computer scientist Kirill Levchenko led the research effort at UC San Diego. The work, supported by the European Research Council and by the US National Science Foundation (NSF), started when computer scientists at Ruhr University, working with independent researcher Felix Domke, teamed up with Levchenko and the research group of computer science professor Stefan Savage at the Jacobs School of Engineering at UC San Diego.
Savage, Levchenko and their team have extensive experience analyzing embedded systems, such as cars’ onboard Engine Control Units, for vulnerabilities. The team examined 900 versions of the code and found that 400 of those included information to circumvent emissions tests.
A specific piece of code was labeled as the “acoustic condition”—ostensibly, a way to control the sound the engine makes. But in reality, the label became a euphemism for conditions occurring during an emissions test. The code allowed for as many as 10 different profiles for potential tests. When the computer determined the car was undergoing a test, it activated emissions-curbing systems, which reduced the amount of nitrogen oxide emitted.
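An auditor-side view of the profile matching described above, as an added example that is not code from the paper, from the researchers' tooling or from any firmware: it checks which published test cycles a firmware-extracted profile would enclose. Modelling a profile as a pair of lower/upper distance-over-time curves is an assumption made for illustration, and all profiles and speed traces below are constructed.

```python
from bisect import bisect_right

def interp(curve, t):
    """Piecewise-linear value of curve [(t, d), ...] at time t, clamped at both ends."""
    i = bisect_right([p[0] for p in curve], t)
    if i == 0:
        return curve[0][1]
    if i == len(curve):
        return curve[-1][1]
    (t0, d0), (t1, d1) = curve[i - 1], curve[i]
    return d0 + (d1 - d0) * (t - t0) / (t1 - t0)

def distance_trace(speeds_kmh, dt=1.0):
    """Integrate a speed trace (km/h, one sample every dt seconds) into (t, metres)."""
    trace, d = [], 0.0
    for k, v in enumerate(speeds_kmh):
        d += v / 3.6 * dt
        trace.append(((k + 1) * dt, d))
    return trace

def fits(profile, trace):
    """True if every (time, distance) point stays between the profile's two curves."""
    return all(interp(profile["lower"], t) <= d <= interp(profile["upper"], t)
               for t, d in trace)

def matching_profiles(profiles, cycles):
    """Map each profile name to the cycles it encloses; a hit warrants manual review."""
    return {name: [c for c, speeds in cycles.items()
                   if fits(p, distance_trace(speeds))]
            for name, p in profiles.items()}

# Constructed sample data (hypothetical, not taken from any firmware image).
CYCLES = {
    "toy_test_cycle": [0] * 10 + [18] * 10 + [36] * 20 + [0] * 10,  # idle, 2 ramps, stop
    "steady_road_drive": [50] * 50,                                # constant 50 km/h
}
PROFILES = {
    "profile_A": {"lower": [(0, 0), (10, 0), (20, 40), (40, 230), (50, 230)],
                  "upper": [(0, 20), (10, 20), (20, 70), (40, 270), (50, 270)]},
    "profile_B": {"lower": [(0, 0), (50, 400)],
                  "upper": [(0, 50), (50, 500)]},
}

if __name__ == "__main__":
    for name, hits in matching_profiles(PROFILES, CYCLES).items():
        print(name, "encloses:", hits or "no known cycle")
```

A profile that tightly encloses a standardized cycle while rejecting ordinary driving, as `profile_A` does here, is the signal an analyst would follow up with manual reverse engineering.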
The Volkswagen defeat device is arguably the most complex in automotive history.
—Kirill Levchenko
Researchers found a less sophisticated circumventing ploy for the Fiat 500X. That car’s onboard computer simply allows its emissions-curbing system to run for the first 26 minutes and 40 seconds after the engine starts—roughly the duration of many emissions tests.
We implemented our approach in a tool called CURVEDIFF. Given that we perform an intra-procedural analysis, we might miss certain ways how a defeat device can be implemented and an inter-procedural analysis could enhance the soundness of our implementation. Furthermore, our analysis can be extended to take more primitive building blocks such as timers and multiplexers into account to deepen the knowledge about the relation of various components in the detection logic.
—Contag et al.
The study draws attention to the regulatory challenges of verifying software-controlled systems that may try to hide their behavior and calls for a new breed of techniques that work in an adversarial setting.
Resources
Moritz Contag, Guo Li, Andre Pawlowski, Felix Domke, Kirill Levchenko, Thorsten Holz, and Stefan Savage (2017) “How They Did It: An Analysis of Emission Defeat Devices in Modern Automobiles”
"Written" by Bosch, and "Enabled" by Fiat / VW .... tut tut.
What annoys me is that 95% of the damage was done in Europe, (where most people drive (or used to drive) diesel) while most of the money went to the USA. Something of a shakedown IMO.
Posted by: mahonj | 24 May 2017 at 10:25 AM
The EU smog checks for diesel were less limiting than in the U.S. But, you are right, most of the damage was in Europe and still is as there are still old diesels running the roads there. Some Governments are trying to buy the old ones for the crusher.
Posted by: Lad | 24 May 2017 at 01:10 PM
Brings new meaning to the British phrase "complete bosh".
Posted by: Floatplane | 24 May 2017 at 02:31 PM
What we should ask, why so much effort put forth to cheat the emissions test? Common sense would indicate there must be much to gain. What exactly do these emission controls cost consumers? The public is never treated to information in which the EPA operates. Why is that? Why do they hide info and shouldn't they be vetted as compared to the scrutiny suffered by any private sector business that would be in the business of meeting needs of public? Or are they given tyrannical power as we can't handle the truth? Do they fear if we had the info that would take their control and power away to some degree and make them more accountable? I for one want to inspect the cost vs benefits of this agency. Are they separating the pepper from the fly poop to gain a trivial improvement at a large cost to consumer, because they have the attitude they can, and suffer no cost/skin to them? Do they consider all improvements good as it will cost the consumer more and inhibit the auto use and may even improve air quality for a short period of use? I want the public to have an array of choices in which improvements to environment could be made. I don't want mindless regulations that offer little improvement. For example, should we be using the wasted money of consuming public in better ways? There must be myriad ways to improve the environment.
Posted by: Trees | 25 May 2017 at 02:57 AM
Because of its high torque, nothing tows better than a diesel. And because of the high efficiency of the engine and high energy density of the fuel nothing covers more ground on a given tank size than a diesel. But MAN, I still have to look at myself in the mirror; https://www.theguardian.com/cities/2017/apr/13/death-of-diesel-wonder-fuel-new-asbestos
Posted by: ai_vin | 29 May 2017 at 08:00 AM