A Tale of Three Hacks: Dieselgate, Jeep, and the VW Supply Chain

Illustration of VW Supply Chain hack

The Dieselgate Hack: Friendly but Very Costly

A 2015 software hack at Volkswagen caused a scandal that was unprecedented in size and scope. Called “Dieselgate” or “emissions gate,” the Volkswagen hack used specially designed software to hack the performance of its “clean diesel engines” in 11 million cars worldwide, including 500,000 cars in the USA. This software could detect when the car’s emissions were being tested and adjust the car’s engine to perform more efficiently, hiding the fact that the cars were actually producing NOx at 40 times the legal amount.

Volkswagen concealed this hack for nearly seven years, but once it was discovered, it cost the company dearly. Several executives, including the CEO, were fired or forced to resign, and the company’s stock lost nearly 25% of its value. Sales plummeted, and the company paid nearly $39 billion in fines, settlements, and legal costs.

But in the end, there was a small silver lining: $2 billion in fines were to be used for installing an electric vehicle charging network in the USA, with hundreds of stations and thousands of chargers. In 2020, the automaker recognized the danger its diesel engines posed to the company’s future and revealed a $37 billion strategy for developing and producing 28 million electric vehicles by 2028.

Hacking a Jeep at 70 MPH

Even non-electric cars like VWs are not the mechanical systems they used to be. Each flip of a switch, turn of a knob, or press of a pedal is more like a keystroke on a computer or a swipe on a mobile phone than an action in the mechanical vehicles of the 1970s, 1980s, or 1990s.

Regardless of the manufacturer, today’s cars are actually computers on wheels containing 150 or more mini-computers, known as electronic control units (ECUs). Together, these ECUs contain 200 million lines of software code, 5,000 times more code than the space shuttle or nearly 10 times the amount in an F-35 fighter jet. Each ECU controls a specific function in your car, like opening and closing windows, steering, acceleration and braking, and the infotainment system that’s connected to the Internet. And like your office or home network, your car’s outbound Internet connection can be used by hackers and thieves to get inside your car’s network.

Car hacking isn’t just cool special effects from movies like Fast and the Furious 8. It’s definitely very real. In 2015, while VW was busy hacking its diesel engines, two white hat hackers, Charlie Miller and Chris Valasek, drove a Jeep off the highway from 10 miles away. 

Hacked Jeep on the side of the road

In 2019, car hacking made the headlines when some successful key fob hacks led to a rash of Tesla thefts in the UK. But the big hack that was recently discovered at Volkswagen came from a completely different direction.

Hackers (Again) Strike the Supply Chain

While VW was still busy dealing with continuing legal issues from hacking their own diesel engines, sometime between August 2019 and May 2021, others were occupied with a new Volkswagen hack focused on the supply chain. At an external marketing vendor, the hackers discovered an unsecured file with the personal information of more than 3.3 million American and Canadian Volkswagen and Audi customers, including their phone numbers, email addresses, mailing addresses, social security numbers, dates of birth, vehicle identification numbers, and possibly more.

This huge data breach once again exposed the supply chain as the soft underbelly of many companies. As we’ve seen with the recent hacks of Microsoft Exchange Server, SolarWinds, Colonial Pipeline, and JBS, supply chains are the weakest link in enterprises’ and governments’ cyber strategies. As extensions to corporate networks, improperly protected supply chain networks are no less a cyber risk than the company connection to the Internet.

While we don’t know whether this particular data breach will lead to identity theft or worse, we already know that supply chain attacks can have major repercussions, from gas shortages to imperiling the food supply or potentially even poisoning the water supply.

No Trust, No Access

The White House, in its recent Cybersecurity Executive Order, has set an important precedent by identifying its own supply chain as a critical area for establishing cybersecurity standards and implementing Zero Trust or Zero Trust Network Access (ZTNA).

This cybersecurity concept is centered on the principle of “verify, then trust.” This means that no network user should be automatically trusted to access any computing resource on the network or the cloud. Each user must first be identified and classified. Only then are they given access based on who they are and what they need to do, not where they are located.
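
The access decision described above, as an added example that is not part of the original article: a perimeter-style check that trusts by network location, beside a deny-by-default check that trusts only a verified, classified identity. The network range, role names, resources, and sample requests are all constructed for illustration.

```python
# Added example: perimeter-style vs. Zero Trust access decisions.
# Network range, roles, resources and requests are constructed for illustration.
import ipaddress
from dataclasses import dataclass

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical "inside" range

# Hypothetical policy: role -> resource -> allowed actions (anything else is denied)
POLICY = {
    "marketing-vendor": {"campaign-assets": {"read", "write"}},
    "crm-analyst": {"customer-records": {"read"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    verified: bool   # identity was authenticated for this request
    role: str        # classification assigned to the verified identity
    source_ip: str
    resource: str
    action: str

def perimeter_allows(req):
    """Location-based trust: any request from inside the network is allowed."""
    return ipaddress.ip_address(req.source_ip) in TRUSTED_NET

def zero_trust_allows(req):
    """Verify, then trust: deny by default; source_ip is never consulted."""
    if not req.verified:
        return False
    return req.action in POLICY.get(req.role, {}).get(req.resource, set())

# Constructed sample requests
SAMPLES = [
    Request("vendor-01", True, "marketing-vendor", "10.2.3.4", "customer-records", "read"),
    Request("analyst-07", True, "crm-analyst", "203.0.113.7", "customer-records", "read"),
    Request("unknown", False, "crm-analyst", "10.9.9.9", "customer-records", "read"),
]

def compare(requests):
    """Return (user, perimeter decision, zero trust decision) per request."""
    return [(r.user, perimeter_allows(r), zero_trust_allows(r)) for r in requests]

if __name__ == "__main__":
    for user, perimeter, zero_trust in compare(SAMPLES):
        print(f"{user:11} perimeter={perimeter!s:5} zero_trust={zero_trust}")
```

The vendor account on the internal network is allowed by the perimeter check but denied by the Zero Trust check, because its role has no grant on the customer records; the verified analyst connecting from outside gets the opposite result.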