
I support the EFF with regular donations and definitely don't care for the DMCA, but this feels like quite a stretch...

Most estimates put the number of lines of code in a new car at near 100 million, it'd be trivial for a company with intent to obfuscate the 'emissions mode' criteria in a manner that would be completely invisible to researchers.



I feel exactly the opposite. I think the poor quality of code in this industry across all manufacturers would benefit greatly from a little sunlight. Some of the researchers I know are clever people, they might get lucky. /s


I agree with your overall point that auto code should be open to review and the "could have uncovered" buys the EFF enough wiggle room in the headline -- but it just seems extremely unlikely that it would have been uncovered.

Part of my doubt comes from a financial incentive for random researchers to really spend time on bug review for Jetta wagons.. Though seeing the 20% stock plunge and following a few 'Fraud Cap' traders did provide an interesting view into a possible reward mechanism for researchers who find illegal or dangerous defects in embedded code..


What's a Fraud Cap trader?


There's a class of hedge funds and independent traders that specifically search out frauds to profit off of exposing their malfeasance. The most famous of this group at the moment is probably Muddy Waters Research[1].

They look for companies that are trading at suspiciously high prices relative to their peers and then try to figure out why. In many cases lately, their targets are Chinese companies that "reverse-merge" with companies that are already listed on US stock exchanges. These companies are often partly or mostly fraudulent, and the "Fraud Cap" traders take large short positions and then publish their research to make immense profits off of the cratering share prices.

Their methods usually start with poring over financial records but often involve boots on the ground too... In one case, they hired people to literally count every truck that came and went from a factory that was claiming much more business than it was actually doing.

It's a fascinating part of the market and I think a net 'good' in the scheme of things but I think it'd be interesting if hedge funds started deep dives on published code in an attempt to profit off of security holes or intentionally dishonest emissions controls..

[1] - http://money.cnn.com/2012/05/02/markets/muddy-waters-carson-...

Muddy Waters has caused the SEC to delist several companies and a few others are trading at a tiny fraction of their former share price.


A special case of short sellers; see: Whitney Tilson, Zhang Lei. http://www.newyorker.com/magazine/2015/03/23/in-praise-of-sh...


Don't underestimate the simple effect that publishing the code will bring. If a car company knew that all the source code that went into the car would be published they would have to be comfortable with what might be in there because there would always be a risk of someone finding something. It's a bit like the asymmetry in security investment: the attackers (or emissions researchers in this case) only need to find a single issue to win, but the defenders (car companies) have to invest across a broad range of areas so there are no obvious weaknesses.

As a comparison, consider the difference in a developer's behaviour when writing code or a commit message in a completely private repository vs. one which will be published for anyone to see. Closed code only needs to reach the level that's considered 'normal' for the culture within the organisation. For many developers the quality threshold goes up for things that will be published more widely, even if the potential audience is small.


This is a good point I hadn't considered, thanks.


Do you have a reference for this?

The EEPROMs I've seen in relatively modern stuff top out around 2MB of mostly maps.

Someone below points out it's mostly entertainment systems.


Cars are pretty much traveling entertainment systems these days, so I'm sure most of it isn't "mission critical" code, but here's a decent seeming source:

http://spectrum.ieee.org/transportation/systems/this-car-run...


I doubt that the EEPROM is holding all the code these days. For the most part, it's probably holding small subroutines, or even just LUTs for mapping the parameters of the control logic.


Seems amazing to me that one could write 100 million lines of code to set the spark advance and the fuel mixture. :-)


Ah... you haven't seen the Enterprise version of FizzBuzz then? :)


I wonder what sort of code it is that it's that many lines. Is it lookup tables, or real-deal code?


It's probably mostly real code, though cars certainly do use plenty of lookup tables, starting from one of the earlier uses of computers in cars, the engine control unit.

Modern cars have tons of things needing code:

  Power seats with memory
  Drive by wire gas pedal and cruise control
  Keyless entry
  Stereo system (auto volume by speed, etc.)
  GPS/Navigation (perhaps third-party)
  USB outlets for iPods, USB sticks for music
  Reverse-gear proximity sensors
  Emissions controls (oops!)
  OnStar-type services
  Cellular phone integration, e.g. mute on ring
  Lighting (DRL, smart cabin dimming)
  Traction control and ABS
  Variable suspension
  Dashboard diagnostics
  OBD-II
  Self-parking
  Windshield wipers (auto speed, rain sensors)
  Antitheft systems
I'm sure I've left out plenty, but even something "simple" like keyless entry has a lot of features (integration with OnStar, alarm system, reprogramming support for new remotes, ...). How many LOC do you think that entails? I imagine at least 100K LOC (keeping in mind it's likely written in C or similar).


Most of those are not part of the ECU code.


The E in ECU can mean Engine or Electronic. Which do you intend here?


You tell me. How is the answer not obvious in the current context?


Well the parent of the comment I first replied to said "Most estimates put the number of lines of code in a new car at near 100 million." I took that to mean total LOC in a car, not in an Engine Control Unit. But your comments to me suggest you are talking about an Engine Control Unit. Forgive me, but it is not obvious to me what you are on about.


I think the point is that if you're talking about finding malicious engine control activity, then talking about the number of lines of code for the entire car is irrelevant, because all that matters is the code for the engine control unit.


Most of these functions are not relevant to the discussion because they are not controlled by the ECU.


This article breaks it down a little better.

http://www.redbend.com/data/upl/whitepapers/red_bend_update_...

The biggest chunk is obviously the radio/nav system.


