
Comment by this_user

15 hours ago

German companies, especially old school industrial ones like VW, have a very hard time understanding open platforms. They view everything through the lens of liability and compliance first. Their thinking is that if someone runs their app on a custom ROM and uses that to manipulate the app in any way, and that causes some extremely hypothetical damage, they might be held liable for not having prevented this situation.

Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.

It looks like the software development at Volkswagen is done by a mixed bag of different departments with different quality.

On one hand you have: Linux at Volkswagen

"Software development without Linux is no longer possible within the automotive environment. Therefore Volkswagen Group IT created and maintains a Linux distribution for our developers. This short talk will highlight our starting goal to integrate into the existing environment, highlight our integration problems and solutions with contributing to upstream. Furthermore we will show where the Linux desktop needs to improve in future iterations to be a good fitting replacement for other systems."

https://media.ccc.de/v/4486-linux-at-volkswagen

On the other hand you have an insecure implementation of telemetry: Wir wissen wo dein Auto steht (We know where your car is parked)

"Movement data from 800,000 electric cars, along with contact information for their owners, sat unprotected on the internet. It was visible who parked at home, at the BND, or outside a brothel, and when.

What are the consequences when VW collects vehicle, movement and diagnostic data en masse and leaves the key under the doormat?"

https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-vo...

  • I’ve spent time doing software at VW and a few of its subsidiaries, and this matches my experience.

    Compliance is everything, and SAFe (Scaled Agile) is deployed as a blunt instrument.

    Management treats software exactly like hardware production lines—everything is just an "engineering process" that can be optimized on a spreadsheet.

    The underlying assumption is that individual engineering talent is just an interchangeable commodity. Once you view developers as replaceable cogs, outsourcing the entire infrastructure to the lowest bidder in India becomes the logical conclusion.

    It’s a textbook case of process-over-people driving institutional tech debt.

If they have concerns about the security of their app on some platform, they have the choice to either put "security" into the app, or to trust the platform vendor to provide the security. The correct solution is the first way. Deferring trust to the platform provider is the lazy way.

If their APIs are done correctly, they shouldn't be afraid to expose them.

  • You're proving the previous commenter's point. VW doesn't want liability. They do not care about "security" just liability.

    When they leave the "security" to the platform they can blame them in a lawsuit.

  • How else would you build "security" into the app (in the sense of not allowing third-party modifications of it that would open them up to liability), except relying on hardware attestation that the app has not been modified? That attestation necessarily requires the platform provider to be involved.

    • You don't, the app runs on a user-supplied device. They should secure the part that runs on the car and consider the interface between the app and the API to be a user interface.

    • Volkswagen has no jurisdiction over how I manage my fob, which is the client for the vehicle's unlock and start API. Once you hand a bearer token to me that governs full access to the vehicle, including the accelerator and steering wheel, it's not your job to babysit whether I chose to use it while drunk or hand it over to someone else.


It's more about rules than hypothetical liability for Germans.

It's inconceivable that someone would want to use a car outside of its specified rules.

VW didn’t seem too concerned with compliance when they were rigging their pollution tests.

  • That was just engineers engineering their way into creating Electrify America :)

    • I am pretty sure that was not the engineers, but someone higher up the food chain ordering people to do that. I might be wrong, but maybe I missed the obvious "/s" or "/i" here.


  • I mean, the only reason they did it was to be able to comply with the requirements of the test.

    But the reality is that every once in a while you have a scandal like this or something like Wirecard, and it happens, because the culture is such that absolutely nobody thinks it possible. That includes officials and regulators whose first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.

    • >because the culture is such that absolutely nobody thinks it possible

      Only naive laymen or newcomers to Germany think it's not possible. German business leaders, lawyers and politicians know exactly how much corruption and scamming is going on in the business sector, and it's not a little.

      >first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.

      That was purely malicious to try to protect Wirecard, not because the regulators couldn't possibly imagine corruption and law breaking exists, that was the story they used as cover for their corruption.

      Like you're a regulator and instead of doing the thing you were hired for and look at the evidence The Economist showed you, you instead "use your instincts" to decide not to do your job and not look into Wirecard because you can't imagine something bad can ever happen? Come on! All those regulators should have been fired and tried for corruption and/or accessory to crime.

  • Them cheating the tests WAS them ensuring THAT compliance.

    In fact, that's how a lot of compliance works in industries where there's little enforcement and a lot relies on self regulation.

If I had to guess it’s liability concerns around the app-based remote unlock and parking + R155 and CRA. A lot of European companies have moved to require attestation in their apps, likely spurred on by the CRA.

  • But why? I'd understand (though not approve) them tightening down everything about the car firmware to the max. They are responsible for the app, sure (it's a "digital element"), but they aren't responsible for the OS the app runs on. The CRA should not be used as an excuse to enact stupid restrictions.

    • Unfortunately, due to the nature of these things, you cannot verify an app is unmodified without also verifying the OS running it is also unmodified. So if VW decides that only their unmodified app may access APIs, then they kind of are stuck verifying the OS.

      They can, given basic competence in SW engineering, also verify against GrapheneOS' published release keys. The reason they don't is the same reason Google closed my ticket asking them to include Graphene keys in Play Integrity checks: they don't care.
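The attestation question running through this thread (why checking that an app is unmodified drags in checking the OS it runs on, and whether a vendor could accept GrapheneOS's published verified boot key rather than only Google's) can be made concrete with a server-side policy check. The block below is an added example and is not code from VW, GrapheneOS, Google or anyone in the thread. It parses the RootOfTrust structure that Android hardware key attestation embeds in the attestation certificate extension and applies an allowlist policy to it. Assumptions: the attestation certificate chain has already been validated back to Google's attestation root and the RootOfTrust DER bytes extracted (that step is skipped here), and the key hashes in TRUSTED_VERIFIED_BOOT_KEYS are placeholders standing in for the real Google and GrapheneOS values, which a deployment must take from each vendor's published documentation.

```python
import hashlib
from dataclasses import dataclass

# VerifiedBootState values from the Android key attestation schema.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3

# PLACEHOLDER key hashes (constructed). Real values come from the vendors'
# published verified boot key hashes; these are only stand-ins for the example.
TRUSTED_VERIFIED_BOOT_KEYS = {
    "stock-google": hashlib.sha256(b"placeholder: google avb key").digest(),
    "grapheneos": hashlib.sha256(b"placeholder: grapheneos avb key").digest(),
}


@dataclass
class RootOfTrust:
    verified_boot_key: bytes    # hash of the key that signed the boot chain
    device_locked: bool         # bootloader locked?
    verified_boot_state: int    # one of the VerifiedBootState values above
    verified_boot_hash: bytes   # hash of the booted images (not policed here)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_root_of_trust(der):
    """Parse RootOfTrust ::= SEQUENCE { OCTET STRING, BOOLEAN, ENUMERATED, OCTET STRING }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("RootOfTrust must be a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x04, 0x01, 0x0A, 0x04]:
        raise ValueError("unexpected RootOfTrust field layout")
    (_, key), (_, locked), (_, state), (_, vb_hash) = fields
    if locked not in (b"\x00", b"\xff"):
        raise ValueError("non-DER BOOLEAN encoding")
    return RootOfTrust(key, locked == b"\xff", int.from_bytes(state, "big"), vb_hash)


def evaluate(rot, trusted_keys=TRUSTED_VERIFIED_BOOT_KEYS):
    """Allowlist policy: locked device, Verified boot state, trusted signing key."""
    if rot.verified_boot_state != VERIFIED:
        return False, "verified boot state is not Verified"
    if not rot.device_locked:
        return False, "bootloader unlocked"
    for name, key in trusted_keys.items():
        if rot.verified_boot_key == key:
            return True, f"verified boot key matches {name}"
    return False, "verified boot key not in allowlist"


def _tlv(tag, value):
    return bytes([tag, len(value)]) + value    # short-form length only (< 128 bytes)


def encode_root_of_trust(key, locked, state, vb_hash):
    """Constructed sample encoder, used only to build offline inputs for the demo."""
    return _tlv(0x30, _tlv(0x04, key) + _tlv(0x01, b"\xff" if locked else b"\x00")
                + _tlv(0x0A, bytes([state])) + _tlv(0x04, vb_hash))


if __name__ == "__main__":
    # Constructed sample: a locked device booted with the (placeholder) GrapheneOS key.
    graphene = parse_root_of_trust(encode_root_of_trust(
        TRUSTED_VERIFIED_BOOT_KEYS["grapheneos"], True, VERIFIED, bytes(32)))
    print("allowlist with GrapheneOS key:", evaluate(graphene))
    stock_only = {"stock-google": TRUSTED_VERIFIED_BOOT_KEYS["stock-google"]}
    print("Google-key-only allowlist:   ", evaluate(graphene, stock_only))
    unlocked = parse_root_of_trust(encode_root_of_trust(bytes(32), False, UNVERIFIED, bytes(32)))
    print("unlocked device:             ", evaluate(unlocked))
```

The same attested RootOfTrust is accepted or rejected purely by what the allowlist contains: a locked GrapheneOS device reports the Verified state like a stock phone does, just with a different signing key, so including that key is the whole difference between the two policies.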

Germans will talk a lot about data privacy but then do stuff like this regularly.

  • One is people, one is companies.

    • It sends very weird signals when the EU will fine an American company over some data moving in a direction they don't like while at the same time EU governments will allow home grown companies to de facto force people into using products from those same American companies all while lecturing us about duopolies and privacy only to re-enforce those same problematic patterns. It is absurd.

Yeah sure, the company behind Dieselgate and single handedly destroyed the diesel market is worried about compliance? Give me a break.

  • Yes? These things directly follow one another: VW are obsessed with letter-of-the-law compliance, so things like end-runs around test routines are obvious solutions.

    And VW didn't single-handedly destroy the diesel market; economics and physics did. Almost every other manufacturer was also fudging the test results in some way. But more importantly, building a passenger car diesel that meets NOx targets doesn't work; by the time a passenger car diesel meets modern NOx targets honestly, the car contains a ludicrous precious metal loading in the catalyst and is only a few percentage points more efficient in terms of consumption and CO2 emissions than a petrol car and the math doesn't add up. Diesel is just not a practical solution for passenger cars; it never was in most ways, but it took the EU a long time to restrict NOx pollution to a sustainable level and expose the physical issues at hand.

    • You can have high-mileage diesel cars or low-emissions diesel cars but not both at the same time.

      VW knew this but lied to customers and told them they could have both. Dieselgate was their attempt to convince everybody the lie was true.


  • VW is large enough that different parts of the company can have very different opinions.

    • That itself though speaks for a broken company culture. If one part of the company is completely misaligned with the values of good engineering, why should anyone still trust the company as a whole? It seems they at the very least severely lack a good vision then, to uphold the company values or what should be the company values.


    • I mean, the app services department doesn't exactly have a track record of perfect compliance (privacy) either, so there is that.

  • You don't understand, both come from the same motivation and way of thinking: You see, compliance in Germany is about pretending to be super-compliant and not getting caught. Everyone will do the dance, make all the moves, and if you seem to make all the moves, you are assumed to be compliant. Supervisory authorities will not really check thoroughly except if you are annoying them or making them look bad. Especially if you are partially state-owned like VW.

    In Dieselgate VW got caught, made the supervisory authorities and politicians look bad, which is why the authorities also weren't inclined to sweep it under the rug completely. They just shielded VW from the financial consequences in Germany (German VW customers got shafted).

    Blocking GrapheneOS is the useless "pretending" part of compliance. They don't really want to do security, because that would cost money, so they pick some actions that seem drastic, harsh and don't cost them anything to implement. Later, when there is a security incident, they will point to their huge heap of pretend compliance, whine a bit about state sponsored actors, high criminal intent and other obvious deflecting bullshit. But they will get away with it, because they did the compliance dance, so they are obviously compliant and did nothing wrong. Nobody in authority will look twice as long as they are neither annoyed nor made to look bad.

    tl;dr: compliance in Germany is performative

> They view everything through the lens of liability and compliance first.

Wow, so they must really want to avoid the liability of spying on their users and keeping all that data, and to be extra sure to comply with the GDPR, they must keep only the absolute minimum of data, right?

Wrong: https://www.theregister.com/security/2025/01/06/data-describ...

https://dailysecurityreview.com/security-spotlight/volkswage...

When a company behaves as your enemy, don't invent wild justifications for how they're actually not. At least leave it to their PR team.