An international team of researchers lead by Kirill Levchenko, a computer scientist at the University of California San Diego, has uncovered the mechanism that allowed Volkswagen to circumvent the U.S. and European emission tests over at least six years before the Environmental Protection Agency put the company on notice in 2015 for violating the Clean Air Act. The team has presented their findings at the 38th IEEE Symposium on Security and Privacy in the San Francisco Bay Area.

During a year-long investigation, researchers found the code that allowed a car’s onboard computer to determine that the vehicle was undergoing an emissions test. The computer then activated the car’s emission-curbing systems, reducing the amount of pollutants emitted. Once the computer determined that the test was over, these systems were deactivated.

When the emissions curbing system wasn’t running, cars emitted up to 40 times the amount of nitrogen oxides allowed under EPA regulations.

“We were able to find the smoking gun,” Levchenko said. “We found the system and how it was used.” Computer scientists obtained copies of the code running on Volkswagen onboard computers from the company’s own maintenance website and from forums run by car enthusiasts. The code was running on a wide range of models, including the Jetta, Golf, and Passat, as well as Audi’s A and Q series. “We found evidence of the fraud right there in public view,” Levchenko said.

During emissions standards tests, cars are placed on a chassis equipped with a dynamometer, which measures the power output of the engine. The vehicle follows a precisely defined speed profile that tries to mimic real driving on an urban route with frequent stops. The conditions of the test are both standardized and public. This essentially makes it possible for manufacturers to intentionally alter the behaviour of their vehicles during the test cycle. The code found in Volkswagen vehicles checks for a number of conditions associated with a driving test, such as distance, speed, and even the position of the wheel. If the conditions are met, the code directs the onboard computer to activate emissions-curbing mechanism when those conditions were met.

Finding the code

It all started when computer scientists at Ruhr University, working with independent researcher Felix Domke, teamed up with Levchenko and the research group of computer science professor Stefan Savage at the Jacobs School of Engineering at UC San Diego.

Savage, Levchenko, and their team have extensive experience analysing embedded systems, such as cars’ onboard computers, known as Engine Control Units, for vulnerabilities. The team examined 900 versions of the code and found that 400 of those included information to circumvent emissions tests.

A specific piece of code was labelled as the “acoustic condition”—ostensibly, a way to control the sound the engine makes. But in reality, the label became a euphemism for conditions occurring during an emissions test. The code allowed for as many as 10 different profiles for potential tests. When the computer determined the car was undergoing a test, it activated emissions-curbing systems, which reduced the amount of nitrogen oxide emitted.

“The Volkswagen defeat device is arguably the most complex in automotive history,” Levchenko said. Researchers found a less sophisticated circumventing ploy for the Fiat 500X. That car’s onboard computer simply allows its emissions-curbing system to run for the first 26 minutes and 40 seconds after the engine starts—roughly the duration of many emissions tests.

Researchers note that for both Volkswagen and Fiat, the vehicles’ Engine Control Unit is manufactured by automotive component giant Robert Bosch. Car manufacturers then enable the code by entering specific parameters.

Diesel engines pose special challenges for automobile manufacturers because their combustion process produces more particulates and nitrogen oxides than gasoline engines. To curb emissions from these engines, the vehicle’s onboard computer must sometimes sacrifice performance or efficiency for compliance.

The study draws attention to the regulatory challenges of verifying software-controlled systems that may try to hide their behaviour and calls for a new breed of techniques that work in an adversarial setting. "Dynamometer testing is just not enough anymore,” Levchenko said.