Biz & IT

Transportation Weekly: Polestar CEO speaks, Tesla terminology, and a tribute

Welcome back to Transportation Weekly; I’m your host Kirsten Korosec, senior transportation reporter at TechCrunch . This is the fourth edition of our newsletter, a weekly jaunt into the wonderful world of transportation and how we (and our packages) move.

This week we chat with Polestar CEO Thomas Ingenlath, dig into Lyft’s S-1, take note of an emerging trend in AV development, and check out an experiment with paving. Oh, and how could we forget Tesla.

Never heard of TechCrunch’s Transportation Weekly? Catch up here, here and here. As I’ve written before, consider this a soft launch. Follow me on Twitter @kirstenkorosec to ensure you see it each week. (An email subscription is coming). 


ONM …

There are OEMs in the automotive world. And here, (wait for it) there are ONMs — original news manufacturers. (Cymbal clash!) This is where investigative reporting, enterprise pieces and analysis on transportation live.

This week, we’re featuring excerpts taken from a one-on-one interview with Polestar CEO Thomas Ingenlath.

On February 27, Volvo’s standalone electric performance brand Polestar introduced its first all-electric vehicle, a five-door fastback called the Polestar 2. The EV, which has a 78 kWh battery pack and can travel 275 miles (estimated EPA guidance) on a single charge, will be manufactured at a new factory in Chengdu, China. Other notable specs: The infotainment system will be powered by Android OS, Polestar is offering subscriptions to the vehicle, and production starts in 2020.

Here is what Ingenlath had to say to me about …

EV charging infrastructure

To be very unpolitical, I think it would be totally stupid if we were to aim to develop electric charging infrastructure on our own or for our brand specifically. If you join the electric market today, of course, you would see partnerships; that’s a sensible thing to do. Car companies together are making a big effort in getting out a network of necessary charging stations along the highway.

That’s what we’re doing; we’re teaming up and have the contracts being designed and soon signed.

On the company’s approach to automation 

The terminology is important for us. We very clearly put that into a different picture; we’re not talking about, and we clearly do not ever want to label it, an “autopilot.” The focus of this system is a very safe distance control, which brakes for you and accelerates for you, and of course, the lane keeping. This is not about developing an autopilot system, it is about giving you safety. And that’s where we don’t want to provoke people into thinking that they have a full rollout autopilot system there. But it is a system that helps you be safe and protected on the road.

I also reached out to Transportation Weekly readers and asked what they wanted to know and then sent some of those questions to Ingenlath.

TW Reader: How did it feel taking one of your personal styling elements – the C shaped rear lamps – from your previous brand over to Polestar?

Ingenlath: It’s an evolutionary process. Polestar naturally builds on its “mother’s” DNA and as a new branch develops its own personality. Thor’s hammer, the rear light signature — with each new model launch (Volvo and Polestar) those elements diverge into a brand-specific species.

TW Reader: How much do you still get to do what you love, which is design?

Ingenlath: Being creative is still my main job, now applied on a broader scope — trying to lead a company with a creative and brand building mindset. Still, I love the Fridays when I meet up with Robin and Max to review the models, sketches and new data. We really enjoy driving the design of both brands to new adventures.


Dig In

Tesla is finally going to offer customers a $35,000 Model 3. How the automaker is able to sell this electric vehicle at the long-awaited $35,000 price point is a big piece of that story — and one that some overlooked. In short, the company is blowing up its sales model and moving to an online only strategy. Tesla stores will close or be converted to “information centers” and retail employees will be laid off.

But this is not what we’re going to talk about today. Tesla has also brought back its so-called “full self-driving” feature, which was removed as an option on its website last year. Now it’s back. Owners can opt for Autopilot, which has automatic steering on highways and traffic-aware cruise control, or FSD.

FSD capability includes several features such as Navigate on Autopilot that is supposed to guide a car from a highway on-ramp to off-ramp, including navigating interchanges and making lane changes. FSD also includes Advanced Summon, Auto Lane Change, and Autopark. Later this year, the system will recognize and respond to traffic lights in more complex urban environments, Tesla says.

All of these features require the driver to be engaged (or ready to take over), yet it’s called “full self-driving.” Now Tesla has two controversially named automation features. (The other is Autopilot). As Andrew Hawkins at The Verge noted in his coverage, “experts are beginning to realize that the way we discuss, and how companies market, autonomy is significant.”

Which raises the obvious question, and one that I asked Musk during a conference call on Thursday: “Isn’t it a problem that you’re calling this full self-driving capability when you’re still going to require the driver to take control or be paying attention?” (I also wanted to ask a follow-up on his response, but the moderator moved on to the next reporter).

His response:

“We are very clear when you buy the car what is meant by full self driving. It means it’s feature complete, but feature complete requiring supervision.

As we get more — we really need billions of miles, if not maybe 10 billion sort of miles or kilometers on that order collectively from the fleet — then in our opinion probably at that point supervision is not required, but that will still be up to regulators to agree.

So we’re just very clear. There’s really three steps: there’s being feature complete of full self driving that requires supervision, feature complete but not requiring supervision, and feature complete not requiring supervision and regulators agree.”

In other Tesla news, the National Transportation Safety Board is investigating a crash that at first glance seems to be similar to the fatal crash that killed Tesla owner Joshua Brown.


A little bird …

We hear a lot. But we’re not selfish. Let’s share.


It’s no secret that Pittsburgh is one of the hubs of autonomous vehicle development in the world. But what’s not so widely known — except for a group of government and company insiders — is that Mayor William Peduto is on the verge of issuing an executive order that will give more visibility into testing there. 

The city’s department of mobility and infrastructure is the central coordinator of this new executive order that aims to help guide testing and policy development there. The department is going to develop guidelines for AV testing, we’re told. And it appears that information on testing will be released to the public at least once a year.

Got a tip or overheard something in the world of transportation? Email me or send a direct message to @kirstenkorosec.


Deal of the week

Daimler and BMW are supposed to be competitors. And they are, except with mapping (both are part of the HERE consortium), mobility services (car sharing, ride-sharing), and now the development of highly automated driving systems. The deal is notable because it illustrates a larger trend that has emerged as the AV industry hunkers down into the “trough of disillusionment.” And that’s consolidation. If 2016 was the year of splashy acquisitions, then 2019 is shaping up to be chock-full of alliances and failures (of some startups).

Also interesting to note, and something that will make some AV safety experts cringe: both companies are working on Level 3 driving automation, an SAE designation meaning conditional driving automation, in which multiple high levels of automation are available in certain conditions but a human driver must be ready to take over. This level of automation is the most controversial because of the so-called “hand off” problem, in which a human driver is expected to take control of the wheel in time.

Speaking of partnerships, another deal that got our attention this week involved New York-based mapping and data analytics startup Carmera and Toyota Research Institute-Advanced Development. TRI-AD is an autonomous drive unit started by Toyota with Denso and Aisin. TRI-AD’s mission is to take the research being done over at the Toyota Research Institute and turn it into a product.

The two companies are going to test a concept that will use cameras in Toyota test vehicles to collect data from downtown Tokyo and use it to create high definition maps for urban and surface roads.

TRI-AD considers this the first step towards its open software platform concept known as Automated Mapping Platform that will be used to support the scalability of highly automated driving, by combining data gathered from vehicles of participating companies to generate HD maps. AMP is new and has possible widespread implications at Toyota. And TRI-AD is full of A-listers, including CEO James Kuffner, who came from the Google self-driving project and Nikos Michalakis, who built Netflix’s cloud platform, and Mandali Khalesi, who was at HERE.

Read more on Khalesi and Toyota’s open source ambitions here.

Other deals:


Snapshot

Snapshot this week is a bit untraditional. It’s literally a snapshot of myself and my grandmother, months before her 100th birthday. Her memorial service was held Saturday. She died at 101.

I suppose I could blame my emotions and timing for her sudden inclusion in this week’s newsletter. But if Evelyn deserves a tribute anywhere, it’s here at TechCrunch.

I often wonder what technical field she would have ended up in, had she been given the opportunity. Given her specific skill set, I think she would have been a wonderful mechanical engineer. She was a closet techie, a lover of science fiction who was equally fascinated by the very real breakthroughs in science and space travel that occurred throughout her lifetime. Her 30-year career as a factory worker at an avionics manufacturer certainly wasn’t romantic. But it did give her a certain technical acumen (not to mention tenacity) that I admired.

And, she was one of my favorite test car companions. She loved cars and fast ones, but not so much driving them. Every time I got a new press car, we’d hit the road and she’d encourage me to take the turns a bit faster — sometimes beyond my comfort zone.

She also loved road trips and in the 1920s and 30s, her father would drive the family on the mostly dirt roads from New Jersey to Vermont and even Canada. In her teens, she loved riding in the rumble seat, a feature found in a few vehicles at the time including the Ford Model A.

She was young at heart, until the very end. And my one regret is that I didn’t find a way to get her into an autonomous vehicle.

Next week, we’ll focus on the youngest drivers and one automotive startup that is targeting that demographic.


Tiny but mighty micromobility

Lyft’s S-1 lays out the risks associated with its micromobility business and its intent to continue relying on third parties to manufacture its bikes and scooters. Here’s a key nugget about adoption:

“While some major cities have widely adopted bike and scooter sharing, there can be no assurance that new markets we enter will accept, or existing markets will continue to accept, bike and scooter sharing, and even if they do, that we will be able to execute on our business strategy or that our related offerings will be successful in such markets. Even if we are able to successfully develop and implement our network of shared bikes and scooters, there may be heightened public skepticism of this nascent service offering.”

And another about seasonality:

“Our limited operating history makes it difficult for us to assess the exact nature or extent of the effects of seasonality on our network of shared bikes and scooters, however, we expect the demand for our bike and scooter rentals to decline over the winter season and increase during more temperate and dry seasons.”

Lyft, which bought bike-share company Motivate back in July, also released some data about its electric pedal-assist bikes this week, showing that the pedal assist bikes are, unsurprisingly, more popular than the traditional bikes. They also traveled longer distances and improved winter ridership numbers. Now, Lyft is gearing up to deploy 4,000 additional electric bikes to the Citi Bike system in New York City.

One more thing …

Google Maps has added a feature that lets users see Lime scooters, pedal bikes and e-bikes right from the transit tab in over 80 new cities around the world. Users can click the tab to find out if a Lime vehicle is available, how long it’ll take to walk to the vehicle, an estimate of how much their ride could cost, along with total journey time and ETA.


Notable reads

If you take the time to read anything this week (besides this newsletter), spend some time with Lyft’s S-1. The ride-hailing company’s prospectus mentions autonomous 109 times. In short, yeah, it’s something the company’s executives are thinking about and investing in.

Lyft says it has a two-pronged strategy to bring autonomous vehicles to market. The company is encouraging developers of autonomous vehicle technology to use its open platform to get access to its network and enable their vehicles to fulfill rides on the Lyft platform. And Lyft is trying to build its own autonomous vehicle system at its confusingly named “Level 5 Engineering Center.”

  • The company’s primary investors are Rakuten with a 13 percent stake, GM with 7.8 percent, Fidelity with 7.7 percent, Andreessen Horowitz with 6.3 percent and Alphabet with 5.3 percent. GM and Alphabet have business units, GM Cruise and Waymo respectively, that are also developing AV technology.
  • Through Lyft’s partnership with AV systems developer and supplier Aptiv, people in Las Vegas have taken more than 35,000 rides in Aptiv autonomous vehicles with a safety driver since January 2018.
  • One of the “risks” the company lists is “a failure to detect a defect in our autonomous vehicles or our bikes or scooters.”

Other quotable notables:

Check out the Pedestrian Traffic Fatalities by State report, and a newly released report from Volvo Car USA and The Harris Poll called The State of Electric Vehicles in America.


Testing and deployments

Again, deployments don’t always mean the latest autonomous vehicle pilot.

On Saturday, Sidewalk Labs hosted its Open Sidewalk event in Toronto. This is part of Sidewalk Toronto, a joint effort by Waterfront Toronto and Alphabet’s Sidewalk Labs to create a “mixed-use, complete community” on Toronto’s Eastern Waterfront.

The idea of this event was to share ideas and prototypes for making outdoor public space the “social default year-round.” One such prototype “hexagonal paving” got our attention because of its use case for traffic control and pedestrian and bicyclist safety. (Pictured below)

These individual precast concrete slabs are movable and permeable, can light up and give off heat. The idea is that these hexagonal-shaped slabs can be used to clear snow and ice in trouble spots and light up to warn drivers and pedestrians of changes to the street use, or to illuminate an area for public uses, or even designate bike lanes and hazard zones. And because they’re permeable they can be used to absorb stormwater or melted snow and guide it to underground stormwater management systems.

Sidewalk Labs tells me that the pavers have “plug and play” holes, which allow things like bike racks, bollards, and sign posts to be inserted. Sidewalk Labs initially built these with wood, and the new prototype is the next iteration, featuring modules built from concrete.


On our radar

There is a lot of transportation-related activity this month.

The Geneva Motor Show: Press days are March 5 and March 6. Expect concept, prototype and production electric vehicles from Audi, Honda, Kia, Peugeot, Pininfarina, Polestar, Spanish car company Hispano Suiza, and Volkswagen.

SXSW in Austin: TechCrunch will be at SXSW this coming week. Here’s where I’ll be.

  • 2 p.m. to 6:30 p.m. March 9 at the Empire Garage for the Smart Mobility Summit, an annual event put on by Wards Intelligence and C3 Group. The Autonocast, the podcast I co-host with Alex Roy and Ed Niedermeyer, will also be on hand.
  • 9:30 a.m. to 10:30 a.m. March 12 at the JW Marriott. The Autonocast and founding general partner of Trucks VC, Reilly Brennan will hold a SXSW podcast panel on automated vehicle terminology and other stuff.
  • 3:30 p.m. over at the Hilton Austin Downtown, I’ll be moderating a panel Re-inventing the Wheel: Own, Rent, Share, Subscribe. Sherrill Kaplan with Zipcar, Amber Quist with Silvercar and Russell Lemmer with Dealerware will join me.
  • TechCrunch is also hosting a SXSW party from 1 pm to 4 pm Sunday, March 10, 615 Red River St., that will feature musical guest Elderbrook. RSVP here.

Self Racing Cars

Finally, I’ve been in contact with Joshua Schachter who puts on the annual Self Racing Car event, which will be held March 23 and March 24 at Thunderhill Raceway near Willows, California.

There is still room for participants to test or demo their autonomous vehicles, drive train innovation, simulation, software, teleoperation, and sensors. Hobbyists are welcome. Sign up to participate or drop them a line at contact@selfracingcars.com.

Thanks for reading. There might be content you like or something you hate. Feel free to reach out to me at kirsten.korosec@techcrunch.com to share those thoughts, opinions or tips. 

See you next time.



Amazon “seized and destroyed” 2 million counterfeit products in 2020

Amazon trailers backed into bays at a distribution center in Miami, Florida, in August 2019.

Amazon “seized and destroyed” over 2 million counterfeit products that sellers sent to Amazon warehouses in 2020 and “blocked more than 10 billion suspected bad listings before they were published in our store,” the company said in its first “Brand Protection Report.”

In 2020, “we seized and destroyed more than 2 million products sent to our fulfillment centers and that we detected as counterfeit before being sent to a customer,” Amazon’s report said. “In cases where counterfeit products are in our fulfillment centers, we separate the inventory and destroy those products so they are not resold elsewhere in the supply chain,” the report also said.

Third-party sellers can also ship products directly to consumers instead of using Amazon’s shipping system. The 2 million fakes found in Amazon fulfillment centers would only account for counterfeit products from sellers using the “Fulfilled by Amazon” service.

The counterfeit problem got worse over the past year. “Throughout the pandemic, we’ve seen increased attempts by bad actors to commit fraud and offer counterfeit products,” Amazon VP Dharmesh Mehta wrote in a blog post yesterday.

Counterfeiting is a longstanding problem on Amazon. Other problems on Amazon that harm consumers include the sale of dangerous products, fake reviews, defective third-party goods, and the passing of bribes from unscrupulous sellers to unscrupulous Amazon employees and contractors. One US appeals court ruled in 2019 that Amazon can be held responsible for defective third-party goods, but Amazon has won other similar cases. Amazon is again arguing that it should not be held liable for a defective third-party product in a case before the Texas Supreme Court that involves a severely injured toddler.

Amazon tries to reassure legit sellers

Amazon’s new report was meant to reassure legitimate sellers that their products won’t be counterfeited. While counterfeits remain a problem for unsuspecting Amazon customers, the e-commerce giant said that “fewer than 0.01 percent of all products sold on Amazon received a counterfeit complaint from customers” in 2020. Of course, people may buy and use counterfeit products without ever realizing they are fake or without reporting it to Amazon, so that percentage may not capture the extent of the problem.

Amazon’s report on counterfeits describes extensive systems and processes to determine which sellers can do business on Amazon. While Amazon has argued in court that it is not liable for what third parties sell on its platform, the company is monitoring sellers in an effort to maintain credibility with buyers and legitimate sellers.

Amazon said it “invested over $700 million and employed more than 10,000 people to protect our store from fraud and abuse” in 2020, adding:

We leverage a combination of advanced machine learning capabilities and expert human investigators to protect our store proactively from bad actors and bad products. We are constantly innovating to stay ahead of bad actors and their attempts to circumvent our controls. In 2020, we prevented over 6 million attempts to create new selling accounts, stopping bad actors before they published a single product for sale, and blocked more than 10 billion suspected bad listings before they were published in our store.

“This is an escalating battle with criminals that attempt to sell counterfeits, and the only way to permanently stop counterfeiters is to hold them accountable through litigation in the court system and through criminal prosecution,” Amazon also said. “In 2020, we established a new Counterfeit Crimes Unit to build and refer cases to law enforcement, undertake independent investigations or joint investigations with brands, and pursue civil litigation against counterfeiters.”

Amazon said it now “report[s] all confirmed counterfeiters to law enforcement agencies in Canada, China, the European Union, UK, and US.” Amazon also urged governments to “increase prosecution of counterfeiters, increase resources for law enforcement fighting counterfeiters, and incarcerate these criminals globally.”

Stricter seller-verification system

Amazon said it had a “new live video and physical address verification” system in place in 2020 in which “Amazon connects one-on-one with prospective sellers through a video chat or in person at an Amazon office to verify sellers’ identities and government-issued documentation.” Amazon said it also “verifies new and existing sellers’ addresses by sending information including a unique code to the seller’s address.”

Most new attempts to register as a seller were apparently fraudulent, as Amazon said that “only 6 percent of attempted new seller account registrations passed our robust verification processes and listed products.” Overall, Amazon “stopped over 6 million attempts to create a selling account before they were able to publish a single listing for sale” in 2020, more than double “the 2.5 million attempts we stopped in 2019,” Amazon said.

The verification process isn’t enough on its own to stop all new fraudulent sellers, so Amazon said it performs “continuous monitoring” of sellers to identify new risks. “If we identify a bad actor, we immediately close their account, withhold funds disbursement, and determine if this new information brings other related accounts into suspicion. We also determine if the case warrants civil or criminal prosecution and report the bad actor to law enforcement,” Amazon said.

Amazon monitors product detail changes for fraud

One problem we wrote about a few months ago involves “bait-and-switch reviews” in which sellers trick Amazon into displaying reviews for unrelated products to get to the top of Amazon’s search results. In one case, a $23 drone with 6,400 reviews achieved a five-star average rating only because it had thousands of reviews for honey. At some point, the product listing had changed from a food item to a tech product, but the reviews for the food product remained. After a purging of the old reviews, that same product page now lists just 348 ratings at a 3.6-star average.

Amazon is trying to prevent recurrences of this problem, saying in its new report that it scans “more than 5 billion attempted changes to product detail pages daily for signs of potential abuse.”

Amazon also provides self-service tools to companies to help them block counterfeits of their products. Amazon’s report said that 18,000 brands have enrolled in “Project Zero,” which “provides brands with unprecedented power by giving them the ability to directly remove listings from our store.” The program also has an optional product serialization feature that lets sellers put unique codes on their products or packaging.

The self-service tool only accounts for a tiny percentage of blocked listings. “For every 1 listing removed by a brand through our self-service counterfeit removal tool, our automated protections removed more than 600 listings through scaled technology and machine learning that proactively addresses potential counterfeits and stops those listings from appearing in our store,” Amazon said.


Hackers who shut down pipeline: We don’t want to cause “problems for society”

Problems with Colonial Pipeline’s distribution system tend to lead to gasoline runs and price increases across the US Southeast and Eastern seaboard. In this September 2016 photo, a man prepared to refuel his vehicle after a Colonial leak in Alabama.

On Friday, Colonial Pipeline took many of its systems offline in the wake of a ransomware attack. With systems offline to contain the threat, the company’s pipeline system is inoperative. The system delivers approximately 45 percent of the East Coast’s petroleum products, including gasoline, diesel fuel, and jet fuel.

Colonial Pipeline issued a statement Sunday saying that the US Department of Energy is leading the US federal government response to the attack. “[L]eading, third-party cybersecurity experts” engaged by Colonial Pipeline itself are also on the case. The company’s four main pipelines are still down, but it has begun restoring service to smaller lateral lines between terminals and delivery points as it determines how to safely restart its systems and restore full functionality.

Colonial Pipeline has not publicly said what was demanded of it or how the demand was made. Meanwhile, the hackers have issued a statement saying that they’re just in it for the money.

Regional emergency declaration

In response to the attacks on Colonial Pipeline, the Biden administration issued a Regional Emergency Declaration 2021-002 this Sunday. The declaration provides a temporary exemption to Parts 390 through 399 of the Federal Motor Carrier Safety Regulations, allowing alternate transportation of petroleum products via tanker truck to relieve shortages related to the attack.

The emergency declaration became effective immediately upon issuance Sunday and remains in effect until June 8 or until the emergency ends, whichever is sooner. Although the move will ease shortages somewhat, oil market analyst Gaurav Sharma told the BBC the exemption wouldn’t be anywhere near enough to replace the pipeline’s missing capacity. “Unless they sort it out by Tuesday, they’re in big trouble,” said Sharma, adding that “the first areas to hit would be Atlanta and Tennessee, then the domino effect goes up to New York.”

Russian gang DarkSide believed responsible for attack

Unnamed US government and private security sources engaged by Colonial have told CNN, The Washington Post, and Bloomberg that the Russian criminal gang DarkSide is likely responsible for the attack. DarkSide typically chooses targets in non-Russian-speaking countries but describes itself as “apolitical” on its dark web site.

Infosec analyst Dmitry Smilyanets tweeted a screenshot of a statement the group made this morning, apparently concerning the Colonial Pipeline attack:

NBC News reports that Russian cybercriminals frequently freelance for the Kremlin—but indications point to a cash grab made by the criminals themselves this time rather than a state-sponsored attack.

Dmitri Alperovitch, a co-founder of infosec company CrowdStrike, claims that direct Russian state involvement hardly matters at this point. “Whether they work for the state or not is increasingly irrelevant, given Russia’s obvious policy of harboring and tolerating cybercrime,” he said.

DarkSide “operates like a business”

This sample threat was posted to DarkSide’s dark web site in 2020, detailing attacks made on a threat management company.

London-based security firm Digital Shadows said in September that DarkSide operates like a business and described its business model as “RaaC”—meaning Ransomware-as-a-Corporation.

In terms of its actual attack methods, DarkSide doesn’t appear to be very different from smaller criminal operators. According to Digital Shadows, the group stands out due to its careful selection of targets, preparation of custom ransomware executables for each target, and quasi-corporate communication throughout the attacks.

DarkSide claims to avoid targets in medical, education, nonprofit, or governmental sectors—and claims that it only attacks “companies that can pay the requested amount” after “carefully analyz[ing] accountancy” and determining a ransom amount based on a company’s net income. Digital Shadows believes these claims largely translate to “we looked you up on ZoomInfo first.”

It seems quite possible that the group didn’t realize how much heat it would bring onto itself with the Colonial Pipeline attack. Although not a government entity itself, Colonial’s operations are crucial enough to national security to have brought down immediate Department of Energy response—which the group certainly noticed and appears to have responded to via this morning’s statement that it would “check each company that our partners want to encrypt” to avoid “social consequences” in the future.


Apple brass discussed disclosing 128-million iPhone hack, then decided not to


In September 2015, Apple managers had a dilemma on their hands: should, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.

The mass hack first came to light when researchers uncovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.

128 million infected.

An email entered into court this week in Epic Games’ lawsuit against Apple shows that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.

“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:

If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).

The dog ate our disclosure

About 10 hours later, Bagwell discussed the logistics of notifying all 128 million affected users, localizing the notifications to each user’s language, and “accurately includ[ing] the names of the apps for each customer.”

Alas, all appearances are that Apple never followed through on its plans. An Apple representative could point to no evidence that such an email was ever sent. Statements the representative sent on background—meaning I’m not permitted to quote them—noted that Apple instead published only this now-deleted post.

The post provides very general information about the malicious app campaign and eventually lists only the top 25 most downloaded apps. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated. “If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”

Ghost of Xcode

The infections were the result of legitimate developers building their apps with a counterfeit copy of Xcode, Apple’s iOS and OS X development tool. The repackaged tool, dubbed XcodeGhost, surreptitiously inserted malicious code alongside each app’s normal functions at build time, so the developer shipped the implant without ever writing it.

Once installed, an infected app made the device report to a command-and-control server with a range of device information, including the name of the infected app, the app-bundle identifier, network information, the device’s “identifierForVendor” value, and the device name, type, and unique identifier.

XcodeGhost billed itself as faster to download in China than the Xcode available from Apple. To run the counterfeit version at all, developers would have had to click through a warning from Gatekeeper, the macOS feature that blocks apps lacking a signature from an identified developer unless the user overrides it.
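The check that would have caught a counterfeit Xcode is the one the affected developers skipped: asking Gatekeeper who signed the bundle, and accepting only Apple. After XcodeGhost, Apple’s guidance was to run `spctl --assess --verbose /Applications/Xcode.app` and trust only a verdict whose source is the Mac App Store or Apple itself. The script below is an added example, not code from Ars or Apple: it parses that command’s output so the logic can be exercised offline, runs the live checks when it is on a Mac, and fails closed on a `source=` it does not recognise. The sample outputs are constructed, and the handling of an `override=` line is an assumption about how spctl reports a disabled policy.

```python
import subprocess
import sys
from typing import Optional, Tuple

# Verdict sources Apple listed as acceptable for a genuine Xcode install
# after XcodeGhost: the Mac App Store, or Apple itself.
TRUSTED_SOURCES = {"Mac App Store", "Apple System", "Apple"}

# Constructed stand-ins for `spctl --assess --verbose` output (not captured
# from real machines), in the two-line shape spctl prints.
SAMPLE_GENUINE = "/Applications/Xcode.app: accepted\nsource=Mac App Store\n"
SAMPLE_UNSIGNED = "/Applications/Xcode.app: rejected\nsource=no usable signature\n"
# A repackaged Xcode re-signed with some third party's Developer ID: Gatekeeper
# alone would say "accepted", which is exactly why the source line matters.
SAMPLE_RESIGNED = "/Applications/Xcode.app: accepted\nsource=Developer ID\n"


def parse_spctl(output: str) -> Tuple[str, Optional[str], bool]:
    """Parse spctl's verdict line ('<path>: accepted|rejected') and its
    'source=' line. The third element is True if an 'override=' line is
    present (assumption: spctl reports policy overrides that way), so the
    caller can fail closed rather than trust a verdict reached with
    Gatekeeper switched off."""
    verdict, source, overridden = "rejected", None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):].strip()
        elif line.startswith("override="):
            overridden = True
    return verdict, source, overridden


def xcode_is_genuine(spctl_output: str) -> bool:
    """Accept only an 'accepted' verdict whose source is Apple or the Mac
    App Store. A plain Gatekeeper 'accepted' is not enough: any identified
    developer's signature clears Gatekeeper, and nobody but Apple signs Xcode."""
    verdict, source, overridden = parse_spctl(spctl_output)
    return verdict == "accepted" and source in TRUSTED_SOURCES and not overridden


def assess_installed_xcode(path: str = "/Applications/Xcode.app") -> dict:
    """Run the real checks on a Mac. spctl writes its verdict to stderr, so
    both streams are captured; codesign --verify exits non-zero if the
    bundle's seal has been tampered with."""
    spctl = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True, check=False,
    )
    codesign = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", path],
        capture_output=True, text=True, check=False,
    )
    output = spctl.stdout + spctl.stderr
    return {
        "spctl_output": output,
        "gatekeeper_ok": xcode_is_genuine(output),
        "seal_intact": codesign.returncode == 0,
    }


if __name__ == "__main__":
    if sys.platform != "darwin":
        print("Live checks need macOS; offline demo only:")
        samples = [("genuine", SAMPLE_GENUINE), ("unsigned", SAMPLE_UNSIGNED),
                   ("re-signed", SAMPLE_RESIGNED)]
        for label, sample in samples:
            print(f"{label:>9}: genuine={xcode_is_genuine(sample)}")
    else:
        result = assess_installed_xcode()
        print(result["spctl_output"].strip())
        ok = result["gatekeeper_ok"] and result["seal_intact"]
        print("genuine Xcode" if ok else "DO NOT USE this Xcode")
```

The re-signed sample is the case worth remembering: a tampered Xcode that someone has re-signed with an ordinary Developer ID certificate shows no Gatekeeper warning at all, so "no warning" is not the same as "from Apple". The allowlist on the source line, not the accepted/rejected verdict, is what distinguishes the two.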

The lack of follow-through is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy a centerpiece of its products. Directly notifying those affected by this lapse would have been the right thing to do. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know that Apple has done the same thing.

Stopping Dr. Jekyll

The email wasn’t the only one that showed Apple brass hashing out security problems. A separate one sent to Apple Fellow Phil Schiller and others in 2013 forwarded a copy of the Ars article headlined “Seemingly benign ‘Jekyll’ app passes Apple review, then becomes ‘evil’.”

The article discussed research from computer scientists who found a way to sneak malicious programs into the App Store without being detected by the mandatory review process that is supposed to flag such apps automatically. Schiller and the email’s other recipients wanted to figure out how to shore up Apple’s protections after discovering that the static analyzer Apple used was not effective against the newly reported method.

“This static analyzer looks at API names rather than true APIs being called, so there’s often the issue of false positives,” Apple senior VP of Internet software and services Eddy Cue wrote. “The Static Analyzer enables us to catch direct accessing of Private APIs, but it completely misses apps using indirect methods of accessing these Private APIs. This is what the authors used in their Jekyll apps.”
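Cue’s distinction between “API names” and the “true APIs being called” is the whole problem with name-based review, and a small model makes it concrete. The Python below is an added example, not code from Ars, Apple or the Jekyll researchers, and it models only one indirect route (a selector name assembled at run time and handed to a public lookup function), not the specific technique the Jekyll paper used. The private-API names, the denylist and the four “apps” are constructed for illustration; an app is reduced to what a static pass over its binary yields, its imported symbols and string literals.

```python
from dataclasses import dataclass
from functools import lru_cache
from typing import FrozenSet, List, Tuple

# Constructed stand-in for Apple's private-API denylist (selector names).
PRIVATE_SELECTORS = frozenset({"canSendSMS", "sendSMSWithText:"})

# Public, perfectly legitimate symbols that resolve a *name* to code at run
# time. An app that imports these can reach any selector or function whose
# name it can produce, without that name ever appearing in the binary.
DYNAMIC_LOOKUP = frozenset({"_NSSelectorFromString", "_NSClassFromString", "_dlsym"})


@dataclass(frozen=True)
class AppBinary:
    """What a static pass over a Mach-O gives you: imported symbols and the
    string literals it carries. Everything else is opaque bytes."""
    name: str
    imports: FrozenSet[str]
    strings: Tuple[str, ...]


def name_based_scan(app: AppBinary) -> List[str]:
    """The check Cue describes: flag a private API only if its name appears
    verbatim among the app's imports or string literals."""
    present = set(app.imports) | set(app.strings)
    return sorted(PRIVATE_SELECTORS & present)


def can_assemble(target: str, pieces: Tuple[str, ...]) -> bool:
    """True if `target` can be written as a concatenation of `pieces`
    (each reusable). This is the attacker's construction run backwards."""
    useful = tuple(p for p in set(pieces) if p and p in target)

    @lru_cache(maxsize=None)
    def from_index(i: int) -> bool:
        if i == len(target):
            return True
        return any(target.startswith(p, i) and from_index(i + len(p)) for p in useful)

    return from_index(0)


def indirection_aware_scan(app: AppBinary) -> Tuple[str, List[str]]:
    """Look past names. Verdicts: 'reject' (a private name is present, or the
    app has run-time lookup and the pieces to build one), 'review' (run-time
    lookup with no assemblable private name: the false-positive bucket, since
    plenty of honest apps call NSSelectorFromString), 'pass'."""
    direct = name_based_scan(app)
    if direct:
        return "reject", direct
    if not (app.imports & DYNAMIC_LOOKUP):
        return "pass", []
    assemblable = sorted(s for s in PRIVATE_SELECTORS if can_assemble(s, app.strings))
    if assemblable:
        return "reject", assemblable
    return "review", sorted(app.imports & DYNAMIC_LOOKUP)


# Constructed sample apps, not real App Store binaries.
BENIGN_APP = AppBinary("notes", frozenset({"_objc_msgSend", "_NSLog"}),
                       ("viewDidLoad", "Untitled note"))
CLUMSY_APP = AppBinary("clumsy", frozenset({"_objc_msgSend"}),
                       ("viewDidLoad", "canSendSMS"))
# Jekyll-style: no private name anywhere in the file, only its fragments,
# glued together at run time and handed to NSSelectorFromString.
JEKYLL_APP = AppBinary("jekyll", frozenset({"_objc_msgSend", "_NSSelectorFromString"}),
                       ("viewDidLoad", "can", "Send", "SMS"))
HONEST_DYNAMIC_APP = AppBinary("plugins", frozenset({"_objc_msgSend", "_NSSelectorFromString"}),
                               ("viewDidLoad", "handleTap:"))


if __name__ == "__main__":
    for app in (BENIGN_APP, CLUMSY_APP, JEKYLL_APP, HONEST_DYNAMIC_APP):
        print(f"{app.name:>8}: name-based={name_based_scan(app)!r:16} "
              f"indirection-aware={indirection_aware_scan(app)}")
```

The name-based scan passes the Jekyll-style app because the string “canSendSMS” never exists in it, only “can”, “Send” and “SMS”. The indirection-aware scan catches that case, but notice what it costs: the honest plugin-style app that merely imports NSSelectorFromString lands in “review”, and an app whose innocent strings happen to be concatenable into a denylisted name would be rejected outright. That trade is the “brute force, and somewhat ineffective” Cue is describing; a scanner that reasons about names cannot see what code the program will choose to call once it is running.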

The email went on to discuss limitations of two other Apple defenses, one known as Privacy Proxy and the other Backdoor Switch.

“We need some help in convincing other teams to implement this functionality for us,” Cue wrote. “Until then, it is more brute force, and somewhat ineffective.”

Lawsuits involving large companies often provide never-before-seen windows into the inner workings of the companies and their executives. Often, as is the case here, those views are at odds with the companies’ talking points. The trial resumes next week.
