Author

Paul McLellan

January 2023 Update: Automotive Security, Chiplets...and Roman Emperors!

27 Jan 2023 • 8 minute read

Wow, it's already the last Friday in January, so time for one of my monthly update posts where I cover anything that doesn't justify its own full post or which is an update to something I wrote about earlier.

Automotive Security

I have written about automotive security quite a bit. Here are a few posts:

  • IEEE Computer Society: Automotive Cybersecurity
  • Automotive Security: A Hacker's Eye View
  • Have You Heard of ISO 21434? You Will

Firstly, don't confuse automotive security with automotive safety, things like functional safety (FuSa) and ISO 26262. You need security to have safety. But security is its own thing. In a modern connected car, there are two places for security vulnerabilities. One is in the car itself. And the other is back at base in the automotive manufacturer's (OEM in the jargon) datacenters, which the cars are connected to. Well, it turns out automotive manufacturers are not very good at security in either place. The title of this blog post by Sam Curry pretty much says it all: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More. I think they chose those brands to put in the title because it makes for a more dramatic title than using Kia and Acura. But lots of mainstream brands are on the list too.

He opens with an anecdote of why they decided to pentest automotive security:

While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered across the campus and couldn't resist poking at the scooter's mobile app. To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight.

That sort of thing is like a red rag to a security researcher bull:

[We] became super interested in trying to more ways to make more things honk. We brainstormed for a while, and then realized that nearly every automobile manufactured in the last 5 years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely. At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.

Most of the rest of the piece is a detailed description of the security vulnerabilities they found. The ones listed in the blog post title are not even the most severe, and lots of more mainstream manufacturers than Ferrari and Rolls Royce were vulnerable. To give you an idea of how serious these issues are, here's just one of the entries in the post:

  • Kia, Honda, Infiniti, Nissan, Acura
    • Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
    • Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
    • Ability to lock users out of remotely managing their vehicle, change ownership
    • For Kia specifically, we could remotely access the 360-view camera and view live images from the car

The VIN is the "vehicle identification number." At least here in the US, it is usually (always?) on a little embossed plate just behind the windscreen, visible to anyone from outside the vehicle.

Also, the airline industry is just as bad. I won't go into the details, but the title of this post says it all: how to completely own an airline in 3 easy steps and grab the TSA nofly list along the way. By the way, the mainstream press has been reporting that the nofly list was kept in an Excel .csv file. I think it is much more likely that the nofly list is kept in a database that was not breached, but for some reason, someone dumped the list into a csv file to do some analysis in Excel, and it was that file that was compromised.

AMD's 146B Transistor Processor

At CES, the evening-before-the-first-day keynote was by Lisa Su, CEO of AMD. I wrote it up in my post CES 2023: AMD, Stellantis, Cadence, and More. One of the products she announced, and held up the chip, was the AMD Instinct MI300 Data Center APU. 

Paul Alcorn of Tom's Hardware got some time with AMD and managed to take some (not entirely successful) photos of it. Here's a succinct description of the design:

Make no mistake, the Instinct MI300 is a game-changing design - the data center APU blends a total of 13 chiplets, many of them 3D-stacked, to create a chip with twenty-four Zen 4 CPU cores fused with a CDNA 3 graphics engine and 8 stacks of HBM3. Overall the chip weighs in with 146 billion transistors, making it the largest chip AMD has pressed into production.

There's lots more in the article. See AMD Instinct MI300 Data Center APU Pictured Up Close: 13 Chiplets, 146 Billion Transistors.

It's not quite up to Ponte Vecchio's level, with 47 chiplets, but that is only (!) 100 billion transistors. 3D heterogeneous integration is clearly the way of the future. See any number of previous posts.

While on the subject of chiplets, this week was the Chiplet Summit in San Jose. I went along, and I will write up some posts on the topic in February.

Robots

I dropped Boston Dynamics' latest video into my preview of DesignCon since it is giving one of the keynotes. A day later it came out with a new video:

Perhaps more interesting to us engineers is the second video about how they made this one.

Energy

As you know, I'm very critical of journalists in how they cover many things, especially energy. My pet peeve is when articles confuse kW (a flow) and kWh (a quantity). My most recent rant on the topic was in my post Moss Landing. Journalists writing on economic topics often make the same mistake when they confuse income (a flow) and wealth (a quantity). If you have a lot of wealth, you are rich. If you have a lot of income, you can become rich.

If you read the mainstream press, you might assume that we are not far from a net-zero world and will have no problem in getting there by 2050. I don't believe it, and you can read more details about why in my post Earth Day: What Will It Take to Get to Carbon Neutrality by 2050?

OurWorldInData recently published a graph showing the trends from 1960 to the present day, and it is quite sobering. See How have the world’s energy sources changed over the last two centuries? If you go to that website, the graph is actually interactive. Below is just a download of the entire graph as a single image. Western countries may be shutting down coal-fired power stations (although Germany is reopening coal mines since it is desperate for energy) but China and India are not. In fact, it is probably still the case that your electric car is being charged by fossil-fuel-generated electricity. Yes, your Tesla runs on coal.

But no matter where the energy comes from, using less of it is good. For a start, it saves money for the user, especially important if the user is you. If we are talking about electronics, Cadence is at the forefront of tools to analyze and optimize energy and power (which is just energy over time).

The Bathtub Curve for Roman Emperors

Do you know what a bathtub curve is? If not, then read my post, Automotive Reliability: The Bathtub Curve. But it applies to many things. New products often have some problems with how they were put together. Then the product is fine for years. Then things start to wear out. This applies to lots of products such as cars or electronics at both the level of things like smartphones but also at the level of individual transistors (yes, transistors wear out). And even human beings.

It applies to Roman emperors too. It turns out 62% of Roman emperors suffered a violent death...and it follows a bathtub curve.

Here's a paper on Statistical reliability analysis for a most dangerous occupation: Roman emperor.

Popular culture associates the lives of Roman emperors with luxury, cruelty, and debauchery, sometimes rightfully so. One missing attribute in this list is, surprisingly, that this mighty office was most dangerous for its holder. Of the 69 rulers of the unified Roman Empire, from Augustus (d. 14 CE) to Theodosius (d. 395 CE), 62% suffered violent death
...
This work adopts the statistical tools of survival data analysis to an unlikely population, Roman emperors, and it examines a particular event in their rule, not unlike the focus of reliability engineering, but instead of their time-to-failure, their time-to-violent-death.
...
Nonparametric and parametric results show that: (i) emperors faced a significantly high risk of violent death in the first year of their rule, which is reminiscent of infant mortality in reliability engineering; (ii) their risk of violent death further increased after 12 years, which is reminiscent of wear-out period in reliability engineering; (iii) their failure rate displayed a bathtub-like curve, similar to that of a host of mechanical engineering items and electronic components.

 
