Is this shaping up to be the summer of the insider threat? It came to light this week - the second story involving the insider threat to make headlines this month - that authorities in California recently arrested a former Apple employee accused of stealing confidential data from the company’s secret, self-driving car project.
The FBI arrested the suspect, Xiaolang Zhang, on July 7 at San Jose Airport before he could board a last-minute flight to Beijing, China, according to a criminal complaint filed Monday in the United States District Court for the Northern District of California.
Zhang is accused of stealing a slew of technical files, including engineering schematics, reference manuals, and a 25-page .PDF document containing electrical schematics for a circuit board that contains Apple's proprietary infrastructure technology for the self-driving car project.
Apple did not return a request for comment on Thursday but told the BBC on Wednesday that it was "working with authorities on this matter and will do everything possible to make sure this individual and any other individuals involved are held accountable for their actions."
It's the second case in the last month involving the theft of proprietary vehicle data. Last month Tesla filed a lawsuit against one of its former employees after discovering he not only stole data on its cars' operating systems but modified source code.
According to the court filing Zhang has worked for Apple's autonomous vehicles project since 2015 but recently shifted to the Compute Team, a department in which he helped design and test circuit boards to analyze sensor data, a role that granted him "broad access to secure and confidential internal databases containing trade secrets and intellectual property."
Apple CEO Tim Cook has been fairly mum on the company's self-driving car division. He acknowledged in June 2017 the company was working on the technology but has divulged little else about the project. According to the California Department of Motor Vehicles (DMV) Apple has state permits to operate 55 autonomous cars in the state.
Zhang, who was working for the project under Apple's Research and Development organization, was one of 2,700 "core employees" with access to the project's technical databases, according to reports.
Per the complaint, Zhang took paternity leave following the birth of his child in April and traveled to China. Zhang made it clear during an interview with his supervisor at Apple upon his return that he was planning to take a position with Xiaopeng Motors, a/k/a XPENG Motors, a smartcar startup based in China. Xpeng, which raised roughly $348 million thanks to a round of funding led by Alibaba, Foxconn, and IDG Capital earlier this year, has offices in Palo Alto, Calif. but is based in Guangzhou, China.
This, understandably so, raised a red flag for officials at Apple, who at the end of the interview escorted Zhang off the company’s Cupertino campus and seized three of his devices: two iPhones and a laptop.
Zhang, in his defense, reportedly told his supervisor he was planning on moving back to China in order to assist his mother, who he claimed was in poor health.
Given Zhang’s caginess around the whole situation, Apple's database security team reviewed Zhang's network activity and found that in the days leading up to his resignation he had carried out a series of bulk searches and downloading of data, including trade secret IP. Some files included information on prototypes and prototype requirements, like data on power levels, low voltage requirements, battery information, drivetrain suspension mounts, and so on.
If this wasn't concerning enough, Zhang is also being accused of airdropping data he purportedly took from Apple onto his wife's laptop. When Apple reviewed the machine they discovered a folder named "RECENT" that contained 40GB of data, although it's unclear exactly how much of it contained Apple IP. Zhang initially denied exfiltrating data to his wife's laptop but later told FBI agents that since he needed to turn in his Apple-owned laptop he transferred the files for access in the future. Upon review 60 percent of the data on the machine was deemed "highly problematic" by Apple's Digital Forensic Investigations team.
Zhang ultimately admitted a handful of his wrongdoings, including the physical theft of two circuit boards and a Linux server from Apple's hardware lab while on paternity leave. He claimed his actions were on account of him wanting to learn more about the data on his own time.
It's not like Apple didn't go to great lengths to protect its data. The company requires employees to log in to a VPN, be granted "disclosure" status to know about projects, and then on top of that, attain "core employee" status to access project data. Zhang signed an Intellectual Property Agreement with Apple acknowledging the importance of IP and even took a course that described the sensitivity of confidential material.
While it’s helpful that Apple was able to review Zhang’s network history, it’s curious the company wasn’t able to get an earlier jump on Zhang’s malfeasance. Apple's database security team didn't realize until it sat down with Zhang on April 30 that he may have had a reason to steal company data.
In actuality, Zhang downloaded the sensitive data in the days prior, April 28 and 29, then transferred it to his wife's laptop. Apple clearly had a way to monitor the downloading of data by employees but appears to have lacked the controls and policies needed to keep that data from leaving its systems. Apple also failed to detect Zhang's risky behavior, characteristic of some users preparing to leave a company.
Having enterprise data loss prevention and a data-centric security strategy in place could have mitigated this incident.
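The gap described above, bulk downloads on April 28 and 29 that were only reviewed after the April 30 interview, is the kind of pattern a per-user baseline check can raise on the day it happens. The sketch below is an added example, not Apple's tooling or anything from the complaint; the log records, user names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (month-day, user, files downloaded that day), as daily
# totals from a hypothetical document-repository access log.
SAMPLE_LOG = (
    [(f"04-{d:02d}", "engineer_a", n) for d, n in
     zip(range(16, 28), [14, 9, 11, 17, 8, 0, 0, 12, 15, 10, 13, 9])]
    + [("04-28", "engineer_a", 920), ("04-29", "engineer_a", 1460)]
    + [(f"04-{d:02d}", "engineer_b", n) for d, n in
       zip(range(16, 30), [40, 55, 38, 61, 47, 0, 0, 52, 44, 95, 58, 41, 0, 0])]
)


def flag_bulk_download_days(records, min_history=5, factor=10, floor=100):
    """Flag days where a user's download count far exceeds their own baseline.

    A day is flagged when the count is at least `floor` files AND more than
    `factor` times the median of that user's previous unflagged days.
    Returns a list of (date, user, count, baseline) tuples in date order.
    """
    history = defaultdict(list)  # user -> counts from earlier, unflagged days
    alerts = []
    for date, user, count in sorted(records):
        prior = history[user]
        if len(prior) >= min_history:
            baseline = median(prior)
            # max(..., 1) keeps a zero baseline from making the ratio useless
            if count >= floor and count > factor * max(baseline, 1):
                alerts.append((date, user, count, baseline))
                continue  # keep the spike out of the baseline so day two still fires
        prior.append(count)
    return alerts


if __name__ == "__main__":
    for date, user, count, baseline in flag_bulk_download_days(SAMPLE_LOG):
        print(f"{date} {user}: {count} files vs. median {baseline}")
```

Comparing each user against their own history matters here: engineer_b routinely pulls more files than engineer_a and has a 95-file day, but stays within a normal multiple of their baseline and is not flagged.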