The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Insiders, Data Theft A Threat To Self-Driving Car Tech

by Chris Brook on Thursday April 4, 2019

Contact Us
Free Demo
Chat

Like many companies developing self-driving car technology, Tesla and its embattled CEO Elon Musk continue to fight data theft within its ranks.

The company recently filed lawsuits against a handful of former employees alleging they stole sensitive data, in one case, source code for its proprietary Autopilot technology, and in another, data that's critical to the company's warehousing, logistics and inventory control operations.

In one of the lawsuits, Tesla alleges that Guangzhi Cao, a former staff computer vision scientist at the company's Palo Alto location, copied more than 300,000 files relating to Autopilot's source code prior to leaving the company for a competitor a few months ago. Cao abruptly left Tesla and joined Xiaopeng Motors, a/k/a XMotors, a Chinese intelligent electric vehicle startup, in January.

While 200 people work full time on Autopilot - a driver assistance system that permits drivers to take their hands off the wheel but doesn't technically make the vehicle autonomous - Cao was one of only 40 employees to have access to the neural network's source code.

According to the lawsuit, in November, before Cao left Tesla, he created .zip files of all of Autopilot’s related source code repositories – including firmware, Autopilot, and neural net source code repositories -  and uploaded complete copies of the Autopilot source code to his personal iCloud account.

The highly guarded technology aids in Tesla's self-driving functionality by parsing camera and radar data. While the project's neural net source code doesn't technically run on Tesla's vehicles, it does help train the neural net, something which processes data from Tesla's onboard cameras to make decisions, using a dataset via machine learning.

Cao reportedly received a written employment offer from XMotors following an unspecified trip to China in early December and subsequently went on to delete over 120,000 files from his machine. He also disconnected his iCloud account from his company machine.

Tesla, pointing out that its spent hundreds of millions of dollars and more than five years developing the technology, is understandably upset and keen on learning what Cao has done with its intellectual property.

“Taken together, the Autopilot Trade Secrets would give a competitor an enormous advantage in attempting to replicate Tesla's current self-driving technology, and in anticipating future developments," Tesla said in the complaint from March 21.

Xiaopeng, for what it’s worth, said it wasn’t aware of the charges against Cao but told Reuters after the lawsuit was filed that the company “fully respects any third-party’s intellectual property rights and confidential information” and that “the company has been complying and will comply [with] all applicable laws and regulations.”

It's believed XMotors has its own Autopilot-esque feature, X-Pilot; the lawsuit also alleges the project employs at least five former Tesla employees, including Cao.

The case echoes one from last year in which Tesla sued another ex-employee, Martin Tripp, after he purportedly made changes to the company's source code and exported gigabytes of proprietary data to third parties. That story, it's worth noting, has been complicated by reports that Tripp was contracted by Sean Gouthro, a security manager at Tesla's Gigafactory battery manufacturer, to be an official whistleblower.

The same day it filed a lawsuit against Cao, the company also filed a lawsuit against Zoox, a self-driving startup based in California.

In the suit, Tesla claims that former Tesla - now current Zoox employees - misappropriated trade secrets, namely receiving and inventory procedures, internal schematics and line drawings of warehouse, and documents relating to Tesla's HR policies. Other information stolen included confidential parts pricing information, information relating to the tracking and monitoring of parts inventory, and analyses of both.

Zoox, famous for being the first company to gain approval in California to provide self-driving transport services for the public, did not return a request for comment on Wednesday

It’s not as if Tesla didn’t take steps to protect its confidential data. The company uses non-disclosure agreements requiring employees to safeguard the company's sensitive data, has security guards and cameras in place at its physical facilities, and uses password and firewall-protected networks and servers.

As we've seen, time and time again, an employee's word is only worth so much.

In the Zoox lawsuit, Tesla says it forbids its employees from sending confidential information to third parties and to their own personal email addresses. It seems this policy was only enforced by a written reminder that employees signed.

It appears, judging by the court document, there was no solution in place to stop the exfiltration of sensitive data – something that should have prevented the removal and emailing of confidential documents in the first place.

In the Cao complaint, Tesla says it prohibits employees from storing confidential data on unsecured systems like iCloud, Google Drive, or DropBox but again, it doesn't appear the company had the ability to block Cao from moving the data. Similarly, the lawsuit says the company was able to determine that Cao backed up repositories for the firmware, Autopilot, and neural net source code repositories but interestingly wasn't able to stop him from doing so.

When it comes to stealing proprietary information and trade secrets, it’s been open season on companies developing autonomous technology as of late.

On two separate occasions in the last year, Apple has accused ex-employees of stealing data on Project Titan, its self-driving car division. Both suspects were Chinese nationals who were planning on taking positions at a Chinese self-driving car company - one of them, Xiaolang Zhang, had been linked to Xiaopeng Motors in particular.

As competition around self-driving vehicles heats up, it’s likely we’ll continue to hear a lot more data theft stories like Tesla’s, at least until companies find a better way to protect data from leaving their premises.

Tesla image via Paul Hudson's Flickr photostream, Creative Commons

Tags: Data Theft, Insider Threat, IP theft

RECOMMENDED RESOURCES


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Find out why Digital Guardian has been named a “Leader” for 5 years in a row
  • Gartner’s yearly analysis of DLP vendors
  • DLP use cases and technology requirements

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.