Morning Read: Waymo’s Lawsuit against Otto & Uber

Matt B
Feb 25, 2017 · 3 min read

Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.

Today’s Morning Read is Waymo’s post detailing its lawsuit against Otto and Uber, which alleges that Waymo’s LiDAR technology was stolen. You can read the full post here:

Overview

I found this post fascinating, not only because of continuing trouble for Uber (I recently and happily shut down my account), but also because of the digital forensic content inside. Have a look at this excerpt:

We found that six weeks before his resignation this former employee, Anthony Levandowski, downloaded over 14,000 highly confidential and proprietary design files for Waymo’s various hardware systems, including designs of Waymo’s LiDAR and circuit board. To gain access to Waymo’s design server, Mr. Levandowski searched for and installed specialized software onto his company-issued laptop. Once inside, he downloaded 9.7 GB of Waymo’s highly confidential files and trade secrets, including blueprints, design files and testing documentation. Then he connected an external drive to the laptop. Mr. Levandowski then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.

Beyond Mr. Levandowski’s actions, we discovered that other former Waymo employees, now at Otto and Uber, downloaded additional highly confidential information pertaining to our custom-built LiDAR including supplier lists, manufacturing details and statements of work with highly technical information.

We believe these actions were part of a concerted plan to steal Waymo’s trade secrets and intellectual property. Months before the mass download of files, Mr. Levandowski told colleagues that he had plans to “replicate” Waymo’s technology at a competitor.

Highlights

  • “…then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.” ← That’s right. Wiping the laptop did not make the evidence go away; evidence of the actions was still discovered, presumably from sources other than that disk. This is always a huge win for DFIR.
  • “Once inside, he downloaded 9.7 GB…” ← That is a fairly precise figure, most likely derived from byte-transfer logs (server, proxy, or network) or from knowing exactly which files were taken and summing their sizes. Couple this with “…over 14,000 highly confidential and proprietary…” and the numbers are damning.
  • “…searched for and installed specialized software onto his company-issued laptop.” ← I can only imagine the various evidence sources that were correlated to establish this. Even if nothing was recovered from the hard drive, there is still a good chance that proxy logs, traffic captures, and other network artifacts record both the search and the download of the installer.
  • “Months before the mass download of files, Mr. Levandowski told colleagues that he had plans to ‘replicate’ Waymo’s technology at a competitor.” ← Given the quoted use of “replicate”, I wonder if the response team discovered chat or other recorded communications supporting this allegation.
  • “…former Waymo employees, now at Otto and Uber, downloaded additional highly confidential information…including supplier lists, manufacturing details and statements of work with highly technical information.” ← Great use of indicators, context, and suspicions to expand the scope of an investigation beyond the first subject.
  • One final highlight from this: Don’t fucking lecture people that the “insider threat is gone” and APTs are the only threat actors out there.
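The two numbers above (a byte total plus a distinct-file count against one server, and the search-then-install sequence that preceded it) are exactly the kind of thing a proxy log can yield. Below is an added example, not code from the original post or from Waymo, that triages a handful of constructed proxy-log lines in a simplified “timestamp user method url status bytes” layout. The hostnames, usernames, paths, and the idea that installers are recognisable by file extension are all assumptions made for illustration; a real proxy format needs its own parser, and “specialized software” would have to be identified from the actual download, not from a suffix.

```python
"""
Added example (not from the original post or from Waymo): triage of constructed
proxy-log lines to produce a per-user byte total and distinct-file count against
a design server, the user's web searches and installer downloads, and a
chronological, artifact-only timeline. Every host, user and path below is made up.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in a simplified "timestamp user method url status bytes" layout.
SAMPLE_LOG = """\
2016-12-03T09:12:01 jdoe GET https://www.example-search.test/search?q=vcs+client+installer 200 5120
2016-12-03T09:14:37 jdoe GET https://downloads.example-vendor.test/vcs-client-setup.exe 200 18350080
2016-12-03T10:02:11 jdoe GET https://design-server.corp.test/repo/lidar/board_rev3.brd 200 2097152
2016-12-03T10:02:12 jdoe GET https://design-server.corp.test/repo/lidar/board_rev3.sch 200 1048576
2016-12-03T10:02:13 jdoe GET https://design-server.corp.test/repo/lidar/board_rev3.sch 304 0
2016-12-03T10:05:44 jdoe GET https://design-server.corp.test/repo/lidar/test_plan.pdf 200 4194304
2016-12-03T10:07:00 asmith GET https://design-server.corp.test/repo/lidar/test_plan.pdf 200 4194304
2016-12-03T11:30:19 jdoe GET https://www.example-news.test/ 200 40960
"""

DESIGN_SERVER = "design-server.corp.test"                  # assumed hostname of the sensitive server
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".deb")   # assumed: what we treat as "installed software"
SEARCH_HOSTS = {"www.example-search.test"}                 # assumed search-engine host(s)


def parse_log(text):
    """Split each constructed log line into a dict, sorted by time. Real formats need a real parser."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, status, nbytes = line.split()
        parts = urlsplit(url)
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "method": method, "url": url,
            "host": parts.hostname, "path": parts.path, "query": parts.query,
            "status": int(status), "bytes": int(nbytes),
        })
    return sorted(rows, key=lambda r: r["ts"])


def design_server_totals(rows, server=DESIGN_SERVER):
    """Per user: bytes transferred from, and distinct files fetched on, the design server.
    Only 2xx responses count; a 304 (not modified) moved no file content."""
    totals = defaultdict(lambda: {"bytes": 0, "files": set()})
    for r in rows:
        if r["host"] == server and 200 <= r["status"] < 300:
            totals[r["user"]]["bytes"] += r["bytes"]
            totals[r["user"]]["files"].add(r["path"])
    return {u: {"bytes": v["bytes"], "files": len(v["files"])} for u, v in totals.items()}


def search_queries(rows, user, hosts=SEARCH_HOSTS):
    """(timestamp, query) for a user's web searches, decoded from the q= parameter."""
    out = []
    for r in rows:
        if r["user"] == user and r["host"] in hosts:
            q = parse_qs(r["query"]).get("q")
            if q:
                out.append((r["ts"], q[0]))
    return out


def installer_downloads(rows, user, exts=INSTALLER_EXT):
    """(timestamp, url) for successful downloads whose path looks like an installer."""
    return [(r["ts"], r["url"]) for r in rows
            if r["user"] == user and r["status"] == 200
            and r["path"].lower().endswith(exts)]


def timeline(rows, user):
    """Chronological, artifact-only entries for one user: what the logs show, no conclusions."""
    events = []
    for ts, q in search_queries(rows, user):
        events.append((ts, f"searched for '{q}'"))
    for ts, url in installer_downloads(rows, user):
        events.append((ts, f"downloaded installer {url}"))
    for r in rows:
        if r["user"] == user and r["host"] == DESIGN_SERVER and r["status"] == 200:
            events.append((r["ts"], f"fetched {r['path']} ({r['bytes']} bytes) from {DESIGN_SERVER}"))
    return [f"{ts.isoformat()} {what}" for ts, what in sorted(events)]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(design_server_totals(rows))
    for entry in timeline(rows, "jdoe"):
        print(entry)
```

Two details matter when you lean on numbers like these in a report: count only responses that actually moved content (the 304 above contributes nothing), and count distinct paths rather than requests, otherwise a retried download inflates the “files taken” figure. The `timeline()` output deliberately states only what each log line shows; the inference that the files then went to an external drive belongs in a separate conclusions paragraph, the way Waymo’s excerpt handles it.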

Suggestions for Analysts

One of my top suggestions for analysts, given this post as a reference, is to think about how you are writing your reports. Notice the flow of the first paragraph in the excerpt above:

At a particular time, we identified that ABC happened. Then DEF. Then GHI. Then JKL. And so on.

For the most part, the paragraph provides evidence. If you read it again, it is never stated that the user copied files to the external drive. That is simply implied by the sequence of actions and the context at the time. Only in the last paragraph of the excerpt does the company state what it believes the insider’s actions and intentions were. (I’m not entirely happy with the line “To gain access to Waymo’s design server..”, since it asserts intent rather than an artifact, but this may have been truncated for a public post.)

Oftentimes, when I am reviewing reports or helping analysts write, I have to read something that is highly opinionated or makes too many assumptions about the reader or the attacker. Or it interweaves opinions in such a way that the artifacts are never given the chance to stand on their own. My recommendation is to write reports that present the artifacts, in order, and use them to tell the narrative of the incident, keeping conclusions and attributions in their own clearly marked section. Then let the artifacts do their job.


Until tomorrow.

Matt B
