Racing to Win with the IT Privacy and Security Weekly Update for July 6th., 2021


We start on this week as a dot on a race track and end as a dot on the horizon as we go from privacy to no privacy at all, but … we think you will forgive us.

In between the start and finish lines are the hairpin turns of the Tokyo Olympics, an underwater primer on Submarine cabling, a vault skyward with British Airways, a VR story that needs a restart, a bit of ransomware and enough car stories to satisfy any gearhead.

We say, "Drivers start your engines, get set and let’s “go” for the best IT Privacy and Security weekly update …ever!!! "

Global: Echo Dots Store a Wealth of Data—Even After You Reset Them

Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn’t. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners’ Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was relatively easy.

The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory.

“An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks),” the researchers wrote in a research paper. “We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset.”

Used Echo Dots and other Amazon devices can come in a variety of states. One state is the device remains provisioned, as the 61 percent of purchased Echo Dots were. The devices can be reset while they are connected to the previous owner’s Wi-Fi network, reset while disconnected from Wi-Fi, either with or without deleting the device from the owner’s Alexa app.

So what’s the upshot for you? They summarized the results this way: If a device has not been reset (as in 61 percent of the cases), then it’s pretty simple: You remove the rubber on the bottom, remove four screws, remove the body, unscrew the PCB, remove a shielding and attach your needles. You can dump the device then in less than 5 minutes with a standard eMMC/SD Card reader. After you got everything, you reassemble the device (technically, you don’t need to reassemble it as it will work as is), and you create your own fake Wi-Fi access point. And you can chat with Alexa directly after that.
Download Autopsy for free at Autopsy is the premier end-to-end open-source digital forensics platform. Built with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs. is a tool for figuring out where a network is located.
The threats demonstrated in the research most likely apply to Fire TV, Fire Tablets, and other Amazon devices, though the researchers didn’t test them. The results are also likely to apply to many other NAND-based devices that don’t encrypt user data, including the Google Home Mini.
Amazon is working on ways to better secure the data on the devices it manufactures. Until then, truly paranoid users who have no further use for their devices have little option than to physically destroy the NAND chip inside. For the rest, it’s important to perform a factory reset while the device is connected to the Wi-Fi access point where it was provisioned.
Resets don’t always work as expected, in part because it’s hard to differentiate between a Wi-Fi password reset (pressing reset for 15 seconds) and a factory reset (pressing reset for at least 25 seconds). A researcher suggested that owners verify that the device was reset. For Echos, users can do this by power-cycling the device and seeing if it connects to the Internet or enters setup mode. Owners should also double-check that the device no longer appears in the Alexa app.

JP: Watch for Cybersecurity Games at the Tokyo Olympics

The cybersecurity professionals guarding the Summer Olympics are facing at least as much competition as the athletes, and their failure could have steeper ramifications.

It was a close call, but the 2018 Pyeongchang Winter Olympics almost ended before it started. A harmful cyberattack threatened to cause severe disruptions to the opening ceremony and the subsequent sporting events. Fortunately, a sleepless night at the Olympics’ technology operations center allowed for a speedy and efficient incident response process.

Three years later, the threat landscape has changed, and the Tokyo Olympics is no safer than its predecessor. In fact, the heavy reliance on technology means these Olympics might be the most vulnerable Games yet. Not only is the upcoming Olympics’ use of technology set to be the most innovative yet, but COVID-related audience restrictions mean spectators must keep up with events electronically. Now that there are events to keep up with, it’s not only the athletes who are preparing to show off their skills.

So what’s the upshot for you? The postponement of the Tokyo Games to 2021 gave the athletes — and the Olympics cybersecurity teams — an extra year of training. Moreover, increased attacks during the COVID-19 pandemic should have reinforced the importance of advanced cybersecurity efforts. In just a few weeks, the world will watch as athletes compete for gold. Those in the cybersecurity world will be watching for any signs of a possible attack. You have your thrills; we have ours.

Global: Ever wonder how the world connects over the Internet?

Submarine Cable 101
How many cables are there? As of early 2021, there are approximately 426 submarine cables in service around the world.

The total number of cables is constantly changing as new cables enter service and older cables are decommissioned.

How do cables work? Modern submarine cables use fiber-optic technology. Lasers on one end fire at extremely rapid rates down thin glass fibers to receptors at the other end of the cable. These glass fibers are wrapped in layers of plastic (and sometimes steel wire) for protection.

How thick are undersea cables? For most of its journey across the ocean, a cable is typically as wide as a garden hose. The filaments that carry light signals are extremely thin — roughly the diameter of a human hair.

These fibers are sheathed in a few layers of insulation and protection. Cables laid nearer to shore use extra layers of armoring for enhanced protection.

Do the cables actually lie on the bottom of the ocean floor? Yes, cables go all the way down. Nearer to the shore cables are buried under the seabed for protection, which explains why you don’t see cables when you go to the beach, but in the deep sea, they are laid directly on the ocean floor.

Of course, considerable care is taken to ensure cables follow the safest path to avoid fault zones, fishing zones, anchoring areas, and other dangers. To reduce inadvertent damage, the undersea cable industry also spends a lot of time educating other marine industries on the location of cables.

How many kilometers of cable are there? As of 2021, we believe there are over 1.3 million kilometers of submarine cables in service globally.

Some cables are quite short, like the 131-kilometer CeltixConnect cable between Ireland the United Kingdom. In contrast, others are incredibly long, such as the 20,000 kilometer Asia America Gateway cable.

Countries must have multiple cables to ensure reliable connectivity in case there is damage to a cable. If we use South Africa as an example, two cables connect on the west coast, while three extend from the east coast.

Why are there many cables between some continents but no cables between Australia and South America, for instance? To answer this, we’ll start with quote from Henry David Thoreau:

“Our inventions are wont to be pretty toys, which distract our attention from serious things. They are but improved means to an unimproved end, We are in great haste to construct a magnetic telegraph from Maine to Texas; but Maine and Texas, it may be, have nothing important to communicate.”

Undersea cables are built between locations that have something “important to communicate.”

Europe, Asia, and Latin America all have large amounts of data to send and receive from North America. This includes internet backbone operators ensuring that emails and phone calls are connected and content providers who need to link their massive data centers to each other. This explains why you see so many cables along these major routes.

Conversely, there’s just not much data that needs to go between Australia and South America directly. If that situation were to change, you can be sure someone would build a new cable in the South Pacific.

Who owns these cables? Cables were traditionally owned by telecom carriers who would form a consortium of all parties interested in using the cable. In the late 1990s, an influx of entrepreneurial companies built lots of private cables and sold off the capacity to users.

Both the consortium and private cable models still exist today, but one of the biggest changes in the past few years is the type of companies involved in building cables.

Content providers such as Google, Facebook, Microsoft, and Amazon are major investors in new cable. The amount of capacity deployed by private network operators – like these content providers – has outpaced internet backbone operators in recent years. Faced with the prospect of ongoing massive bandwidth growth, owning new submarine cables makes sense for these companies.

Who uses these cables? You do! This page is hosted on a server in North America. If you are viewing on it on another continent, your upstream internet provider almost certainly used a submarine cable to reach the server.

Users of submarine cable capacity include a wide range of types. Telecom carriers, mobile operators, multinational corporations, governments, content providers, and research institutions all rely on submarine cables to send data around the world. Ultimately, anyone accessing the internet, regardless of the device they are using, has the potential to use submarine cables.

How much information can a cable carry? Cable capacities vary a lot. Typically, newer cables are capable of carrying more data than cables laid 15 years ago. The new MAREA cable is capable of carrying 224 Tbps.

There are two principal ways of measuring a cable’s capacity.

Potential capacity is the total amount of capacity that would be possible if the cable’s owner installed all available equipment at the ends of the cable. This is the metric most cited in the press.

Lit capacity is the amount of capacity that is actually running over a cable. This figure simply provides another capacity metric. Cable owners rarely purchase and install the transmission equipment to fully realize a cable’s potential from day one. Because this equipment is expensive, owners instead prefer to upgrade their cable gradually, as customer demand dictates.

Why don’t companies use satellites instead? Satellites are great for certain applications. Satellites do a wonderful job of reaching areas that aren’t yet wired with fiber. They are also useful for distributing content from one source to multiple locations.

However, on a bit-for-bit basis, there’s just no beating fiber-optic cables. Cables can carry far more data at far less cost than satellites.

It’s hard to know exactly how much of all international traffic is still carried via satellite, but it’s very small. Statistics released by U.S. Federal Communications Commission indicate that satellites account for just 0.37% of all U.S. international capacity.

OK, but what about my mobile device. Isn’t that wireless? When using your mobile phone, the signal is only carried wirelessly from your phone to the nearest cell tower. From there, the data will be carried over terrestrial and subsea fiber-optic cables.

I saw Facebook is launching their own satellites and Google has internet drones now. Are cables really the future? Both of these companies are investing in these projects primarily as a way to bring internet access to less developed parts of the world where there is little or no access to the global internet. They are not looking to use satellites or drones as a way to offset their usage of submarine cables at this time.

Both Facebook and Google are continuing to build new submarine cables, such as the Havfrue cable in which they are both investors.

Don’t these cables ever break? Yes! Cable faults are common. On average, there are over 100 each year.

You rarely hear about these cable faults because most companies that use cables follow a “safety in numbers” approach to usage, spreading their networks’ capacity over multiple cables so that if one breaks, their network will run smoothly over other cables while service is restored on the damaged one.

Accidents like fishing vessels and ships dragging anchors account for two-thirds of all cable faults. Environmental factors like earthquakes also contribute to damage. Less commonly, underwater components can fail. Deliberate sabotage and shark bites are exceedingly rare.

I’ve heard that sharks are known for biting cables. Is that true? This is probably one of the biggest myths that we see cited in the press. While it’s true that in the past sharks have bitten a few cables, they are not a major threat.

According to data from the International Submarine Cable Protection Committee, fish bites (a category that includes sharks) accounted for zero cable faults between 2007 and 2014. The majority of damage to submarine cables comes from human activity, primarily fishing and anchoring, not sharks.

What happens to cables when they are old and turned off? Cables are engineered with a minimum design life of 25 years, but there is nothing magical about this time span.

Cables may remain operational longer than 25 years, but they’re often retired earlier because they’re economically obsolete. They just can’t provide as much capacity as newer cables at a comparable cost, and are thus too expensive to keep in service.

When a cable is retired it could remain inactive on the ocean floor. Increasingly, there are companies that are gaining the rights to cables, pulling them up, and salvaging them for raw materials.

In some cases, retired cables are repositioned along other routes. To accomplish this task, ships recover the retired cable and then re-lay it along a new path. New terminal equipment is deployed at the landings stations. This approach can sometimes be a cost-effective method for countries with small capacity requirements and limited budgets.

So what’s the upshot for you? well, now you know.

CN: DiDi, China’s Uber, recently listed on the US stock exchange, just got removed from Chinese app stores.

Chinese ride-hailing app DiDi Chuxing was on Sunday removed from local app stores on on grounds that it did not comply with data protection laws. The ban came less than a week after the company’s US stock market debut.

The Cyberspace Administration of China (CAC) issued the ban. In its notice of its actions the CAC wrote: “The DiDi Travel App has serious violations of laws and regulations in collecting and using personal information.”

The app was removed under the Network Security Law of the People’s Republic of China and the company ordered to rectify the information security issues.

Although existing users can still use the app, it is unavailable for download from Chinese app stores.

a day after its DiDi decision, the CAC announced reviews of more apps that recently floated in the USA. The apps were Huochebang and Yunmanman, which are owned by “Uber for trucks” analogue Full Truck Alliance, and recruitment site Boss Zhipin, owned by Kanzhun. The CAC said all were reviewed “to prevent national data security risks, maintain national security, and protect the public interest.”

So what’s the upshot for you? Is it Chinese data loss to the US or the communist party raising an iron fist? Only time will tell.

US: Can New US Laws Curb IP Theft by Foreign Spies?

The Safeguarding American Innovation Act is designed to prevent foreign powers – and especially China – from stealing or unlawfully acquiring U.S. federally funded research. It is the direct result of a major study published in December 2019 titled Threats to the U.S. Research Enterprise: China’s Talent Recruitment Plans.

The study declares, “The open nature of research in America is manifest; we encourage our researchers and scientists to ‘stand on the shoulders of giants’. In turn, America attracts the best and brightest. Foreign researchers and scholars travel to the United States just to participate in the advancement of science and technology.”

But it then warns that this openness is abused by foreign powers to advance their own national interests. The most aggressive of these is China with its talent recruitment programs. It has over 200 such plans, with the most prominent being the Thousand Talents Plan. This, says the report, “incentivizes individuals engaged in research and development in the United States to transmit the knowledge and research they gain here to China in exchange for salaries, research funding, lab space, and other incentives.”

The report goes on to note, “Talent recruitment plan members removed 30,000 electronic files before leaving for China, submitted false information when applying for grant funds, filed a patent based on U.S. government-funded research, and hired other Chinese talent recruitment plan members to work on U.S. national security topics.” Theft of U.S. intellectual property (IP) is a fundamental part of China’s stated intention to be the world leader in science and technology by 2050.

There are three primary prongs to Chinese acquisition of western – especially U.S. – intellectual property:

  1. straightforward hacking and cyber theft;
  2. the implant of physical insiders to research establishments and R&D labs; and
  3. hiring western experts to work in China.

Researchers lured to China with the promise of money, resources, and greater recognition, he or she is compelled by law to hand over all research to the Chinese government – even that resourced from the U.S. – while being prohibited from handing over any Chinese data to America.

Attracting top researchers to move to China is only part of the plan – it works in the other direction by embedding Chinese ‘researchers’ into U.S. universities and companies. These people are usually native Chinese citizens who intend to return to China and are consequently still bound by the Chinese laws.

So what’s the upshot for you? Spies will spy; and if one door closes, they will find another. There is only so much that federal laws can do to deter malicious activities – they cannot prevent it. It is up to the individual organizations, whether in academia or the private sector, to protect their own IP through increased visibility into and vigilance over their data. But they also need to understand that nation-state spying – from any nation-state – is a level up in sophistication over standard hacking group activity.

Global: How REvil Ransomware Took Out Thousands of Business at Once

On July 2, while many businesses had staff either already off or preparing for a long holiday weekend, an affiliate of the REvil ransomware group launched a widespread crypto-extortion gambit. Using an exploit of Kaseya’s VSA remote management service, the REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.

REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. Customers of managed service providers have been a target of REvil affiliates and other ransomware operators in the past, including a ransomware outbreak in 2019 (later attributed to REvil) that affected over 20 small local governments in Texas. And with the decline of several other RaaS offerings, REvil has become more active. Its affiliates have been exceedingly persistent in their efforts as of late, continuously working to subvert malware protection. In this particular outbreak, the REvil actors not only found a new vulnerability in Kaseya’s supply chain but used a malware protection program as the delivery vehicle for the REvil ransomware code.

Spike in SophosLabs telemetry caused by REvil detections on July 2, 2021, showing hundreds of detections at their peak.
REvil’s operators posted to their “Happy Blog” today, claiming that more than a million individual devices were infected by the malicious update. They also said that they would be willing to provide a universal decryptor for victims of the attack, but under the condition that they are paid $70,000,000 worth of BitCoin.

So what’s the upshot for you? The tactics to evade malware protection used here—poisoning a supply-chain well, taking advantage of vendor carve-outs from malware protection, and side-loading with an otherwise benign (and Microsoft-signed) process—are all very sophisticated. They also show the potential risks of excluding anti-malware protection from folders where automated tasks write and execute new files.
We still don’t know exactly how many companies were impacted by the Kaseya ransomware attack. The company’s VSA product has around 37,000 active users. However, Kaseya says that the attack only affected “a small number” of their 6,500 on-premise VSA users.
Even so, since most of those users are MSPs, the total number of victims may be far larger. An early report from Reuters cited a figure of over 200 affected businesses. And security researchers at ESET say that their telemetry shows the attack spreading to multiple countries around the world.

Global: Ransomware Hackers Demand $70 Million In Bitcoin, Claim Massive U.S. Attack As Biden Investigates Possible Russian Involvement

A group of Russian-speaking hackers has claimed responsibility for a massive ransomware attack over the holiday weekend that hit 200 U.S. firms and hundreds more worldwide, with the group demanding $70 million in bitcoin to restore the companies’ data in the latest debilitating cyberattack to hit the U.S. this year.

The ransom was posted on Sunday on a blog ordinarily used by REvil, a major Russian-speaking ransomware group that recently extorted $11 million from the world’s largest meat processor, JBS, after wiping out one-fifth of U.S. beef production.

The group claimed responsibility for a ransomware attack—whereby hackers encrypt a user’s data and demand money for the key needed to decrypt it—executed Friday, which it says has affected more than 1 million computer systems.

The hack has affected at least 200 U.S. companies and shuttered hundreds of Swedish supermarkets over the weekend after the hackers breached Kaseya, a Miami-based IT firm, and used that access to break into its clients’ systems.

President Joe Biden, facing growing pressure to deal with escalating cyberattacks, directed intelligence agencies to investigate the attack on Saturday.

Biden said officials are “not certain” who is responsible and are “not sure” whether the Russian government is involved or not.

In their first face-to-face meeting in June, Biden warned Russian President Vladimir Putin against attacking U.S. infrastructure and vowed to retaliate against any future hacks.

So what’s the upshot for you? The U.S. has been subject to a string of severe cyberattacks in recent years, many pinned on groups believed to be based in Russia or have ties to its government. The FBI blamed REvil, the group claiming responsibility for this latest attack, for an attack wiping out 20% of the country’s beef-producing capacity. DarkSide, another hacker collective believed to have Russian links, attacked Colonial Pipeline in May, prompting gas shortages as the key East Coast pipeline went offline for several days. The government was able to recover the majority—$2.3 million of $4.4 million—of the ransom paid for the hack. But this is a good business. Once you make the kind of money these people are making, you don’t just stop.

Global: Facebook Just Gave 1 Million Oculus Users A Reason To Quit

It’s happened again. Facebook has broken a promise made by Oculus founder Palmer Luckey when he sold the company to the social network in 2014 that the VR headset would not target you with ads.

In a blog last month, Facebook announced that ads would be coming to its Oculus headset in a trial, starting with Blaston from Resolution Games and “a couple of other developers that will be rolling out over the coming weeks.”

But shortly afterward and after a fierce backlash from gamers, Resolution Games pulled out of the trial, saying the game “isn’t the best fit” for in-game advertising.

So what’s the upshot for you? Facebook owns Oculus, and that Facebook breaks promises all the time. Facebook’s entire business model is based on advertising.
You will soon have to have a Facebook account to use Oculus at all—and you pay for the product, so why should you be the product too?
So, is this latest news a reason to ditch your Oculus? Maybe, if you care about your privacy and prefer to avoid Facebook in general.

Global: Got a Windows server that is not used for printing? Disable the print spooler service.

As there is no patch yet for CVE-2021-34527, both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) are encouraging administrators to disable the Windows Print spooler service in domain controllers and systems not used for printing. A vulnerability note from the CERT Coordination Center explains two options for disabling the Print spooler service, one for an individual computer and another for your domain through Group Policy.

Option 1 - Stop and disable the Print Spooler service

Open a PowerShell prompt
Run the command: Stop-Service -Name Spooler -Force
Then run the command: Set-Service -Name Spooler -StartupType Disabled

Option 2 - Disable inbound remote printing through Group Policy

Open Group Policy
Go to Computer Configuration/Administrative Templates/Printers
Disable the setting to “Allow Print Spooler to accept client connections”

So what’s the upshot for you? A good rule of thumb is to only run the stuff you are using. Shut down everything else.

UK: British Airways did What?

British Airways or BA just settled a lawsuit out of court for 30 million pounds (confidentially) that was based on a 2018 British Airways data breach, where the credit card details of 380,000 people were stolen thanks to a Magecart infection on its payment processing pages.

The airline had been saving card details in plain text since 2015 and hadn’t implemented MFA across the board, by the time regulators fined BA for its poor data security practices – including saving a Windows domain admin username and password in plain text.

A BA spokesman said: “We apologised to customers who may have been affected by this issue and are pleased we’ve been able to settle the group action. When the issue arose we acted promptly to protect and inform our customers.”
“The resolution includes provision for compensation for qualifying claimants who were part of the litigation. The resolution does not include any admission of liability by British Airways Plc,” Claimants got about 1200 quid each (after legal fees but before costs).

So what’s the upshot for you? Who wins? Let’s figure this out… Not the individuals who have had their PII compromised… they get about twelve hundred quid. Perhaps it was the law firm? Their payment on this lawsuit was capped at 35% or UK10.5 Million Pounds.

US: How Your Car Watches Everything You Do And Everywhere You Go

The airbag control module (ACM). This hidden part of the car records the approximate speed, the braking, and the amount of throttle used by the driver. The airbag module will typically only store data permanently in the event of a crash. The only information recorded is from the preceding seconds before the accident and during the event. Everything else gets wiped.

There are many other modules within a vehicle that may record data. Location information, for instance, could either be held in the entertainment systems or in the brake light module, depending on the vehicle. If a phone connects to the infotainment module, it can suck in all contacts from the device, as well as information about its make and unique identifying number. Whatever passengers and drivers have been watching or listening to could also be recorded within the relevant part of the car’s network.
There is over 25GB of data per hour flowing around this [car] network, and the modules have to communicate with one another to make the car actually just work. It’s up to the individual developers of those modules what they choose to record.

What are car makers, parts manufacturers, and their advertising partners doing with all that data flowing around a vehicle’s network? Just as internet giants like Facebook and Google make money from their users’ data by funneling it to advertisers, car companies are doing the same with their customers’ information.

The automotive market is just as convoluted as the internet industry when it comes to where people’s data goes and how it’s used. But there is, occasionally, some transparency. Take, for instance, GM’s privacy policy that notes it has “disclosed or sold Personal information to third parties for a business or commercial purpose in the preceding 12 months in the following categories: Identifiers and internet or similar network activity.”

“We give up our data every day, all day long, freely to these companies that use it in really more egregious ways than the government.”

So what’s the upshot for you? One of the most intimidating stories was from a seat sensor manufacturer (that maintained your distance and height settings relative to the pedals and steering wheel). It recorded your weight every day, “to improve performance”. Couple that with an auto-drive feature and it’ll prevent you popping into McDonald’s on the way home from work if it thinks you need to be in better shape, or it will let you go, and then you’ll notice a plethora of gym membership ads in your Facebook feeds!

Global: Cyber Incident Sees Official Formula 1 App Blast Users With Weird Notifications

Racing fans around the globe received some unexpected and very strange push notifications from the official Formula 1 app over the July Fourth weekend. It’s believed the notifications were linked to a targeted cyber attack. F1 app users received a pair of messages. The first read simply “foo,” which is a placeholder name for program elements often used by programmers especially when sharing sample code with others.

Weird, but hardly alarming.

The second message was a bit more jarring: “Hmmmm, I should check my security… :)” Tossing a smile emoticon on the end does nothing to minimize the seriousness of the message. Someone, somewhere, figured out how to blast out messages via the F1 app’s official push notifications without permission to do so.

So what’s the upshot for you? An F1 spokesperson told ESPN that their “investigation confirms that this targeted attack was limited to the Push Notifications Service.” The statement also noted that F1 will “continue to investigate, review and improve safety measures but, at this time, have no reason to believe that any customer data has been accessed during this incident.”
Racing fans, we got off lightly this time.

HR: Rimac is taking over Bugatti with Porsche’s help

You won’t find any privacy or security issues in this story, but for almost a year, a rumor has been circulating that Volkswagen Group plans to offload Bugatti to Croatian electric vehicle specialists Rimac. That rumor turns out to be true: on Monday Porsche and Rimac revealed that they are forming a new joint venture called Bugatti-Rimac at the end of this year. It will be headquartered in Zagreb, Croatia, although Bugatti’s manufacturing will remain where it is currently, in Molsheim, France.

Originally founded in 1909 by Ettore Bugatti, the company became known during the interwar period for cars that were at the apex of style and speed, winning Grands Prix as well as the approval of the ultra-rich. Based in Molsheim in the Alsace region, it foundered following Bugatti’s death in 1947 and disappeared in 1963, before being resurrected by industrialist Romano Artioli in 1987. In this incarnation, Bugatti set up a high-tech factory in Campogalliano, Italy to build the carbon fiber EB110 supercar, before a faltering global economy put paid to Artioli’s ambitions.

In 1998, Bugatti began its third incarnation when Volkswagen Group bought the name and returned the company to Molsheim. The driving force was Ferdinand Piech, VW Group’s CEO at the time and grandson of Ferdinand Porsche. Piech wanted a car that had 1000 metric horsepower and a top speed of at least 260 mph (418km/h), and Bugatti delivered it with the Veyron 16.4 in 2005. Since then its hand-built a series of increasingly quick, extremely expensive hypercars, but questions have increasingly been asked about Bugatti’s relevance within VW Group at a time when the rest of the brands are all going electric.

“We will not just recycle what we have, we will not like just restyle the Chiron to make a new car, or just hybridize the Chiron. We are developing a complete new product from the ground up—everything—because we think that’s the best way to go, and that product will still have a combustion engine,” Mate Rimac said.

“However, we are thinking long-term and we’re going to add this amazing brand, which has a lot of diversity in its heritage, can be used to make products that are not only hypercars, and they’re the opportunities to make very exciting, different cars that are very strongly electrified, and fully electric. So, I can tell you that within this decade, there will be fully electric Bugattis but I can also tell you that at the end of this decade, there will be still combustion engine Bugattis,”

“Considering the heritage of Bugatti, and the fan base, and having these two very distinct brands Rimac and Bugatti in the same company, we can do, very cool things. So with Bugatti focusing more on heritage, craftsmanship, details, quality, and Rimac focusing more on technology—you know geeks, data, stuff like that. But to answer your question there will be fully electric Bugattis but we believe that through intelligent combination of electrification and combustion engine, there is still time for the combustion engine Bugatti,” Rimac said.

So what’s the upshot for you? Security? Privacy? it’s a car story featuring Bugatti. Enough said.

Thanks for joining us this week. We hope you enjoyed riding shotgun and look forward to seeing you in Se7en!