Mandatory remote kill switch in cars? One more thing we will be able to crack and use.

Gary DeMercurio

We are all on the fast track to owning and controlling nothing. 

I first noticed an alarming trend starting to happen back in 2015, when John Deere decided that due to proprietary software, "the vehicle owner receives an implied license for the life of the vehicle to operate the vehicle, subject to any warranty limitations, disclaimers or other contractual limitations in the sales contract or documentation." Basically, you don't own your $1 million combine; you're just paying for a license to use it.

Tesla has revoked charging privileges, removed extended battery range from customers who purchased their vehicles used, and revoked lifetime charging and Autopilot.

Most recently, a new law in the infrastructure bill will make "kill switches" mandatory in all new vehicles starting in 2026. 

Yes, in my humble opinion this is ridiculous. Companies expect you to pay outrageous sums of money, only to keep control of the thing you are purchasing. That, however, isn't the alarming part. Nearly every year we see a security research team (which is really just a more professional way of saying "a bunch of hackers hacked stuff") figure out a way to control vehicles, take over drones, open car doors and start cars with their phones. And most recently, the "trending" Kia and Hyundai thefts using a simple USB in the start button, which were all over TikTok and YouTube, causing vehicles to be stolen at a startling rate.

Many police vehicles send data in the clear. It took until 2022 before some police forces began using encrypted transmissions. Most of the time, the government's cyber security compliance is an absolute joke, as is most companies' security posture. Yet somehow we continue down this road and think that "remote control" is a good thing? Or perhaps a necessary thing? Police departments' cyber security is not even laughable; to be laughable, it would need to have a system in place that one would be able to laugh at. Now, I'm not blaming them. The new cool thing to do is defund police, which in turn removes officers from the streets in an effort to have more funding for .... (insert great idea here). However, this ALSO defunds the department's ability to properly implement security. If you are the Chief of Police and you need to choose between hiring 10 more officers for your already underfunded, understaffed force or increasing your cyber security, which do you think is going to be chosen?

Privacy laws are in a terrible state in the USA. We're trying to balance the ability to manage data (which for big tech equals money) and how to protect people's privacy. I asked a good friend of mine, privacy expert Paul Sonntag, how "we" are doing. In short, we probably can't make a bigger mess of it. Paul says: "The US and EU have laws limiting law enforcement access to personal information such as cell phone and vehicle black box data. However, in the EU, the GDPR imposes far stricter controls on what data businesses can collect than what we see in the US's patchwork of much weaker regulations, and that has resulted in the collection of vast tranches of personal data in the US that can be legally sold commercially. Local law enforcement and federal agencies such as the FBI and Homeland Security have purchased this data in bulk, circumventing the Fourth Amendment and the need to obtain search warrants, and without the data subjects being notified."

Let's lay this out here, bullet point style:

  • So here we have a trend where a third party is in control of an item a citizen has purchased.

  • These items all have the ability to connect or be interacted with remotely.

  • The security behind these remote connections is constantly being bypassed.

  • The mandatory compliance in place is lacking (a severe understatement, hence the constant bypassing).

  • Companies are more interested in control and money than in security.

  • Law enforcement has the ability to interact with these devices, but doesn't have the funding to field a proper police force, much less the funding to have proper cyber security.

  • There are almost no privacy laws that protect you or the information that is being collected and transmitted from the item you've purchased.
So with all the above in mind, let's look at some of the things hackers did this year: Lapsus$ claimed impressive hacking victories against some of the world's largest companies like Microsoft, Nvidia, Samsung, Rockstar Games and a slew of other major tech companies. Uber was hacked, the LA School District suffered a crippling ransomware attack, the state of California accidentally doxxed every single legal gun owner in the state, and of course there was Log4j, and that is just the tip of the iceberg of what we DO know about. Yet here we are, effectively daring any and all hackers around the globe NOT to try and brick your $1 million combine, or trigger the kill switch on a group of cars on the Golden Gate Bridge. If we as a society took security seriously and had controls and monitoring in place, along with privacy laws that protected people, then this wouldn't be as alarming an issue. We, however, lack the vast majority of controls that would be needed for this to work even remotely well. Let's set aside the question of whether we even own the things we buy (although I still really think that is important).

We collectively aren't willing to secure basic common things; for God's sake, counties all over the country leave courthouse windows open in the summer. We've broken into "high security" facilities by breaking off a leaf from a plant literally outside of the door, sticking it through the door and waving it around. I have had one of the largest cloud providers tell me I wasn't able to use nmap for pentesting because "it was a hacker tool and unallowed", or ANY "hacker tools", and then expect me to pass them for a FedRAMP certification. I've had an over 80% success rate (usable credentials and access) for phishing at companies with over 10k employees that house some VERY important data for other large, important companies.

I have hundreds of stories just like this, and I'm ONE hacker in a sea of many. This could take a turn into a plethora of different political debates, but politics aside, why aren't people thinking about how secure something is before attempting to implement it? We constantly have this view of getting the product or technology out the door, then worrying about IF it can be secured later. Even worse, companies like Sensys Networks claim that their traffic systems are encrypted, but a few years back Cesar Cerrudo figured out that they were lying about that. He was able to walk down the street in Washington DC, a few blocks from the White House, and change traffic lights with his laptop and an antenna.

I've worked with companies that care; security is important to them, they do their level best, and that is all you can ask for. Work in security long enough, though, and you start to realize those companies are the exception, not the rule. I would like to think it's due to poor leadership or lack of information. Perhaps the CISO or CTO simply doesn't have the background, or hasn't surrounded themselves with enough smart people, to realize how wrong it all is?

Whatever reasons a company or the federal/state government has for continued poor security, it doesn't really matter. In the end, hackers like me will continue to laugh, circumvent, walk into banks and find the vault combination, steal security codes through social engineering, and lock your car doors or the building doors so you can't get in. The future is really exciting, though, when we take control of your car, drive that combine down the street from our laptop at Starbucks, or intercept police data including the prisoner transfer manifest, laughing the entire time because it really shouldn't be THIS EASY .... But it is.
