In the latest instance of people realizing vehicular connectivity is just one massive liability, we have a Norwegian probe into Chinese buses. Norway is presently growing its fleet of all-electric, Chinese-built transit vehicles and the government has become concerned that the connectivity features equipped permit a way for the buses to be remotely shut down. However, this isn’t a problem that’s limited to Chinese-made products — as the odds are good that your own vehicle boasts similar vulnerabilities.
According to CarBuzz , hundreds of buses were fitted with “Romanian SIM cards” that were hidden inside the system. Ruter, the nation’s main public transport operator for Oslo, has suggested this represents a potential risk for those buses to be deactivated remotely.
However, your car undoubtedly has a SIM card of its own (assuming it’s modern enough) and they don’t need to be of the Chinese-Romanian variety in order to shut down your vehicle remotely. They don’t even need to be all-electric vehicles. General Motors has had the ability to remotely disable automobiles since about 2009 and just about every other automaker under the sun could presumably do the same if you downloaded a targeted update commanding the car to brick itself.
In fact, we’ve actually already seen automakers do this accidentally via some bad coding. I believe the most recent example of this came from Jeep. But we’ve known cars could be wirelessly hacked since demonstrations proved it was possible in the early 2010s.
My suspicion is that the hubbub in Norway partially stems from Ruter’s wanting to support local labor and new laws requiring the country to actually test government-bought vehicles for cyber security issues. It examined Dutch and Chinese-made buses and — wouldn’t you know it — only the models from the Zhengzhou Yutong Bus Company were deemed suspect. While there certainly could be more to the matter, the idea that allegedly hidden SIM cards are the only way to hurt a vehicle is patently false. Ruter likewise stated that it had not uncovered any intentionally malicious activity stemming from the SIM cards.
Right-to-Repair advocate Louis Rossmann, who arguably broke the story for our part of the world, noted that the OEM only had access to over-the-air software updates, diagnostics, in addition to the battery supply and power control systems. He suggested that only the latter item could be viewed as potentially unusual.
Coverage of these situations often comes with some clarification that this may or may not be a bad thing. But your author sees little reason to sugar coat the issue. Automotive connectivity has clearly been a net negative for the end user and a net positive for manufacturers and other entities (e.g. governments) keen on scrounging up data.
In what was perhaps one of the dumbest decisions in human history, the owners of things have ceded control (often unwillingly) to the company that sold it and any third parties gain access via partnered deals or illegal trickery. In exchange, the former owners of goods have been issued promises that their private data that’s up for grabs by basically anyone with an internet connection is actually safer than ever before.
As lies go, it’s not even a very good one.
On the mundane end of the spectrum, you’ll find drivers like me screaming at their new car because Amazon’s Alexa constantly chimes to let me know she’s having trouble connecting. This is because we have intentionally deactivated all connectivity features. But we also have never once said her name, the car just assumes we have because voice-command systems are frequently absolute garbage.
I never wanted Alexa or any other connected services on my vehicle. No manufacturer has managed to convince me they offer any tangible benefit to my life. But they’ve become obligatory, padding the price of modern automobiles. Worse yet, climbing the trim ladder in order to get a more powerful engine or something like heated seats is often accompanied by even more connectivity nonsense and other invasive tech features.
However, on the more serious side of things, connectivity has led to the kind of digital gatekeeping that our grandparents would have thought unimaginable. Last week, Amazon Web Services (AWS) crashed and managed to take out loads of smart devices in the process. This applied to mobile applications, computer software, and even some home appliances. For example, owners of Eight Sleep’s “high-spec internet-enabled mattresses” found the beds that locked themselves in the upright position with the heat setting maxed out.
The beds effectively became human-sized George Foreman Grills because the connectivity services the beds used when out of whack. However, loads of automakers are similarly reliant on Amazon Web Services — with the crash throwing their IT services, manufacturing databases, and remote vehicle diagnostic capabilities into a tailspin.
AWS and other cloud services also store countless hours of real-time driving data used to both maintain and evolve automakers’ advanced driving systems. Ditto for the telematic data they steal from you and then sell to third parties.
The amount of vulnerability that’s been built into modern systems is honestly kind of mind boggling. Even if you’re absolutely fine with the notion that the cabin of your car could be doing some amount of spying on you, it’s still hard to rationalize numerous industries creating a wide-open access port for maleficence. Despite all claims to the contrary, your private information has never been less secure or more vulnerable — and it’s all thanks to your appliances, communication devices, and automobiles being permanently affixed to the internet without your say so.
In the instance of the Norwegian buses, the Chinese manufacturer claimed the SIM cards were necessary for remote software updates and technical troubleshooting. This is often the case with connected vehicles and the same goes with concerns that the setup could technically be used to remotely disable those vehicles.
From CarBuzz:
According to Yutong, those SIM cards enable remote software updates and technical troubleshooting. While that may be true, the connection also gives Yutong the theoretical power to stop the buses or render them inoperable via a software update.
At this stage, Ruter has emphasized that it has found no evidence of malicious activity.
The Ruter tests were part of a broader cybersecurity audit designed to assess vulnerabilities in electric vehicles. Ruter CEO Bernt Reitan Jenssen emphasized that the agency is now “moving from concern to concrete knowledge,” implementing new safeguards and tightening procurement standards to ensure full local control.
These measures include creating internal firewalls, isolating the buses from external cloud systems, and working with national authorities to strengthen cybersecurity protocols across the transport sector.
As previously mentioned, most modern cars have SIM cards and are now capable of over-the-air updates. That effectively means whatever vehicle is parked in your garage right now is basically susceptible to being remotely disabled. The real concern with the buses was that the OEM happened to be Chinese and the initial risk assessment missed the SIM cards.
But your own car is probably loaded up with Chinese parts, assuredly has a SIM card, and may have seen final assembly somewhere in Japan, Europe, Mexico, South Korea, Canada, or the United States. It could have even been built in China if you’re the owner of a Lincoln Nautilus, Buick Envision, or select Volvo models.
Of course, what does that matter if the end product is still reliant on a collaboration of data hubs situated across the globe? Even companies that may have most of their locations situated in your home country will probably have secondary sites in places like Israel, China, Germany, France, Russia, Japan, Australia, Singapore, or the Netherlands. The rest just outsource to businesses like Microsoft, Google, IBM, Oracle, or Amazon.
The problem isn’t really that the buses were electric or even that they were manufacturers in China. It’s that manufacturers have undermined the very concept of ownership by building de facto backdoors into connected products that now make up a majority of what’s on the market. Cybersecurity would not even be an issue if data harvesting were not viewed as more lucrative than building quality products by the groups manufacturing them.
Disconnect your vehicle. You have nothing to lose but your chains.
And that’s been Norway’s temporary solution to the problem. Ruter has stated that the hundreds of suspect buses can continue to function independently by removing the SIM cards, effectively keeping operations localized and offline.
[Images: Ruter; Yutong]
Become a TTAC insider. Get the latest news, features, TTAC takes, and everything else that gets to the truth about cars first by subscribing to our newsletter.
