Friday, March 29, 2024

Lisa And Bill Can End The Auto Theft Crisis In Canada - Will They?

IBC / Equite Clowns at the Wheel? Do IBC and Equite have any idea how to stop auto theft?


The funny thing is that Equite, the investigative arm of the Insurance Bureau of Canada, never mentions talking to automotive cyber security experts, even though most vehicles being stolen in Canada today are being stolen by a cyber attack. A cyber attack here means a relay attack, key duplication or CAN bus attack. Equite mentions these all the time but never mentions talking to auto cyber security experts like BlackBerry or what they recommend. BlackBerry has plenty of cheap and quick software solutions to end auto theft. IBC and Equite even seem to turn a deaf ear to the largest auto cyber security software suppliers like Argus. Argus is headquartered in Israel and was founded by a former Israeli military cybersecurity team. It is now owned by Continental AG, one of the largest OEM auto suppliers in the world.

It’s not as if the IBC or Equite would have to spend a lot of time getting useful information from these suppliers, since they have videos all over the internet discussing the very issue they are supposedly investigating. Argus, as an example, has a video telling automakers they will face $24 billion in costs from lawsuits if they don’t install software they currently have to end auto theft. Automakers have known for years that their push button start cars were prone to cyber attacks and even patented inventions to stop them - but they never used them. Lots of questions could be asked.

Pro tip to IBC / Equite investigators - you need to educate yourselves on auto cybersecurity and identify experts who will aid in your investigations. Perhaps IBC or Equite have never heard of YouTube, or maybe they prefer the explanations of the automaker representatives who are pushing a “layered approach” and saying that it is the fault of organized crime.

Automakers have bought into SDV (Software Defined Vehicle). It is the new way of making money in the auto business: replacing hardware with software sold by subscription. It needs an “always on”, telematics-equipped vehicle to work. Hackers love this “always on” system since that is their one and only way to hack into the car. Increased cybersecurity software will stop this cold.

In Canada we have approximately 25 million cars and trucks on the road and over 105,000 are being stolen each year, with that number rising. In Japan, a country 3 times our size, they have 61 million vehicles on the road but fewer than 3,000 auto thefts nationwide. 3,000? Yes, 3,000. Why? One big reason is that they have government laws mandating that increased auto cyber security software be put in cars before they are sold. No, that software isn’t in the cars they export to North America for some reason. Maybe the IBC / Equite investigators could ask more questions.

Auto theft in Canada could be reduced by 80% in 6-12 months with a software fix if the IBC and Equite started questioning the automakers with the aid of the auto cybersecurity experts in the room. 

To IBC / Equite, we live in a digital age, we have a digital problem, we need a digital solution. You want to stop cars being stolen in the first place, not spend your time and money looking for them after the fact. 

In the words of the leading auto cybersecurity experts in the world “auto software without cyber security is like a car with no brakes”.


Car Companies’ Master Plan Caused The Auto Theft Crisis And They Know How To Fix It




Sometime around the late 1990s, car companies started to embrace a brand new concept that had the potential to make them a lot more money. They called it SDV (software defined vehicle) or “connected vehicles”.


Replacing expensive hardware with cheap software was now the new cocaine for the auto industry, and the savings would be enormous


SDV meant that no longer would the buyer get a choice of different engines, transmissions, radios, etc - hardware choices would now be turned into software choices by a Netflix-type monthly subscription. No longer would they need to build two radios, one with navigation and one without; just add navigation software to the one radio and bingo! You then have two different radios but one piece of hardware instead of two. The same applies to engines and other hardware. For example, bigger engines could be eliminated by a piece of software that turned one engine into four with a simple software update, giving the engine more or less horsepower or gas mileage; genius really. Want more horsepower? No problem, we have software for that. We’ll give you 50 more hp for $9.99 / month or get it bundled with the Nav package for only $15.99 / month, all done with one engine instead of four. Just to design and develop one new engine is well north of a billion dollars.

The first step was to start fitting all cars with telematics and push button start, since the SDV scheme wouldn’t work without a vehicle being able to communicate with a call center, which, in turn, needs to collect reams of data on the driver in order to figure out what they may like to subscribe to (GM’s OnStar was an early example). An SDV car would be modeled after a cell phone, with one fatal exception: you would never be able to turn it off or have a user selectable password, since the system needs to be “on” even when parked. Ford even mentions these “always-on relationships with customers” in their 2021 Q4 SEC filing, and how subscriptions are critical to future revenue. It is also mentioned under the “Risks” section.

As a bonus, SDV fit electric vehicles perfectly; they were all software based already. The savings in hardware would be enormous on all types of cars, in the billions, and the subscription revenue stream would keep on giving for the life of the car. If you wanted a concept to make automakers weak in the knees, SDV was it. It only had one minor side effect: increased auto theft.

A Hacker’s dream

It turns out the SDV “always-on” telematics was a Hacker’s dream, a way in, a failure point. You might as well have put out a welcome sign. Automakers immediately started building millions of vehicles with telematics and push button start. Hackers loved it; a few electronic bits and you have one key for thousands of cars.

Back in the lab, the automakers’ engineers knew there was going to be a big problem with hacking of their telematics. They even coined the term we use today, “relay attacks” or relay station attacks, all before they ever put telematics and their push button start systems in any car. They filed dozens of patents on stopping the hacking they were likely to face, some going back 20 years, and they all worked. They rarely, if ever, used them. Automakers did use the odd one here and there; for example, one to lock out your local mechanic so they could charge them for temporary access to the car's internal computer system. Another example was used in 2021 and worked like a charm, stopping all sorts of attacks on Dodge Chargers in Canada. It was a simple 12 minute software update, no hardware required, and it was called “Security Enhanced Mode”. You simply entered your own 4 digit PIN on the infotainment screen, and without it the car wouldn’t go faster than a few mph. Hackers' hearts sank. How would they guess thousands of different PIN codes? Game over. Nope, game on, hackers catch another break. FCA only fitted it to 240 cars - then recalled all the cars 6 months later and removed the feature so they could sell them on a subscription router they would fit to the car at no charge. BMW had a PIN system in 2000 for a year or two, then it disappeared. User PINs gone, never to be seen again. Dodge police cruisers have a factory installed system called Secure Park / Idle Guard that was also a software based solution that could be fitted to all late model cars with a simple software update, but this seems to be a bit of a state secret with police even though it’s all over the internet. It’s not available to the general public.

Mathematically, the Software Defined Vehicle looks like this:

SDV = Subscriptions + Telematics x (privacy - Auto Theft)

This formula appears to be acceptable to the auto companies for the time being. They aren’t worried about reputational damage since all car companies are having their vehicles stolen. So it’s a wash with consumers since it doesn’t matter what car brand they buy. They all get stolen. Police and politicians have formed mutual admiration societies telling everyone they’re working on solutions and sharing information. Police aren’t looking for the root cause; they’re looking for organized crime.


Auto journalists are trying to bring the issue into focus, but it’s a complex issue and writing about cars and computers is a known sleep aid to the general public. Automakers' constant stream of fear mongering and Jedi mind control tricks (used on police and politicians) severely undermines the journalists’ efforts and dominates the news coverage of auto theft. There have been articles on why we don’t have our own PINs like on our cell phones, how your data from the car is being sold and used against you, and how much money the auto companies are making on subscriptions. These are critical news stories and should be promoted as urgent public information. The politicians, automakers and police never mention them.


Unsurprisingly, automakers have been turning a deaf ear to their own SDV cybersecurity software suppliers like Elektrobit / Argus, started by former Israeli military cybersecurity experts in 2013. It is a global leader in automotive cybersecurity and its client list includes every major automaker on the planet. Their software is used in 600 million cars, so yes, they know a thing or two. Astonishingly, they have told the automakers to get their vehicles’ cyber security updated or face billions in lawsuits. In a YouTube video posted by Argus a few months ago, Argus states the legal threat to be $24 billion by 2025 at the 7:55 mark. The fix is a cheap software update, yet the automakers double down and say they are working on it. Their standard refrain - “this is a matter of organized crime, there are no silver bullets and we are working closely with police and insurance companies”.


SDV is really an unlocked cell phone on wheels, so expect a future like this:

An avalanche of emails and texts from car companies for everything from oil changes to software updates. Your favorite car app will disappear or freeze unexpectedly, more warning lights will come on that the dealer can’t fix, the radio will be stuck on low volume, a lot more dealer visits, a lot more recalls. In short it will be a nightmare. Imagine owning a second glitchy cell phone without a password, that can’t be turned off and is stolen every few months. 

Since approximately 1996, the automakers have spent billions on the SDV subscription scheme. They have had ample opportunity to mention their many tested solutions. During the Takata airbag scandal it was found out that the auto companies had known for years that they had a problem, and it cost them billions. When will automakers learn that it is cheaper to fix a problem than a scandal? If you’re one of those people who drank the Kool-Aid: yes, there are silver bullets for auto theft, developed, designed and tested years ago, software based and sitting on a shelf. It’s almost criminal. The current Auto Theft Crisis isn’t an accident, it’s a side effect.


M. Whinton

Graduate University of Guelph 1984 B.A. Economics

Graduate Queen's University 1985 B.Ed. Tech Studies Automotive

Recognized Ontario Superior Court Automotive expert - 24 years

Independent Auto Insurance Forensic Investigator major insurers - 25 years

Owner Carquestions YouTube Channel - 17 years

Licensed Automotive Service Technician Red Seal (National) - 42 years

Licensed Truck Coach Technician - 42 years

Retired Department Head Tech Studies Automotive - 28 years