PRIVACY ADVOCATES SAY government officials are talking out of two sides of their mouths when it comes to cybersecurity. The latest case in point: Assistant Attorney General John Carlin calling for super-secure, hack-proof cars at an automotive conference on Tuesday, even as FBI Director James Comey continues to pressure phone manufacturers and technology companies to roll back their security to allow for law enforcement access.
“There are things you can do to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States,” Carlin said at the SAE 2016 World Congress conference in Detroit. “First, design with security in mind.”
But driving a car in 2016 is not totally different from using a cellphone — and protecting either of them against hacking raises the same issues. These days, dozens of networked electronic control units manage things like braking and accelerating by communicating with each other, and more and more cars are connected to the internet, or accessible via Bluetooth. Securing the conversation between your brake pedal and your brakes is a lot like securing your banking app or your intimate phone conversation.
While Carlin is telling car companies that bulking up their cyber defenses is key to their long-term success, Comey has publicly suggested that phone manufacturers and communications providers like Apple, Google, and WhatsApp, who provide their customers with unbreakable encryption to secure their communications, should rethink their business models.
“It’s ironic to see the head of the FBI pressing companies to deploy less encryption at the same time the Justice Department’s top national security lawyer is highlighting just how important and hard it is to secure our devices and networks in an increasingly connected and hostile digital environment,” Kevin Bankston, director of the Open Technology Institute, wrote in an email to The Intercept.
“You can’t listen to Comey and [NSA Director Michael] Rogers get up and say cyber is the No. 1 threat while at the same time asking companies to weaken security without seeing some hypocrisy,” Amie Stepanovich, U.S. policy director for digital rights group Access Now, told The Intercept.
Comey wants companies to design their products securely, she explained — but not so securely that law enforcement can’t get in. And that’s not compatible with the needs of every company.
Plus, encryption poses no existential threat to law enforcement for several reasons, a panel of experts at Harvard’s Berkman Center for Internet and Society concluded in a February report.
Meanwhile, hackers have already shown they can take control of a moving car in the middle of the highway, as demonstrated in a widely read story in Wired by Andy Greenberg last year.
Sen. Ed Markey, D-Mass., commissioned a report in February 2015 on the privacy and security risks of internet-connected cars. It concluded that the auto industry, as it currently exists, is extremely liable to dangerous cyberattacks, especially as it gathers more and more information, like geolocation data.
Indeed, the same law enforcement officers who want access to cellphones to gather evidence might soon wish our cars were less secure, too. “They take in quite a bit of user information that law enforcement may want access to,” Stepanovich said.
If the DOJ had managed to force Apple to weaken its security to hack into a phone belonging to San Bernardino killer Syed Rizwan Farook, she said, the “case could have been used as a precedent to apply to cars in the future.”
Top photo: A driving demonstration in a prototype Acura RLX sedan in Detroit, Sept. 9, 2014. The car has cameras that monitor lane markings, multiple radar sensors, a beacon that uses laser beams to scan the car’s surroundings, and GPS to help it stay on a previously mapped course and follow the speed limit.
Hi, Jenna :) If authorities are sincere, all they need to do to have a hack-proof car is rescind universal covert car control standards
http://divinecosmos.com/start-here/davids-blog/1137-financial-tyranny-free-fall
skip down to the part “REMOTE-CONTROLLED AUTOMOBILES: LEGALLY REQUIRED IN THE U.S. SINCE 2008?”
thank you for your pursuit <3
I wonder how much of this is due to profound ignorance on the part of the government. On a related topic, yesterday Burr (chair of the Senate intel committee) said that the bill he and Feinstein were putting forward would not require back doors on encryption but merely require that providers follow court orders.
Now, perhaps my experience is too limited to qualify me as an expert, but I have never met a judge or lawyer who could coherently explain even the simplest scientific or mathematical principles. I am sure there are some who are knowledgeable, but would bet hard cash that my experience describes the majority. Certainly the majority of politicians (who after all are mostly lawyers). Unfortunately, politicians seem also to be affected by hubris, making it virtually impossible to educate them on the realities of the physical world. It really is an elementary concept, you know: If you make a system vulnerable to intrusion by one person, it becomes vulnerable to intrusion by another. The government, and the tech firms too, have been repeatedly demonstrated to not have a monopoly on either cleverness or programming prowess.
How about NO cars? The environmental damage done by driving (mostly by consuming and burning oil, but there are other harms like the roads themselves and killing wildlife) is far more important than whether someone can hack into a car’s control systems.
the whole idea of a fleet of networked, remote-accessible thus inherently insecure cars doubling as data hoovers strikes me as a mind-bogglingly idiotic deviation from good engineering sense anyway. sure who wouldn’t like to work while being driven around but how about we forget about this whole goddamn software-defined cars business until we get that right? fuck that industry. in my mind they’ll be responsible for every single death caused by it, not to speak of the further loss of privacy caused by knee-jerk networking of everything in sight.
cars that talk to each other are a solution to a problem that only exists in the minds of self-serving industry and academic “visionaries” who’ve missed the last 20 years in computer security. linking up motor electronics with entertainment system, for OTA updates while we’re at it, is simply unforgivable.
Because hacking into the control module(s) of a moving motor vehicle is a potentially life threatening act, prosecuting auto hackers to the full extent of the law seems like a necessary justice of miscarriage (budda bing?).
Unfortunately most novice hackers are able to operate anonymously, and phones themselves are a major vector toward attacking vehicles, since they interact with them regularly and are somewhat trusted.
a) It’s gonna be hard to figure out precisely *which* North Koreans they are, and b) it would be foolish of them anyway to tip their hand before they can hack into millions of cars at once.
Michael Hastings comes to mind.
The story he was working on has never surfaced.
In a world where one who’s challenging this empire should unquestioningly trust almost no one, a State Department wife looking way out of his league and like she graduated from a Valerie Plame school of charm raised some red flags in this paranoid, especially when coming out publicly against any possible foul play so soon after his death. Now we’re learning it’s been easy for some time to hack control functions such as steering and acceleration, and doesn’t that just make you want a newer car.
“Possibly” because of this?
// __ http://en.wikipedia.org/wiki/Michael_Hastings_%28journalist%29
~
Death: … Some media referred to the accident as “peculiar”. In an interview with the Huffington Post, Richard Clarke, former US National Coordinator for Security, Infrastructure Protection, and Counter-terrorism stated that Hastings’ car accident was “consistent with a car cyber attack.” He explained that hacking the control system of a car was relatively easy, and that “there is reason to believe that intelligence agencies for major powers” have this know how. However, he did not claim that a hack had occurred. One neighbor on the scene reported having heard an explosion, and another said that the car’s engine had been found 50-60 feet from the accident scene.[42]
~
[42] Was Michael Hastings’ Car Hacked? Richard Clarke Says It’s Possible:
http://www.huffingtonpost.com/2013/06/24/michael-hastings-car-hacked_n_3492339.html
~
// __ In Response to Theories on Michael Hastings’ Fatal Crash
http://www.youtube.com/watch?v=yUC3GFDoO4s
~
Also, you don’t even have to be working in a “story”, just standing in the way of “freedom” and “democracy” may hurt you:
// __ http://en.wikipedia.org/wiki/News_International_phone_hacking_scandal
Death of Sean Hoare: On 18 July, former News of the World journalist Sean Hoare, who was the first reporter to tell of “endemic” phone hacking at the publication for which he used to work, was found dead at his home in Watford, Hertfordshire. A police spokesperson said the death was treated as “unexplained” but not suspicious.[129][130][131]
// __ INVESTIGATED: Elite Hacker Barnaby Jack Murdered by NSA?
http://www.youtube.com/watch?v=TjHbQJERoso
~
RCL
He was going to meet with Barrett Brown for an interview, I am hoping Barrett will one day soon shed some light on this.
Jenna,
Do you not see these comments as classical diversion? The FBI, CIA, and NSA can already hack into your car and do whatever these guys in the link claim they can do. If not, they would hire them and tell them to keep their mouths shut for a big chunk of cash. What these guys really want is to control ALL of us. I am a huge Tesla fan, but I fear the “autonomous” car is really a cool tool for authoritarians to shut down anyone who disagrees with their views. Can’t drive, can’t work, or escape oppression.
Can’t have cash? They just shut off your debit card and you are done.
Extremely worrying, and something I wish the Intercept would take a little more seriously.
The “live in your car” phenomenon is serious. In Puerto Rico (a wonderful place) on Friday and Saturday evening, the population gets in their vehicles and cruises the strip in San Juan. It’s a huge event.
In the U.S., homeless persons can now be very comfortable and connected in a vehicle. And it’s mobile so if a job is elsewhere, not a problem. Not much difference with other life forms migrating to sources of food as they change. Could be a trend. Certainly is a smart move. Beats renting.
more and more cars are connected to the internet, or accessible via Blu-ray.
Errrrrr. Bluetooth is slightly different from Blu-Ray.
It’s “Bluetooth” not “Blu-ray.”
FBI Director Comey seems to be following in J. Edgar Hoover’s footsteps, perhaps with a more corporate flavor. The central agenda of the FBI in recent decades has been the protection of corporate business interests. When Obama chose Comey as FBI director, he knew he was picking someone who had demonstrated loyalty to Wall Street interests.
How do we know this? Consider his record: Comey left the FBI c.2005 and went to work for Lockheed Martin, whose largest non-U.S. government customer is the Saudi dictatorship; Obama and Clinton helped deliver a gigantic arms deal to the Saudis which greatly benefited Lockheed Martin. If Saudi Arabia was ever accused of human rights violations (the bombing of Yemen, or the beheading of non-violent protesters) or of supporting terrorism (see the classified 28 pages of the 9/11 report, or the flow of funds and arms to ISIS and Al Qaeda in Syria), that would put arms sales to the Saudis at risk, hurting Comey’s ex-employer, Lockheed Martin.
This could help explain why Comey made no effort to investigate the Saudi ties of the San Bernardino killers (who were married in Saudi Arabia; the woman attended a Saudi-financed radical Wahhabi school in Pakistan). Such investigations could threaten the business interests of his previous employer, Lockheed Martin.
Instead, he attempted to use the attacks as a justification for expanding domestic mass surveillance strategies, which could be used to go after any political protest movement which threatens the Wall Street interests that Comey is loyal to. Environmental protesters targeting fossil fuels or agribusiness? Classify them as eco-terrorists and conduct invasive surveillance and disruption campaigns. Occupy Wall Street? Same deal.
Comey’s loyalty to Wall Street – in line with Obama & the FBI’s refusal to investigate criminal behavior in the 2008 economic collapse – is also seen in the case of HSBC’s money-laundering case. Loretta Lynch, Obama’s pick to head the Justice Department, refused to pursue a criminal indictment against HSBC. Despite proof that they were laundering money for the Sinaloa cartel, she offered them a ‘deferred prosecution agreement’ and Comey then took a job with HSBC to help them with ‘due diligence’; his next job was Director of the FBI. If that’s not gross corruption, what is? Do street level drug dealers get ‘deferred prosecution agreements’? No, they get long prison terms – but those who launder billions in cartel money get sweetheart deals. Grotesque corruption, is what it is.
Hence, the Justice and the FBI want to have more access to domestic mass surveillance strategy. The public outrage over widespread government corruption is a threat to the FBI itself, as the above issues demonstrate. What if FBI insiders, disgusted at the corruption inside their own agency, decide to leak information to journalists? Comey wants to be able to keep tabs on journalists, I think, and remotely monitoring journalists’ cell phones would help with the Obama anti-whistleblower agenda – the Espionage Act prosecutions, the use of Nixonian-style ‘Plumbers’ to track down leaks – the exposure of government corruption and incompetence is something that the White House, the Justice Department and the FBI are out to prevent. Their view is that the general American public cannot be trusted and must be monitored continuously.
Now, other government agencies concerned with things like military security and preventing foreign hackers from breaking into secure networks, electrical grids, nuclear power plants, etc. have taken the opposite view – that undermining crypto-security is detrimental to national security.
The corporate technology world has also taken this opposing view, because they know that people want to buy secure systems because they don’t want their business deals and personal communications spied on by sleazy government spooks from any country.
What’s really needed is an independent investigation of FBI corruption, and both Comey and Lynch should be fired over their sleazy HSBC deal.
Thanks for the post. An informative, well formatted case on Comey.
Continuing a long tradition, the FBI is rotten at the top.
“It’s ironic to see the head of the FBI pressing companies to deploy less encryption at the same time the Justice Department’s top national security lawyer is highlighting just how important and hard it is to secure our devices and networks in an increasingly connected and hostile digital environment,”
Why is it ironic that two government officials have different opinions about a government policy that has yet to be clearly defined by law?
It would be ironic if either of the two said phones open, cars not but I do not believe that appears to be the case. Sometimes this website is gratuitously bashing the United States government. Step up your game, people. Are you journalists or editorial writers? If you are editorial writers, maybe you should identify as such?
Do you work for the FBI or other government agency in a PR capacity? If so, maybe you should identify as such.
My identity is no mystery. Type my user name into google or any other search engine… you can find out who I am in a few seconds. I even have my own website for goodness sake.
I’m a social worker and an artist. I do not work for the government. I am a registered Green Party member. My life is centered around sustainability and not consumerism. I am probably much like you. But you can reach your own conclusions.
“Sometimes this website is gratuitously bashing the United States government.”
If you really are a Green, you ought to know darn well that there’s so much wrong with our government these days that The Intercept has yet to even come close to “gratuitously bashing” it. Perhaps it might seem that way to someone if they have previously been exposed to high amounts of CNN, MSNBC, FOX, etc.; those media organizations rarely cover anything that displeases the Democratic/Republican ruling Establishment. Heck, they nearly IGNORED the protest in Washington DC a few days ago, devoting only a few scant seconds to a protest in which hundreds of people were arrested (including Cenk Uygur from The Young Turks).
And yes, I am a registered Green Party member as well; I was even elected precinct committeeman in the March primaries here in Illinois (we have Established Party status in the 5th and 12th districts). I just think that what TI has been doing doesn’t constitute “gratuitous bashing”, but instead adversarial journalism, something that our country sorely needs if it is to eventually break free from its trend of authoritarianism, plutocracy, and militarism.
“but instead adversarial journalism, something that our country sorely needs if it is to eventually break free from its trend of authoritarianism, plutocracy, and militarism”
The strange thing is that I wholly agree with what you wrote, specifically what is quoted. Adversarial journalism is good for democracy. I don’t refute that one bit and that is the main reason why I come here daily. TI has some really good journalists.
But in my opinion, this article, and there are some others, is not good journalism. I do not believe it’s a journalist’s job to tell us what is ironic. I believe a journalist’s job is to lay out the facts and let the reader decide whether the facts are ironic. In this specific instance, I do not believe the author is even stating something ironic. You are free to believe otherwise.
Thank you for calling me lazy even though we have never met, never spoken to one another and you know very little about me other than some internet comments I’ve made!
Liberals tend to think we know better, we act better, we are better human beings. But in the end, all you really need to do is open your eyes to see that it’s not just Trump who has the capacity to bully, liberals can be assholes also.
Just because her bio says she has been a blogger in the past does not mean her reporting here has been labeled as a blog. My assertion is that maybe the TI staff should have a section labelled blogs. This article and many others on this site are essentially blogs and not journalism. You are free to believe otherwise. It is not necessary to insult somebody for having a different opinion.
I’m not “insulting” you for having a different opinion. I’m calling you out, which you might consider an insult, for writing: If you are editorial writers, maybe you should identify as such? You clearly had never opened the link to Jenna’s bio wherein she “identifies” herself. And also, in her bio, it says, “She previously covered national security and foreign policy at Mother Jones magazine as an editorial fellow” Jenna doesn’t claim to be the CNN “journalist” that you indicate is what you think defines “journalist.”
Actually you did insult him by calling him lazy. And fwiw I reckon Charliethreeee’s posts are about the most cogent and humane on this site.
Blu-Ray? I think you mean Bluetooth.
There is one and only one way to secure a car. Do NOT connect it to the Internet, or otherwise subject it to frequent software uploads. Seriously … this shouldn’t be a hard thing for people to wrap their heads around. We didn’t grow up with cars connected to the Internet and they worked just fine.
The problem is, it seems very hard even to get someone to give you a count of how many different transponders and back doors are being put in these new cars. If the Intercept wants to leak something big, how about leaking what we have to do to make sure one of these modern vehicles cannot be hacked from North Korea — and how many years in jail we’re likely to get for trying.
They are also being stupid thinking that the impact of a hack is one person or another being toyed with. That’s not how this goes down. What they’re gonna do is hack into EVERY SINGLE VULNERABLE CAR ALL AT ONCE. We’ll have millions of people getting into accidents at the same moment as their cars make whatever suicidal maneuvers their designers were crazy enough to enable remotely. And once the roads are completely stopped with accidents, and all the emergency responders are desperately trying to do something to the few people they can get to … that’s when the computer viruses in the office do their thing and cause fires and set them all to burning. No, the fire department is NOT on the way – not today, not tomorrow.
That’s not even the worst scenario. The worst scenario is Stuxnet-style cyberwarfare viruses gaining access to a large number of nuclear reactor systems in the United States, taking over the industrial control systems, and driving the reactors into simultaneous Fukushima-scale meltdowns.
Obama’s team refuses to mention this at events like the Nuclear Security Summit (he instead said that a terrorist with a dirty bomb was the big threat) – because it’s bad for the nuclear industry and the big utilities like Exelon, which owns a large fleet of aging nuclear reactors that they don’t want to have to shut down or spend more money on upgrading their security. Exelon was one of Obama’s big money backers as Senator; he’s very loyal to their interests. Thus, Obama makes no mention of what is unarguably the biggest cyber-vulnerability in the United States.
I dunno… it’s been a long time since nuclear reactors were being built. Would someone really dig into their ancient custom-made control systems and rig them up with an Internet connection just so that the North Koreans can hack into them and blow them up? ( http://phys.org/news/2015-10-nuclear-power-cyber.html – yeah, I guess so! ) Amazing what kind of innovation people in this country are still capable of when their goal is something so *completely* stupid that even a *child* would know it was idiotic.
This comment is a complete fallacy:
“communications providers like Apple, Google, and WhatsApp, who provide their customers with unbreakable encryption”
Any communication that is on a smart-phone is not secure especially when the government has their hands on companies like this: https://www.iqt.org/iqt_portfolio/mobileiron/ and this: http://www.sec.gov/Archives/edgar/data/1470099/000110465915032566/a15-10125_1def14a.htm
See Pg 6 on their Board of Directors Mathew Howard.