Ask Hackaday: Does Your Car Need An Internet Killswitch?

Back in the good old days of carburetors and distributors, the game was all about busting door locks and hotwiring the ignition to boost a car. Technology rose up to combat this; you may remember the immobilizer systems that added a chip to the ignition key, without which the vehicle could not be started. But alongside antitheft security advances, modern vehicles gained an array of electronic controls covering everything from the entertainment system to steering and brakes. Combine this with Bluetooth, WiFi, and cellular connectivity — it’s unlikely you can purchase a vehicle today without at least one of these built in — and the attack surface has grown far beyond the physical bounds of bumpers and crumple zones surrounding the driver.

Cyberattackers can now compromise vehicles from the comfort of their own homes. This can range from the mundane, like reading location data from the navigation system, to more nefarious exploits capable of putting motorists at risk. It raises the question — what can be done to protect these vehicles from unscrupulous types? How can we give the user ultimate control over who has access to the data network that snakes throughout their vehicle? One possible solution I’m looking at today is the addition of internet killswitches.

The Scope of the Problem

[Chris] and [Charlie] remotely hacked into a Jeep, disabling its brakes and sending it careening into a ditch.
As any hacker knows, a connected computer is a vulnerable computer. In vehicles, not only are the embedded systems connected to the internet, but they’re also capable of controlling vital safety systems. While many wrote off these concerns as unrealistic, the uncomfortable truth came home to roost in 2015. Security researchers [Charlie Miller] and [Chris Valasek] were able to remotely take control of a Jeep Cherokee, with just a laptop and a 3G data connection. The duo were able to scan the internet for further targets, and could even track various Chrysler automobiles around the country thanks to GPS and their in-dash entertainment systems.

This discovery led to the recall of 1.4 million vehicles, with Chrysler sending out firmware upgrades on USB drives to patch the vulnerability. Additionally, a change was made to lock down access to individual Jeeps over the Internet. This measure protects against the intrusion by itself: the attack can’t proceed without a connection, so it also protects unpatched vehicles in the wild. This showed the value of cutting the data link in terms of making a vehicle resistant to attack.

While the hack was limited to Fiat-Chrysler automobiles fitted with Uconnect infotainment systems, it highlighted the broader risks to all connected vehicles. The fact that a hacker was able to remotely target a car over the internet, and interfere with the transmission, brakes, and other functions was a wake-up call for the industry. It made it clear to both automakers and the public that matters of cybersecurity are present on the open road.

A Potential Solution

Flawed code is everywhere, and it’s unrealistic to believe that automakers will ever be able to produce cars with zero vulnerabilities. While over-the-air updates and improved basic security practices will help stem the tide, there will always be the occasional zero-day exploit that sends everyone for a loop. For personal computers, this is considered an acceptable risk. However, a compromised car can put lives at stake. Additionally, while useful, an internet connection is not actually a requirement for a car to provide transportation.

Thus, a useful tool in defending against automotive cyberattacks could be a simple one — give the user the ability to disconnect the vehicle from the internet entirely. While this would shut down streaming radio services and certain other non-essential facilities, it would also make remote attacks impossible. All the tricky firmware hacks in the world are worth naught if you can’t make a connection to the vehicle to deliver the payload, after all.

In order to make this easy, vehicles could ship with an internet killswitch to shut down all wireless and cellular communication to the vehicle’s systems. It would require a careful and considered design, and ideally would have a standardized form across manufacturers. Naturally, a concerted effort to educate the public in this device’s use would be required. Printing a small note in the back of a 200+ page manual simply won’t cut it.

Basic solutions exist to protect us against webcam hacks. A similar approach may be valuable in cars.

The benefits of such a device would be manifold, covering concerns of both security and privacy. In the event that an exploit is used in the wild, it would allow users to continue safely driving their cars while waiting for a patch to become available. Compare this to the current status quo where anyone wanting to disable wireless connections to their vehicle would need to navigate software menus different for each make (and possibly model) of vehicle, or go truly old school and start pulling fuses.

The simple fact is that the average person is unlikely to take their car off the road while manufacturers scramble to fix a problem; previous recalls have shown that people are complacent and will drive recalled vehicles with abandon. Some may even choose to drive with their car permanently offline, just in case — akin to those who tape over laptop webcams to evade snooping hackers.

Potential Downsides

Of course, there are potential drawbacks, too. Consumers are notoriously difficult to educate. It’s likely that many will inadvertently activate the switch, before rolling up to their dealership in a fury over their entertainment system which refuses to stream music, or fails to connect their phone for hands-free use. Any IT help desk worker will be familiar with the pain caused by hardware WiFi switches hidden on the sides of laptops, unbeknownst to hapless users. Additionally, if not placed in a clear and obvious location, or if the functionality is hidden deep in a menu system, many drivers will fail to use the system entirely.

Hacking one car is achievable; creating a zombie horde of vehicles remains unrealistic. That’s not to say nobody will try.

Despite this, it seems crazy that modern connected vehicles don’t have a way to quickly and easily shut down their wireless connections. In the same way the Firestone tyre controversy led to tyre pressure monitors becoming mandatory, it may take a widespread controversy to push governments into action. Short of driving around with a cellular jammer, there seems little the average motorist can do to protect themselves against vehicular cyberattacks. If automakers are unable to protect consumers, we may see the community find their own solutions, even if it’s as simple as not paying their cellular service bills.

In the meantime, we wait with bated breath for the next major automotive hack to hit the spotlight. Hopefully measures are in place sooner rather than later, lest we all succumb to hordes of zombie vehicles, a la the Fate of the Furious.

We’d like to hear what you have to say about this. Do you think vehicles need a reliable way of toggling the data connections built into them? Is the automotive internet killswitch a reasonable option for mitigating exploits in automobiles or is it merely a bandage on a larger problem that’s not going away anytime soon? How do you think the average consumer would react to the appearance of an “internet off” button on the dashboard? Let us know what you think in the comments below.

103 thoughts on “Ask Hackaday: Does Your Car Need An Internet Killswitch?”

        1. So far.

          Meanwhile, dealers are increasingly using “Payment assurance devices” (remote kill switch) on new cars to ensure people don’t miss their payments. It’s not much of a stretch before the police or the insurance companies start to demand similar devices on all cars.

          1. Yah it is a very rotten practice and those devices are usually very cheaply made and the installation often is questionable at best.
            I’m pretty sure the practice has resulted in a few cars burning down and maybe even shutting down on a freeway on-ramp and causing fatal accidents.
            If you find one I suggest attaching a battery to it and having it fedexed to somewhere far away or attaching it to a shipping container.

          2. Just drive an older vehicle that has no requirement of monthly payments

            There are more older vehicles on the roads in the USA than the UK for example. You have FAR more cars from the 90’s and don’t even get started on classics.

          3. It’s quite the stretch, unless one’s heavily vested in pseudo-slippy slopes. A significant difference between “you own the vehicle” and “someone else owns the vehicle”.

          4. >”A significant difference between “you own the vehicle” and “someone else owns the vehicle”.”

            As long as you have to buy insurance and have your vehicle tested for emissions and condition every few years, you’re not in full control of your “property”. For example, insurance companies start offering discounts for people -with- the remote kill-switch, which in reality means jacking up the prices for everyone who doesn’t install one in their car.

            For example, many insurers offer discounts if you have On-Star enabled and paid – which means they can track your speed, location, and whether you’ve been speeding a lot. On-Star sells this information to the insurers.

            As long as there’s the argument that “It saves lives”, or at least reduces cost to the insurers by being able to deny coverage, then there’s going to be people who are trying to save everyone from themselves by making these things mandatory. After all, wouldn’t you want to be safe when the sky is falling?

          5. Besides, as they will inevitably try to outlaw gasoline engines and anything that emits CO2, you get electric vehicles like Tesla that have OTA software updates that apply to absolutely everything.

            The Model 3 was being tested by Consumer Reports and they complained the braking distance was too long. Tesla did an overnight update, magic, the braking distance got shorter. Apply in reverse: a hacker can update your car to have no brakes, or Tesla may be forced to hand over the encryption keys to the police, who then gets the ability to disable the cars remotely.

        2. Any car registered as an antique is exempt from the emissions requirements. You are limited by the state’s restrictions on usage though (i.e. miles per year, days per week, destination, etc.). In my state, you are only allowed to drive it once per week, unless driving to a car show, parade, event, etc. But, during the summer months, it’s not common to NOT have an event you could go to every day of the week.

          1. [Eric]
            I’m not sure of any State, but when I was looking around to insure a “classic car” (1942 1 ton Ford truck) some of the insurance companies had such limits, (depending on how much you were willing to pay for coverage).
            Don’t ask who insures it, it is not insured, (it is not running either).

      1. There’s no state that outlaws old cars. Probably never will be. Car culture is deeply ingrained in the American state of mind. Dunno if that’s a good thing, but there it is.

        The environmental concerns are valid, but this strategy of aiming it at consumers is a crock cooked up by technocratic ghouls to shield the ones really responsible for most of the pollution—themselves. The eight largest oil tankers and container boats create enough emissions with their own locomotion to offset every single land vehicle. on. EARTH. If we really want to cut emissions, let’s start by sinking those. It would instantly be equivalent to converting every single car in every single nation to solar-electric. Obviously the single most significant single measure we could take. The offshoring of our economies is what did this, not regular folks. And neoliberals love offshoring, despite their contrived, play-act hand wringing about the environment. They don’t really care. They’re just securing their own class interests.

        Trying to foist the responsibility on you, the consumer, is and always will be a con and they know it and won’t legislate against you being able to drive an old car. They are already getting what they want, which is paralyzing guilt and resignation and defeatist thinking. Because it’s obviously impossible to get seven billion people to all come around and change their ways simultaneously, even if they know it’s for their own good and accept it. It just doesn’t work. Saying everyone should just spontaneously do better without incentive is the same as shaking your fist at a cloud for raining on you. But they’d rather us try to do just that unsuccessfully forever (or at least until we all fry) than march up to their industry and start removing bolts to defend our grandchildren. Can’t have that. A real revolution always has been and always will be aimed at power and industry, not masses of common people.

        1. This is incorrect, the claimed number is only for sulphur emissions and is 16 as large as the absolute largest (not that there are actually 16 that large according to the source on these claims). This figure is also based on fuels allowed in 2012, the permitted sulfur content has dropped. I’d look for a more up to date source on this but I don’t see the point for a claim that never gave one.

    1. From a woman who knows squat about automobiles, if two spark plugs are disconnected, will it prevent a vehicle from being started?

      I live a few miles from a small town where tweakers/car thieves seem to hit really often from a nearby town where a lot of drug addicts seem to live.

      Silly suggestion?

      1. While it is not brake disabling, an entertainment system suddenly on full blast is quite a danger still.
        Is the GPS part of the entertainment system? People are known to blindly follow it.

        Personally I don’t want internet in my car since I will never know what is going on in the background.

  1. Entertainment should not be on the same network as system critical and safety features. Entertainment has too many flaws and vulnerabilities. Internet connectivity is just one entry point. USB media, CD/DVD/Blu-ray players are all entry points to be hacked.

    1. Correct. Internet connectivity is needed by NONE of the critical systems required for driving.

      There’s the inevitable question of when this switch should be flipped. Only after someone hears that an attack is taking place on the news? How does that defend against zero days when you could simply push out a patch automatically instead?

      The tech savvy among us might yearn for a switch to turn all these asinine annoyances off, but the average user doesn’t. To ask for a kill switch is to entrust that very same user with the responsibility to make the right call.

      Time and time again, if you present ordinary users with the option to cripple their stuff to mitigate what is to them a theoretical risk, they will choose not to do it. Better to make sure there is no risk to their safety in the first place by maintaining isolation.

      1. How about a latching switch/button that the user has to press every time they enter/start their vehicle to allow it to *connect* to the internet… rather than have a switch to find and activate to *disconnect*.

        The opposite of what is being presented here: the user has to deliberately “opt in”, and if it is a ‘use every time’ button (just like the “start” button that is now commonplace in new cars), users will know to press the button to get their connection, dealers will have to show it off when they sell cars, etc.

        1. Same problem, regardless of whether you’re opting in or out. In this case users get trained into automatically pressing the magic internet button every time they get into their car.

          Opting in only makes sense if it’s an informed decision, not a mindless habit required every time.

          The above argument hinges on this being a decision that shouldn’t be left to ignorant users. In fact, it’s a decision no one should have to make because it is entirely preventable.

  2. Why does the entertainment system need to be connected to the internal functionality that’s required for the vehicle to operate?

    It seems like the internal computers for the fuel injector, ABS, and other essential functions should never need internet connectivity and should never have it. Any updates to these functions would require hardware access, sure, but that seems like something you probably don’t want to auto-update without the owner’s explicit action anyway.

    The entertainment system should be an entirely distinct system that does not communicate or have any connection with the essential functionality in any way. That can have internet connectivity. Sure there will be some hacks that let an attacker crank the volume way up, but nothing that will stop a motorist from safely pulling over.

    Just my two cents.

    1. This. Any update should require taking it to a dealer or plugging a USB thumb drive into another port vs pushing it over the air.
      If they insist on over-the-air updates, such as cough Tesla cough, part of the key needed to decrypt it so it can be installed should be sent via another communications channel, either as an SMS message or an email that the owner needs to key in.
      This last one won’t stop nation state backed entities and larger crime syndicates but at least would make their work harder.

    2. My infotainment system is connected to my safety systems, and for completely valid safety reasons. If I don’t fasten my seatbelt, a chime sounds from the stereo. While I’m driving and the car has a warning that a safety system has failed, such as COLLISION WARNING NOT AVAILABLE (because rain or snow is blocking the radar), it reduces the volume of the stereo, plays a chime sound, then returns the volume, which is a much more effective attention-getter than a chime trying to compete with a loud music track. If the backup sensor detects an obstruction in the left rear quadrant, the left rear speaker sounds a beep. And if the collision system detects an imminent threat, it mutes the audio source entirely and beeps loudly from the front speakers.

      These are all good and useful behaviors that effectively engage the driver’s attention, and make the car safer for everyone inside as well as anyone outside. And they require an interconnection between the safety systems and the sound system. Simply severing the link would reduce the safety.

      And before anyone thinks “I’m a better driver than that and I don’t need those systems “, even if you were correct, don’t ignore the larger issue. Remember, Joe Sixpack also has those systems in his car, and someday they might help him not collide with your car. Your safety isn’t isolated to you.

      1. They require a uni-directional connection between the critical and non-critical systems. This is the detail that is lost in most modern implementations. For years there have been connections between flight critical and non-flight-critical systems onboard aircraft. These are physically uni-directional. It is impossible to impact the flight-critical systems from the non-flight systems, even though the non-flight systems can monitor the flight-critical ones. This isn’t rocket science. It just requires actually thinking beyond ‘oh, well clearly we need a REST interface between these two things, and if we use HTTPS it will be SUPER-SECURE and we’ll all be fine!’. Assume your code is always buggy and design accordingly.

  3. I think I will be stockpiling aluminum foil, just in case…

    I already have a hat made from tinfoil, used it as wallpaper, don’t use it for my lasagna (but that’s a completely different story, google “lasagna cell” if you want to know more). For a hobby I made solid polished spheres from it.
    So wrapping my new car in it doesn’t seem strange to me.

  4. The best solution would be separate data buses – one for entertainment and one for actual automotive functionality. The only bridge between the two should be an inherently-one-way-by-hardware-design link that allows the entertainment system to know things like current speed, but DOESN’T allow data to flow from the entertainment system to the one that controls the engine, steering, brakes, accelerator, etc.. Anti-theft remote kill switches aside, there’s no excuse for having a vehicle’s data bus exposed wirelessly.

    If I had a car with the kill switch described, I’d turn the switch off, epoxy it in that position, and break off the actuator. I’m an old fart – I don’t need a connected car. Just give me a GPS, an AM/FM radio with an input jack, and my smartphone – I have no interest in driving just another IOT appliance.

    1. This is the best solution when the ‘smart’ features are mostly entertainment or GPS. It’ll be more difficult to separate these features as manufacturers add features to operate the car remotely like Tesla’s phone app, remote anti-theft systems, self driving car updates, etc.

    2. The famous Jeep hack had a one-way CAN chip that did exactly what you describe. That chip was one-way due to firmware restrictions, so the researchers just reflashed it as part of their attack, making it a two-way chip.

  5. A better idea might be to have the manufacturer to be able to kill internet connectivity remotely when a security vulnerability is found.

    This could be a secured function with 4 modes:
    Mode 0 – Internet open / Normal function – Internet works as normally.
    Mode 1 – Internet restricted to software updates only – All internet functions except for software updates are disabled. Software will be checked each time you start the car, if no signed update is found, internet & bluetooth will disable itself completely a short time after starting the car.
    Mode 2 – No internet & bluetooth at all. Software updates can only be installed physically via a USB stick.
    Mode 3 – No internet and No USB. Software updates can only be installed at dealership for a fee.

    If the mode is set, it can only be disabled (to Mode 0) by installing a software update. This is then a signed function that can be used after a zero day is found, but before a fix is developed. So it requires the manufacturers signature to enable.

    Here is my idea how the modes are meant to be used:

    Mode 0 – Normal function
    Mode 1 – Used when a security vulnerability is found which does NOT affect firmware updating – for example if there is a vulnerability in the entertainment system allowing rogue internet users to for example disable brakes or similar.
    Mode 2 – Used when a security vulnerability is found which WOULD allow an attacker to load an unauthorized firmware via the firmware update function, for example an RCE or buffer overflow in the firmware update subsystem.
    Mode 3 – Used when there is a security vulnerability that also would allow an attacker to load an unauthorized firmware via the USB port, for example by breaking into the car.

    By having these modes, it would allow the manufacturer to gradually shut down the internet in cars, in response to a vulnerability.

    Note that the kill switches on laptops are NOT designed for security. Actually, these killswitches are actually designed to allow you to physically disable the wireless in cases you move into an area where radio communication is prohibited either by law or by local rules.
    Disabling wifi in the operating system would then not disable wifi completely, there would still be communications – like responses to certain broadcast packets and magic packets, that is implemented in hardware, even when the card is disabled in network manager.

    Some motherboards do have an ability to control a “digital” GPIO hardware switch that cuts off wifi physically like a real switch, via the operating system.

    But in some cases it’s not accepted with a “soft-switch” and that’s why many laptop makers still have a hardware switch. The cover on webcams is for privacy, but it’s kinda for paranoid users – there is a light that will turn on when the webcam is in use – if the light is not on, you’re not filmed – PERIOD.

      1. Which will then “fail secure” – since the remote-kill cannot be disabled without installing a new software update. Of course, the function should be simple, secure and cryptographically signed.

        Basically, you can only turn off internet with the remote-function, not turn it on.

    1. Why do you accept to pay a fee in mode 3? The vulnerability is not your fault, it is the fault of the manufacturer. I expect him to pay for a fix.

      But I would not accept a disabled USB port anyway. If somebody breaks into the car, then there is much more damage than software.

      1. The fee is to cover the costs of labour & garage since you would need to book a garage time for the software update. But since software updates are part of normal service intervals, you could live without internet & USB functions until next scheduled service point and then get it for free.

        The reason a USB port would need to be disabled is if there was a serious vulnerability that would, for example, allow somebody to infect your USB with a virus via the internet and then install this virus in the car when you plug the USB into the car for a software update or to listen to music.

        Of course, mode 3 should only be used by the manufacturers when there is a serious flaw, where inserting an infected “human-killer-USB” could mean your brakes stop working at random times.
        Not because an infection would be able to overwrite the navigation system for example.

        In most cases only a mode 1 lock would be needed, since the firmware update function should be in the bootloader, and should be secure and simple. There should not be any fields for firmware lengths or any possibilities of buffer overflows or similar, it should just be the firmware binary, a secure signature, and a very simple signature verification function, that writes firmware to a buffer before flashing it, to avoid race conditions.

        But *IF* there happen to become a fault in the firmware function that would allow bypassing the secure signature function and flash unauthorized firmware, mode 2 or 3 would be required depending on if it affects the USB or not.

        Mode 2 could be for example if there was a fault in some internet packet function that would allow writing arbitrary data that would happen to land where the firmware is stored, and mode 3 would be used in cases where there is an outright bypass in the signature verification function.
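The four-mode lockdown and the "firmware binary plus signature, verified in a buffer" updater proposed in the comment thread above, as an added sketch that is not code from the article, the commenters or any automaker. HMAC-SHA256 with a constructed shared key stands in for the manufacturer's signature; the `Gateway` class, the function names, the channel labels, and the version binding and rollback check are assumptions added here.

```python
import hashlib
import hmac
import struct
from enum import IntEnum


class Mode(IntEnum):
    OPEN = 0          # internet works normally
    UPDATES_ONLY = 1  # network carries software updates only
    USB_ONLY = 2      # no internet or Bluetooth, updates from a USB stick
    DEALER_ONLY = 3   # no internet and no USB, updates at the dealership


# Update channels each mode still accepts (channel labels are assumptions).
ALLOWED_CHANNELS = {
    Mode.OPEN: {"ota", "usb", "dealer"},
    Mode.UPDATES_ONLY: {"ota", "usb", "dealer"},
    Mode.USB_ONLY: {"usb", "dealer"},
    Mode.DEALER_ONLY: {"dealer"},
}

DEMO_KEY = b"constructed-demo-key"  # constructed value, not a real key


def sign(key, label, payload):
    """HMAC stand-in for the manufacturer's signature; label separates message types."""
    return hmac.new(key, label + payload, hashlib.sha256).digest()


def mode_command(key, mode, for_version):
    """Signed lockdown command, bound to one firmware version (added assumption)."""
    payload = struct.pack(">BI", mode, for_version)
    return payload, sign(key, b"MODE", payload)


def update_package(key, version, image):
    """Signed update: fixed 4-byte version, then the raw image, no length field."""
    package = struct.pack(">I", version) + image
    return package, sign(key, b"FWUP", package)


class Gateway:
    """Hypothetical telematics gateway holding the mode and firmware version."""

    def __init__(self, key, version):
        self._key = key
        self.version = version
        self.mode = Mode.OPEN
        self.flashed = None

    def _valid(self, label, payload, tag):
        return hmac.compare_digest(sign(self._key, label, payload), tag)

    def handle_mode_command(self, payload, tag):
        if len(payload) != 5 or not self._valid(b"MODE", payload, tag):
            return "bad-signature"
        requested, for_version = struct.unpack(">BI", payload)
        if for_version != self.version:
            return "stale-command"      # replayed lockdown from an older firmware
        try:
            requested = Mode(requested)
        except ValueError:
            return "unknown-mode"
        if requested <= self.mode:
            return "not-more-restrictive"  # remote commands can only tighten
        self.mode = requested
        return "accepted"

    def install_update(self, channel, read_package, tag):
        if channel not in ALLOWED_CHANNELS[self.mode]:
            return "channel-blocked"
        staged = bytes(read_package())  # read the source once, into a private buffer
        if len(staged) <= 4 or not self._valid(b"FWUP", staged, tag):
            return "bad-signature"
        (version,) = struct.unpack(">I", staged[:4])
        if version <= self.version:
            return "rollback"           # an old signed image must not reopen the car
        self.flashed = staged[4:]       # flash the verified bytes, never re-read
        self.version = version
        self.mode = Mode.OPEN           # only a signed update returns to Mode 0
        return "accepted"


if __name__ == "__main__":
    gw = Gateway(DEMO_KEY, version=7)
    print(gw.handle_mode_command(*mode_command(DEMO_KEY, Mode.USB_ONLY, 7)))
    pkg, tag = update_package(DEMO_KEY, 8, b"patched image")
    print(gw.install_update("ota", lambda: pkg, tag))  # blocked in Mode 2
    print(gw.install_update("usb", lambda: pkg, tag), gw.mode.name)
```

With a real asymmetric signature the vehicle stores only the public key, so pulling the key out of one car does not let anyone sign commands for the fleet.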

  6. The end user needs a physical disconnect, not a sw disconnect (can’t trust them). I can reconnect when at home at MY convenience. I can reduce my hacker attack surface significantly.

    So many phone or pc updates end up causing functional issues or maybe even bricked devices. I don’t want that on my car.

    At some point I would expect someone will propose to make it illegal to disconnect your car from the internet. What happens then…? Maybe I have to add my own firewall device to control traffic that the vendors are not willing to do. Just look at the state of phone/pc security today. They have proven they can’t fix it over and over, why would cars be any different?

    It seems some are drunk on technology and desperate to find ways to sell/use it where not really needed or before it is fully ready.

  7. This is exactly the right idea, and you can do it right now on most connected vehicles, as long as you’re not afraid of popping some trim panels. You’ll need a bunch of Fakra-to-SMA cables and SMA terminators. (I’ve never seen natively-Fakra terminators for sale.) If the telematics module has a SIM card, pop that out too.

    The question is how much functionality you lose when you do this. Will an EV still charge if it doesn’t know whose EVSE it’s plugged into? Will the sat-nav still function if it can see satellites but not pull maps from an offboard service? Do you have a hard-key backup for when your phone-as-a-key function doesn’t work?

    1. Will your insurance cover your vehicle if they figure out you’ve disabled all the tracking spying features?

      You can drive without GPS, but driving without insurance can land you in jail.

  8. Sounds like “putting your car into airplane mode”. While this terminology might provide a shortcut to consumer education, I would be repeatedly disappointed when wings do not sprout from my vehicle when activated.

  9. With a separate connection for entertainment/navigation and one for ‘maintenance’ and a requirement for the ‘maintenance’-connectivity that the vehicle is stationary and operations are manually confirmed, most dangers should be avoidable. *Ahem* – provided the two systems are not connected.

  10. If the “smart” car works just as fine as my “smart” television, then it sits idle most of the day but as soon as I want to use it, it starts to download an “important” update.

    1. My smart television is a dumb piece of old hardware connected to a linux box of my own making. Beats the hell out of any smart TV on the market. Cheaper too, no idea why I’m the only one I know who does it. It’s not even that hard.

      My car is the same way. It’s good to have the ability to rip all that garbage out. Bit of a hassle when state inspection comes around, but you can keep the old computer in there crippled and blinded with spoofed signals fed into it so it thinks all’s well and still presents its OBDII port to inspectors. But it has no say in the daily workings of the machine anymore.

  11. Or… just design things in a more sane way to begin with!

    How about some separation between features? There can be an “entertainment” computer w/ internet access that handles things like navigation, streaming music, etc… This should be an entirely SEPARATE system from the important automotive functions.

    Except.. you might want to mix status information into your “entertainment” display. No problem! That can be handled with a ONE WAY serial connection from the automotive computer to the entertainment computer.

    Yes, I too dream of driving along, car optimized for fuel efficiency, getting in the mood for some power and telling my car computer to switch profiles to one optimized for that. Manufacturers are never going to implement anything like that, it will only ever exist as a hack we do ourselves so yes, 1-way is just fine.

    But.. what about updates? I never received any updates for the software running my old pre-connectivity cars! Do we have to have that at all? Well, if you really need it then here you go…

    There can be a second serial line going the opposite way, from the entertainment computer to the automotive computer. But… there is a catch. It goes through a relay which is hard-wired to the ignition. Updates simply cannot occur when the car is turned on. They may be cached in the entertainment computer for later, that is all.

    And of course.. any updates must be encrypted and checksummed. Otherwise anyone who hacks the entertainment computer could still perform a delayed hack on the automotive one by either modifying or outright faking an update.

    Would that make it 100% impossible to hack? Probably not. But I think it might at least make it difficult enough to require state-level resources to do so. That’s good enough, if the government wants me dead a better car computer will not save me. I’d rather they run me into a tree than spike my food with polonium anyway.

  12. I still hold the belief that entertainment and vehicle critical systems need to be separate. Heck, I am against drive by wire. I could tell the brake line in my truck was going bad because the steering wheel had a tug to the side when the brake was pressed. You lose that extra sense if you go to a vehicle that is designed to be turned using the tip of a single finger even on a road in bad condition.

    I installed an aftermarket marine sound system in my truck and hid the head unit in the ash tray. Turn the keys and I get to listen to Pandora or Spotify off my phone, but flip the ash tray closed and you won’t know it isn’t just an old 92 GMC with a cap and rotor for the spark plugs and an AM radio in the dash. (former company truck. previous owners didn’t want to shell out for FM)

  13. The only problem with this solution is that it does nothing for malicious code that is already running. A smart attacker will just replace the entertainment center’s firmware with one that can mess with the driver autonomously. Unplugging the network isn’t helpful after the virus has installed itself.

  14. It would be interesting to get the opinion of engineers who design automotive systems to comment. It seems to me that there is a lot of domain specific knowledge that comes into play here.

    1. I wonder if, like the Windows start button, each feature has a committee working on it. Things that used to be engineered by a few people with a brain, common sense, and a slide rule, are now huge group projects – probably with marketing and the legal department at the wheel….

    2. Guarantee you the engineers are all frustrated and defeated because the accountants and marketing hacks are the ones who are in charge of every decision. I’m sure they’re capable of building an adequate system—if only they were allowed to do things the right way with a proper budget.

  15. If you don’t like being connected but still use Pander or Spot-eye to interface you and “your” music to IT (it), you are missing part of the point. If you listen to the same song more than a few times get it in good form instead of streaming its watery cousin. No entity will know when you listen to whatever at all. With terabytes of storage on a car, streaming or any connectivity is not needed. A good car radio or Nat WX radio is all you need. Not interacting with anything but traffic is what’s needed on the road.

  16. I don’t believe a car should be connected to the internet at all.
    My Lady and I were hit by another vehicle and our 2006 car had to go into the shop.
    We rented a 2018 Buick Regal. This thing had GPS, backup camera, collision alert, and more
    dings, dongs, and warnings than I’d ever seen. We made a left turn and the anti-theft system
    alerted. We were backing into the driveway and the collision avoidance system alerted even
    though we were 20 feet from the garbage cans. Seriously, do we really need all this felgercarb?
    How about just a normal radio (maybe with CD player), a normal dash with speedometer etc.
    We spent more time trying to figure out what the car was trying to tell us. We had it for 6 days
    and not only was it a PITA to get in and out of, it didn’t even have a key to start the thing.
    Needless to say, we drove it as little as possible. I can understand the normal alerts like a door
    being open or your seatbelt not being secured, but we had groceries in the back seat of this
    thing because we couldn’t figure out how to open the trunk. There wasn’t a handle, and the
    thing they said we had to have on our person to start the car wasn’t much help.
    Because there was weight in the back seat the thing reminded us to check the back seat.
    What’s next? A reminder to wipe when I go? We were very glad to turn this thing in.
    I refer to it as a thing, because even though it resembled a car, it did things in my humble opinion
    a car shouldn’t do. I’d like to know what geniuses come up with these crazy ideas.
    Don’t get me started on the gas cap. This thing had none, just some port to stick the gas hose in.
    We got our 2006 car back. No dings except the seat belt. No cameras, GPS, dings, dongs, whistles,
    warnings or other felgercarb. And, a good old fashioned key to start it and a handle for the trunk.
    Ah simplicity. Keep up the maintenance, fill it with gas, make sure all the fluids are good and a car
    will go for a long time. Internet in a car….bah. Next you’ll see the internet needed in order to wipe
    when you go. If we ever have to rent a car again, and I hope we never do, it will be an older model.
    One designed in an era where a car is a simple machine.

    1. Recently I was giving driving lessons to a friend and her new Golf beeped and brought up all sorts of nonsense on the dash that often it nearly drove me mad.

      It was information overload.

    2. I think it was no problem with the car actually. The problem was the person behind the wheel. Seriously… You couldn’t figure out how to open the trunk – which usually is a button with a picture of a car with its trunk open.

      A quick internet search showed that the trunk release button is located here:

      And if you look at the picture, it should be evident that it’s the trunk release button….

      And how could a car be a PITA to get in and out from?

      And what’s wrong with a “capless gas port” (basically a hose port with an automatic cap door?)

  17. A switch that disconnects the drive train from the internet connected systems or at least kills the cellular modem should be a requirement for all manufacturers.
    We’re not at the point of someone making a zombie army of killer cars yet but government entities and crime syndicates may already be hacking cars as a means to assassinate people.

  18. I’m extremely surprised no one has linked to this yet.

    First things first:
    I like simple vehicles, less to break and I add only what I want. I usually like Lewin’s articles, but the diesel one got a lot of stuff wrong,
    1. CO2 is lower (vs gas) on a diesel and
    2. as long as diesel is:
    2a. a more dense energy source
    2b. safe to transport in bulk
    2c. safe for emergency personnel to extract people from those vehicles (some fire departments won’t extract from electric vehicles),
    then diesel will be around.

    I’m yanking the gas/petrol engine out of my vehicle with 271k miles and dropping a diesel in, the 1980’s era diesel (non-General motors) will get nearly twice the fuel economy, and the drivetrain will be all mechanical including the transmission.
    Diesel’s days may be numbered, but that number is easily a multiple of 10,000 days.

    As for the internet kill switch, I have bluetooth in the above vehicle and also gps, the only other signals in the vehicle will be from my cell phone, as the vehicle is over 20 years old, and one of the most capable vehicles on the planet, no need to trade it in.

    I’ve strongly considered a Transit full size van but they too likely have the same issue the Transit Connect vehicles have as shown on the video I linked to. No reason to expose myself or my family to that. My wife and I both love our 18 and 20+ year old vehicles and I can still teach my kids how to work on them.

    I like the idea of a kill switch, but the idea of an older vehicle is much more attractive to me for so many reasons.

  20. One disturbing trend is auto makers are looking for ways to co-locate multiple systems on one SoC using hypervision. Eg. Placing the display cluster controller with infotainment; the former is a safety critical system. What happens when navigation+media+image processing causes the SoC to heat up and the other side to thermally throttle? There are a lot of bad ideas in automotive.

    I recently interviewed at a large automotive supplier’s vehicle security division. Their idea for prevention of these sorts of attacks was to design a supervisor that would sit on every vehicle bus and look for inconsistent access patterns. They completely missed the point of what happens when their device gets compromised… #foreheadslap

  21. I recently replaced the battery on my Chevy Silverado. It quit the day after getting back from a long trip. On less sophisticated vehicles, that is, every other car or van I have ever owned, you generally have some warning as a battery fails. It gets harder to start, etc. On this truck, it just quit completely, seemingly with no warning. In hindsight, there were some small warnings, like the “anti-theft” system giving more error warnings than usual- it gives them often enough (such as any time you start the truck with the key and not the remote start fob) that you learn to ignore them. After researching some, it turns out these trucks have a very sophisticated energy management system, and start turning off “non-critical” stuff to save the battery. Apparently the bright bulbs that program this stuff are clever enough to do that part, but not smart enough to maybe warn you that the vehicle is shutting things down to save power, and maybe there is a problem you should know about. Maybe if I was using the OnStar it would send a warning to the DEALERSHIP, but since I don’t care to pay a subscription for stuff my phone does for free, like navigation, the car does not bother to display anything on the expensive touch screen sitting on the dash right in front of the driver. Likely had I looked closely at the analog style battery gauge I might have noticed an issue, but WTH everything else is so automated why would you need to look at a gauge every day to see if the battery is OK?? Goofy!! OnStar is integrated into everything on Chevy and GM trucks, and it may be handy in an emergency, but seems mainly a way to charge you a subscription for your car. If it was 50 bucks a year, maybe, but 40 a month or more is rubbish.

  22. Internet kill switch – YES.
    Turn off all radio broadcasts by the car – YES.

    People with implantable medical devices have to be careful about being around other radio broadcasty things. (e.g. can’t lean over a running engine).
    Also need to be careful around strong magnets.

    Implantable medical devices are becoming more common
    (not just pacemakers, but defibrillators, insulin thingies, various other devices.)

    I don’t want to have to remember where the broadcast items are in a car,
    (so I can avoid getting too close to them)
    I want to just turn them all off so I don’t have to think about it.

    In addition to hearts, pancreas, etc., memory is another thing which often decays in older folks – so having to remember which areas to stay away from is also a problem.

    Most of the cars I have owned have been 20+ years old.
    Will manufacturers still be doing security updates, etc. for 20+ year old vehicles?
    I wouldn’t bet on it. Need to be able to turn off internet connection both
    to protect the passengers/car/cars around, and to protect the surrounding radio spectrum.
    (Even if nobody listens to the signals from a 20+ year old car, it
    is still radio noise which might interfere with other systems.)

    You need a radio kill switch:
    For blasting zones.
    The radio quiet zone. (Or other places near radio telescopes, etc.)
    Driving to another country, where the radio connection your car uses
    may not be acceptable.
    If you have been victim of domestic violence/stalker.
    If you are a celebrity.
    If you are a law enforcement officer/judge/etc.
    If you work at Planned Parenthood.

    Of course the internet connected car is a great surveillance/tracking mechanism.
    (Nobody has to put a tail on your car – it comes pre-installed.)
    (Not just for law enforcement/government, but also for anybody else who
    wants to know – where police cars are, or where the cars of government officials,
    or where cars belonging to whoever you don’t like (be it ex, one of “them”, etc.))

    1. That’s why all cars at some point will be internet connected.
      In the UK we pay a lot of tax on fuel.
      If we move to electric how is that going to take place?

      One theory is that it will be done by smart meters that talk to the device using the power and charge accordingly.
      Another is that we will end up paying per mile use of the roads which means always being connected.

      Over in NZ I believe for diesel vehicles they pay their tax based on mileage travelled. For petrol it’s done at the pump.
      For diesel they pay every time the car is inspected, that’s every 6 months IIRC.
      A simple system of checking the odometer.

      Yes, you can adjust the mileage and I’m sure it happens. Just like someone will figure out a way around an internet connected system.
      But it’s far far far more simple with less costly infrastructure just to read the odometer.

      Why EVERYTHING must be connected to the internet?
      For most “internet solutions” there is likely an easier way which doesn’t involve it.

      I do consider myself a technology luddite
      I know more than the average joe and I want us to go back to the 90’s as the current path is quite horrible

      1. “I do consider myself a technology luddite
        I know more than the average joe and I want us to go back to the 90’s as the current path is quite horrible”

        Yeah, I agree.
        A couple months ago I got a “new” (used) smartphone. I’ve resisted giving Google permission to access my Contacts, Calendar, Location, and SMS. It is inconvenient, and Gag-all probably has most/all of that info anyway, but I’m not willing to give them any more.

  23. Industry and the government are moving us to a Total Information Awareness society. The theory is that they will know everything about us 24/7/365. It snuck up on us and it’s too late to go back.
    Btw I drive a 1976 International Scout. If I stick my cell phone in the metal glove compartment I become invisible. Till I hit a traffic cam.

  24. OnStar is easy to disable once you physically get to the box. It’s usually up in an awkward spot behind the glove box. At least back in 2014, all you had to do was open it up, unplug the modem from the main board, reassemble and reinstall. This way it’s still in the canbus loop as designed but can’t communicate with the outside world.

  25. picture a reboot of the movie “runaway” where autonomous cars are remotely hacked and the occupants held for ransom…I’d watch that.

    “give us 200 bitcoin or your daughter hits that 35MPH curve up ahead at 120! 15…14…13…12….”

  26. Ugh all this car ‘security’ has no purpose whatsoever and as we see only makes it more insecure in practice. Like I’m sure somebody in this thread will chime in about an experience of having their car stolen or taken for a joy ride, but that is so vanishingly rare these days. We’re still building security for problems we had in the seventies and eighties. Those problems are gone.

    Know what my hack is for my vehicles? I take out the ignition security measures and install a switch. Just a switch that gives power to the ignition system. And a button for the starter motor. Not a button that checks for the presence of an RFID tag—just a button. No key, no security, never lock my doors. I live in a fairly major city. Been driving around like that for about a decade. Nothing has happened. On my motorbike it’s extremely obvious that there is no ignition security. The whole thing only has a couple buttons and a big toggle switch, no keyhole. If I’m feeling paranoid for some reason, I’ll pull the main fuse and stick it in my wallet.

    There will never be enough security. Or to be more precise, enough security optics. It doesn’t even really matter if it’s real security or an easily exploitable joke, because there’s really nobody out there who is going to take advantage of either at a statistically significant rate. The more technology we get, the more security, the more surveillance, and the more networking exploits we’ll build into everything. It’s totally unmoored from how dangerous the world is i.e. not at all. People counterintuitively get more paranoid the safer they are. It’s a great self-reinforcing market for security trash. Don’t even get me started about Ring.

    Every new vehicle I get I’m going to be ripping out the ignition computer and putting in simpler ignition control that can be activated just by pulling one pin high. Or by simply connecting 12v to the power bus, even better. And I’m ripping out every dumbass frustrating touchscreen entertainment system that’s basically an ipad glued to your dashboard that nobody should ever use while driving and I’m replacing it with something with knobs and tactile buttons. Probably still a computer; I can put rotary encoders and a keyboard on a raspberry pi. I fucking hate car computers, not because I don’t like computers in general—because they’re designed by morons who are cargo culting that utter hack Jony Ive or something. That asshole has done more damage to computer hardware design than any other single human, although he has plenty of competition on the software side. Computers in cars need to be operable without sight, that’s so damn obvious. Voice control is a partial solution, but it needs a physical backup.

    And having the entertainment system in contact with functionally critical systems is madness, as many others have already mentioned. Just so fucking lazy. Auto manufacturers don’t give a damn about you and will cut costs until the recalls and lawsuits get more expensive than just building the machine slightly better. They will never design an adequate system after they’ve worked out this accounting calculus, and all new car companies will get there eventually. Just how capitalism works, sorry—you get shoddy consumer trash with no other practical option.

    1. How do you get around all the systems being tied together? If you replace the ignition switch with an actual switch, the engine computer does not talk to the darn key and ignition, on many vehicles, and will not start. I had to replace a worn out ignition switch on a 1999!!! Honda Odyssey van, and aside from the cost of the new ignition “module” the engine computer needed to be programmed to talk to the new key/ignition and of course to just hook up to it and reprogram the engine computer the shop charges around $100 for the 5 minutes of “work” to reprogram it. grrrrrr. I think you are on to something- if we could find out how much all of this “theft prevention” rubbish costs, including the wasted time and annoyance, I bet it is WAY more than what is lost in stolen vehicles. I suppose you could start with the switch, then build your own engine computer ….

  27. Install killswitches and jammers from every side of the car, and most probably get hacked anyway…
    Or… just start developing your applications on Carrier

    A solution in which hacking is impossible by design, because here applications are not designed to communicate on their own.
    They can only make use of the API of the Carrier, an autonomous p2p communication layer that sends 100% of network packets.

    Thanks to this, for example, it is possible for the authentication step to take place before the step of connection ;)

  28. Internet kill switch would disable only one (although a big one) attack vector. How about other stuff..?

    By sending bogus TPMS signals (which are wireless and easy to reverse engineer) one can do all kinds of evil stuff, from annoying the driver with warnings to crippling the car, depending on the manufacturer implementation.
    Also, I believe that someone with enough knowledge could use repeater jamming against the vehicle’s collision avoidance radar and make it instantly stop wherever they want.

    And let’s face it, car makers have proven numerous times that they don’t care much about security of their systems. Alas.. I still prefer driving the modern car to driving some old junk with cassette player and no airbags :•)

  29. Internet control to a car? Are you all fucking nuts? Really? It would be a mayhem and it will be like a month or three to stabilize speed across the system and I mean system as a city, of 5 million hbs
