A

From Recorded Future News and prx, this is Click here. If you've bought a car in the last few years, chances are it has a touchscreen. Your touchscreen works much like a smartphone. State of charge and current speed show at the top, as does the detected speed limit of the road you're on. Almost every new car has one. And it's not just screens anymore. Cars have added all sorts of other features.

B

I don't know how necessary these are, but if you're into massages, the massage is really, really good. I really, really, really enjoy this massage. Now to the infotainment. It's got Apple CarPlay, Android, Auto.

A

We forget how quickly our cars have evolved. Not long ago, navigation meant a clunky GPS device that you bought and then stuck on the dashbo suction cup.

B

Now we flipped a little antenna up and I pushed this button. Originally, these cost hundreds of thousands of dollars. And like all technology, it's gotten so cheap that now anybody can have one for 500 or $1,000.

A

That was in 2002. Today, the map comes built into the dashboard because we expect our vehicles to be smarter than they used to be, to update themselves, to download apps, even learn our habits. And sometimes that makes them vulnerable.

B

People, you know, they want new features. They want the sexy new biometric car thing where as soon as it sees my face, it knows how I like the temperature, it knows how tall I am. So it'll automatically adjust, but you know, it's kind of a trade off. This is a never ending battle between, you know, convenience and cool features versus cybersecurity.

A

From Recorded Future news and prx, this is Click Here's Mic Drop. A longer listen to one of our favorite interviews of the week. I'm Dena Temple Rastan. On Tuesday, we brought you the story of a Volvo software update gone wrong and the digital risks we sign up for when cars become computers on wheels. Today we continue that conversation with Kamel Ghali, a white hat car hacker in Japan whose origin story actually starts here in the US With a simple slice of pizza. Stay with us. Support for Click here comes from CleanMyMac. If you're like me, your cloud drives are packed with files you don't actually need. Sync duplicates, old backups, random junk, just gobbling up storage. CleanMyMac takes care of that with a new cloud cleanup feature. It connects to Your accounts on iCloud OneDrive and GOOG Google Drive and scans to find large space wasters both in cloud storage and on your device. And while my Mac health is apparently excellent. CleanMyMac found 8 gigabytes of junk on my computer and tons of duplicate downloads. And it removed a bunch of leftover applications I never use. Who knew? And this happens locally on my Mac so my data stays safe. CleanMyMac has a whole suite of other features too, including their moonlight anti malware engine. With just a click, the anti malware tool scans and removes viruses, ensuring your Mac remains threat free. Not everything deserves eternal storage, so why pay for it? Get tidy today with CleanMyMac. Try it free for seven days and use the promo code. Click to save an additional 20% on your purchase@cleanmymac.com this show is supported by Odoo. When you buy business software from lots of vendors, the costs add up and it gets complicated and confusing. Odoo solves this. It's a single company that sells a suite of enterprise apps that handles everything from accounting to inventory to sales. Odoo is all connected on a single platform in a simple and affordable way. You can save money without missing out on the features you need. Check out odoo@o d o o dot com. That's o d o o dot com. I'm Dena Templewost and this is Click. Here's Mic Drop. Kamil Ghali was always a tech kid, the one taking things apart just to see how they worked. And growing up outside of Detroit, he never imagined he'd be hacking cars for a living. Back then, he wanted to be a.

B

Doctor, go to medical school, and then work in robotic prosthetics. This was my original career plan. At the ripe age of 19 years.

A

Old in 2017, he was a junior at the University of Michigan in Dearborn studying computer engineering. And then came this day that changed everything.

B

We had a new dean of the computer and electrical engineering department, and he was holding a short get together for the students to talk about his plans on how he plans to change the curriculum, things about accreditation, you know, all this stuff. Kind of boring, not gonna lie, but they're giving away free pizza.

A

Free pizza. That's how these things start.

B

So I go and, you know, I'm sitting there enjoying some cheese pizza in the front row and guys talking about how, you know, graduates from our school, you know, they go on to work in all sorts of places in the world. Like, we have some graduates.

A

During the Q and A, a student behind him mentioned an internship in Japan. So Kamel wiped his hands, turned around and asked, what internship?

B

And he tells me, like, yeah, I'm working for a startup. We're specializing in cybersecurity for the automotive industry. We're working on making technology that helps prevent cars from being hacked. And my brain just kind of, like, exploded. I was like, what do you mean, hacking cars? That doesn't make any sense. And I thought about it. I was like, oh, my God. Self driving cars. That's a thing that people are talking about. Oh, my God. And it just kind of clicked. I was like, wait, that's horrifying. I was like, oh, my goodness. What happens if the computer controlling the car gets hacked?

A

He went home and fell down a rabbit hole. Stories about white hat hackers who'd taken control of a Jeep, cranking up the radio, blasting the ac, even putting a picture of themselves on the dashboard screen.

B

And it just kind of like, blew my mind. I was totally out of my depth, but I basically begged this company to give me an internship, and they did. I had decided, yeah, med school is not happening. This is what I want to do. I suspect the kid who got me that job was also there for free pizza.

A

He moved to Japan in 2020, and he's been there ever since.

B

And now, as far as my day job goes, I'm the chief operating officer of Kage Corporation and the director of automotive cyber security at Akatsuki, another new nonprofit organization that we started here in Japan, not only for automotive security, but for cybersecurity awareness and education in general, and helping to support the, you know, need for hackers in society.

A

And that need is real and growing.

B

So the bad news is there's, you know, very many different, what we call damage scenarios that you can actually put into effect, you know, as an attacker, like eavesdropping or taking pictures of someone's home and. Or stealing their contacts from the head unit. So those things are theoretically possible, right? Anybody who tells you that any system is perfectly secure and will never, ever be hacked, this person is lying. People discover vulnerabilities in software and libraries and systems, you know, every day.

A

But there's some good news, too. The field of automotive cybersecurity is no longer niche. Car companies are hiring white hats like Kamel to find bugs before criminals do.

B

There really has not been a lot of, you know, automotive cybercrime. The reason for that is that when you think about, like, the absolute worst case scenario, God forbid, someone hacks a car or multiple cars and causes them to crash into a building, commits an act of terrorism or an assassination, God forbid. These are, like, theoretically very real possibilities.

A

Though for now, the most terrifying scenarios, things like mass hacks and swarm attacks, still belong to Hollywood. Like the iconic scene in Leave the world behind. That 2023 apocalyptic thriller about a mysterious cyber attack that cripples modern society. In the movie, Tesla's head gone rogue.

B

See anyone?

A

There's nobody here.

B

Hey, someone's coming. Clegg, in the car. What are you doing? Shouldn't we flag them down? Maybe they know something.

A

No one in that car.

B

Practically very difficult, but still theoretical.

A

These days the motivation is still something a little more basic from the perspective of a criminal.

B

People want to make money.

A

So the hack so far are mostly.

B

Related to vehicle theft because it's the easiest way to turn that exploit into some money.

A

But even those thefts can be shockingly low tech. Like the so called Kia boys phenomenon. A TikTok trend that morphed into a crime wave.

B

Watch this shit. Ready? Fire in the hole. No problem. No security light, nothing crazy, right? A certain range of model years of vehicles produced by Ikea were just overly easy to steal.

A

Break a window, climb in, then plug a USB drive into the steering column.

B

Now here's the thing. The data on the USB drive doesn't matter. You know, you hear about it, you're like, oh my God, what kind of exploit? They got some malware on the. No, no, no, no, no, no, no. It's literally just the shape of the USB port is the right shape to fit in the hole.

A

Which sounds crazy, I know, but it turns out those cars were missing immobilizers. The system that checks if your key fob is inside.

B

It's like when you buy like the ADT side and you stick it in your yard. You don't actually pay for ADT or whatever the security company is. It's kind of the same thing. Okay, well, everyone assumes there's an immobilizer. We can save money by not actually putting in an immobilizer.

A

Kia eventually offered steering wheel locks and free software updates. Then there was the headlight hack.

B

A group of thieves actually realized that, hey, we can approach this vehicle from the outside, actually physically unplug the headlight. Take a piece of hardware that we disguise as Bluetooth speakers. They'll just unplug the headlamp, plug this in instead of. And you're off to the races.

A

In some cars, the headlight was on the same network as the key fob. So if you plug into the wiring behind the headlights, you could essentially impersonate the smart key and start the car.

B

This left headlight is on the same network as the smart key device. So that's exactly why this attack was possible. These kinds of principles that have been commonplace in information security in the IT industry for years now just didn't really occur when designing this vehicle's in vehicle network environment.

A

The center for Auto Safety says the US Needs tougher laws around vehicle software design and testing, especially rules to keep signals from crossing. Kamel agrees, because an industry can't really police itself, though he says carmakers are learning fast. That's when we come back. Stay with us.

B

Foreign.

A

Support for Click here comes from GiveWell when it comes to issues of health and poverty around the world, there's so much going on, it's hard to know how to help. For starters, how do you find organizations that are truly making a difference? That's where GiveWell comes in. GiveWell is an independent resource doing rigorous and transparent research. They figure out which charities do the most good for every dollar donated, and they only recommend programs with the biggest impact on saving lives. Over 150,000 donors have already trusted them to direct over $2.5 billion to great causes around the world. So check out GiveWell next time you're giving to charity. If this is your first gift through GiveWell, you can have your donation matched up to $100 before the end of the year or as long as the matching funds last. To claim your match, go to givewell.org and pick podcast and enter Click here at checkout. Make sure they know you heard about GiveWell from click here to get your donation matched again. That's givewell.org code click here to donate or find out more.

B

You should tell the people who we are and what our new show is. I'm Robert Smith, this is Jacob Goldstein, and we used to host a show called Planet Money. And now we're back making this new podcast about the best ideas and people and businesses in history and some of the worst people, horrible ideas, and destructive companies in the history of business. We struggled to come up with a name. Decided to call it business History. You know why?

A

Why?

B

Because it's a show about the history of business. Available everywhere you get your podcasts.

A

Car software rules vary by country. In the US they focus mainly on national security and supply chains. Just this year, the Commerce Department finalized a new rule. Starting with the model year 2027, automakers must limit their use of car software and hardware from China and Russia, but that still leaves a cybersecurity gap. Japan and Europe require incident response plans and software support for the life of a car, but the United States doesn't. Right now, though, Kamel hopes that'll change.

B

Over the last few years, the automotive industry has come around to cybersecurity testing. You have to be responsible for this vehicle's cybersecurity and updating its software for so on and so forth. And this will be different from country to country based on, like, the laws and the way they implement it. But point is, you know, the industry is taking it very seriously.

A

Consider Rivian, an ambitious premium electric vehicle startup.

B

Rivian cybersecurity operations really includes four different functions. We have our corporate cybersecurity team, our cybersecurity operations center, followed by our detection response team, and also our cybersecurity threat intelligence team.

A

And Kamel says the fact that there's an army of hackers out there shouldn't be alarming. He says it's actually reassuring because many of them are white hats. Like Duncan Woodbury.

B

I've been in the car hacking industry for a long time. I was first hired when I was in high school at a company called Battelle. On the first and I think, most prolific automotive red team in the history of the automotive sector.

A

Duncan and Kamel now work side by side at the car hacking village at defcon.

B

Welcome to DEF con. Hello, DEF con.

A

Teaching engineers, hobbyists, and even law enforcement how to spot digital weak points before criminals do. And they've been joined by others, like Ben Gardner, who brings the same vigilance to the trucking world.

B

So trucking is a big space. There's a whole lot of things moved across North America by truck. The cybersecurity program was started at the NMFDA roughly seven years ago, just a little over.

A

It's easy to think of hackers as the problem, but these white hats, the ones working behind the scenes, see themselves a little differently. They see themselves as a kind of immune system, testing the defense so the body stays healthy. And they're doing it one line of code, one vulnerability, and one car at a time. The work can feel endless because as cars get smarter, the risks pile up. That's the trade off of the modern road. The industry has learned a lot since that GPAC a decade ago. And while no system is ever perfectly safe, there are more people watching and testing and building defenses than ever before. And for Kamel, who has now spent years inside that digital trench, he thinks the future of the car should look a little less like the next big upgrade and maybe a little more about getting back to something, well, simpler for me.

B

If you ask me, my sweet spot would be like 20, 15, 16. Like, I've got Bluetooth, I've got good audio quality you know, I can unlock my car with the key fob. That's like my bare minimum amount of tech. And I won't like really want anything.

A

Too far after that because sometimes the smartest technology is knowing when enough is enough. From Recorded Future News, this has been Click Here's Mic Drop. It was written and produced by Megan Dietrich, Sean Powers, Erica Gaeda, Zach Hirsch, Lucas Riley and me, Dina Templest. It was edited by Karen Duffin. We'll be back on Tuesday with an all new episode of Click Here. Have a great weekend.

B

Looking for more of the cybersecurity and intelligence coverage you get on Click Here? Then check out our sister publication the Record from Recorded Future News. You'll get breaking cyber news from reporters in New York, Washington, London and Kyiv, among others. And you'll see for yourself why it attracts hundreds of thousands of page views every month. Just go to the Record Media.