Peter Rothschild (2:30)

A friend of mine who lives basically on top of a mountain in Carmel, has a beautiful house. Amazing. And everything was fine going up to his house. But coming down the mountainside, which is a one lane road without much of a guardrail, when the trouble started.

Dina Temple-Rastan (2:54)

It was all caught on Peter's dash cam video. At first it looked like a postcard of Northern California. Monterey pines, a wisp of fog, the Pacific Ocean glinting in the distance.

Peter Rothschild (3:06)

This road was cut into this mountain. It's a very windy road.

Dina Temple-Rastan (3:11)

Then suddenly, the picture jolts and the car lurches. It's as if the Volvo had a mind of its own, taking curves at speed. And Peter couldn't stop.

Peter Rothschild (3:22)

This Volvo is extremely heavy car. It's a hybrid car. It's got a battery in it. And I kept trying the brakes and trying the brakes. I was so focused on keeping this car on the road.

Dina Temple-Rastan (3:34)

And what's going through your head?

Peter Rothschild (3:36)

How do I stay alive? I mean, you didn't know what was on the other side of the curve, right? It could have been a school bus filled with kids. And I realized, you know, this car's not going to stop unless I stop it myself.

Dina Temple-Rastan (3:49)

And as Peter struggled to keep the car on the road, time seemed a stretch. And in that strange, suspended moment, his mind flashed back to the dealership.

Peter Rothschild (4:00)

And the other thing I thought, I wish I didn't get that update.

Dina Temple-Rastan (4:04)

And that's where the story turns. Because what happened next says a lot about how quickly the line between car and computer has disappeared. I'm Dena Templerest, and this is Click Here. We tell true stories about the people making and breaking our digital world. We used to think of cars as metal and rubber, pistons, carburetors and crash test dummies. But these days, they're just as much ones and zeros as they are nuts and bolts. And as legacy carmakers race to behave like tech companies, shipping fixes over the air instead of through a mechanic, the stakes have changed. It isn't just about new bells and whistles. It's about code and bugs and sometimes even brake failure.

Peter Rothschild (4:51)

And I still scratch my head. How can a company with a reputation like Volvo come out with a software update that basically could kill you?

Dina Temple-Rastan (5:02)

That's after the break. Stay with us.

Recorded Future News Announcer (5:07)

If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up today's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to TheRecord Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.

Dina Temple-Rastan (5:38)

From Recorded Future News, this is Click here. When you think of software update, you probably picture your phone or your laptop, maybe a spinning progress bar and a restart. You don't usually picture a 2 ton SUV on a steep mountain road, but as car companies rebrand themselves as mobility tech firms, they've adopted a very Silicon Valley move fast, break things and fix later. Only when Your product weighs 5,000 pounds. Carrying humans inside that strategy can have real consequences. Something Peter was viscerally aware of as he barreled down that mountain road, trying frantically to figure out how to stop this car.

Peter Rothschild (6:30)

I was always taught that if you use your emergency brake, you can lock up your tires and spin out and totally lose control of your car. So I didn't want that to happen.

Dina Temple-Rastan (6:39)

Then he had a flash of inspiration.

Peter Rothschild (6:42)

You know, what do big trucks do when they come down a hill and they lose their brakes? Will they go off on the side on these ramps that go uphill? And so I figured, well, let me just make one of those.

Dina Temple-Rastan (6:54)

He swerved hard into the dirt and rocks.

Peter Rothschild (6:57)

The momentum carried it over the rocks and back onto the road, believe it or not. And then it stopped. I looked down the side, the other side of the mountain, and I just go, oh, my God. I couldn't believe I was still alive.

Dina Temple-Rastan (7:16)

According to the dash cam, it only lasted about 20 seconds. But to Peter, it felt like forever. When he got home, he started looking for answers. Why did his brakes just go out? He searched online and discovered he wasn't alone.

Peter Rothschild (7:32)

I'm facing some problems with the software updates.

Dina Temple-Rastan (7:35)

Well, this is a new one here. The camera is just completely not working.

Florian Road (7:38)

Come on, Volvo.

Peter Rothschild (7:40)

It barely slows down when you let off the gas. Why?

Dina Temple-Rastan (7:44)

As far as he could tell, this wasn't a mechanical failure. But it did happen just hours after a software update. Could a simple patch have somehow disabled the brakes?

Peter Rothschild (7:55)

I wanted this to be looked into immediately because it was so incredibly scary what happened to me. I mean, I've never been that scared in my entire life. And I do a lot of driving. So the next day after the accident, I sent the video to Volvo and I sent it to nhtsa.

Dina Temple-Rastan (8:17)

Nhtsa, the National Highway Traffic Safety Administration, opened an investigation. So did Volvo. A few weeks later, the company confirmed what Peter had already suspected. The culprit was software version 3.514, the same update that was supposed to fix his rear view camera. And if you scan through the update notes, one line stands out. The foot brakes should feel less stiff right after starting the car. Apparently, that line of code told the brakes to ease pressure after about 90 seconds of coasting downhill in something Volvo calls B mode. It's a setting that lets the car slow itself by using the electric motor's resistance instead of the regular brakes.

Peter Rothschild (9:02)

It's like, okay, when you tested this software, did you not do that? Did they not drive it down a hill for over 100 seconds? How much was this software before it was released? This bug thick software for a minor issue, even tested the big issue for me is I tested their software for them. I was like a beta tester.

Dina Temple-Rastan (9:23)

We asked Volvo about this and the company told us this was a rare error, that it follows robust testing and verification procedures. We asked if they'd walk us through those procedures step by step, and they declined, calling the process, quote, a key competitive differentiator and proprietary. We did find someone who's been on the inside to help us make sense of it though.

Florian Road (9:48)

I'm a car guy basically, as you would call it. Right.

Kamel Gali (9:51)

Always interested.

Dina Temple-Rastan (9:52)

That's Florian Road. Yep, that's his real last name. He's a German system engineer and he oversaw Tesla's software releases for about five years now. He helps automakers modernize their fleets and he says software is a big part of that. Updating a car using code is a big money saver for automakers. A quiet revolution under the hood.

Florian Road (10:16)

You know, you have hardware products, they age, right, and over time they break. Software doesn't break over time.

Dina Temple-Rastan (10:23)

It's also just a lot easier to send out software updates than require drivers to come into the shop and physically replace parts. But there is a lot happening under the hood nonetheless. This is how Florian explains the process.

Florian Road (10:38)

You have a bring up period and you have a verification and validation period. And then at the very end, you have what is called an acceptance test. And after this is done, you actually have a piece of software that can be sent onto a piece of hardware to perform a certain functionality.

Dina Temple-Rastan (10:55)

So first bring up period, then verification, validation, and then finally acceptance. And during verification and validation, when the code is written, that's when it's tested for bugs, the digital equivalent of crash testing. And it's only after that stage that the code gets sent out to update the car. He says they're usually contained because of how most auto software systems are designed. The safety systems in entertainment systems are supposed to live in separate worlds. What's on your entertainment screen shouldn't be talking to what's on your brake pedal, for good reason. Florian compares it to WI fi at a hospital. There's often a network for guests and one for hospitals equipment. That way if the guest WI fi goes out, the heart monitor doesn't crash too.

Florian Road (11:48)

And if that monitor has a WI FI connection as an example, right, it loses WI fi, but it should not lose the vital monitoring, so that has to be decoupled.

Dina Temple-Rastan (12:00)

That's the idea anyway. But even the best testing can't predict every real world combination. How a human might drive, how a mountain might slope, or how long someone might coast downhill, tapping the brakes Those kinds of corner cases are hard to predict afterwards.

Florian Road (12:19)

You know, hindsight is 20 20. It's very obvious. You look at the numbers and it's like after 1 minute, 48 seconds or whatever it is this and this happens. But you're looking at millions of lines of code. So to find a specific corner case is sometimes not as easy as it sounds.

Dina Temple-Rastan (12:32)

Once a glitch is spotted, a fix is written and alerts are sent out to drivers who then have a couple of options. They could bring it into their dealer who plugs the car into a computer system.

Florian Road (12:43)

The computer pings the controller, let's say your radio, and says, hey, I have new software for you. Go into software update mode.

Dina Temple-Rastan (12:59)

Or drivers can get these updates without doing anything at all. It happens automatically. Each year, automakers push out thousands of updates as OTAs over the air repairs. The same way your phone gets a new iOS update.

Florian Road (13:15)

What you usually do in OTAs, you're running them in so called waves. You don't do the CrowdStrike approach where you do a big bang rollout and everything fails. So you run a smaller group you monitor, then you run the next larger group you monitor.

Dina Temple-Rastan (13:28)

CrowdStrike, it's a cybersecurity company that sent out one bad update and accidentally crashed millions of computers all over the world all at once. It was a cautionary tale. So what happened to Peter's Volvo? Florian doesn't have access to Volvo's software, so he can't say for sure. But he suspects it wasn't just one rogue line of code, but something more fundamental. A design flaw that let one system reach another. It shouldn't have, like that hospital example, but without the siloed WI fi. Volvo, for its part, told us the problem came from one of its suppliers, but didn't say which one. And the company made clear they addressed the issue as soon as they found out about it. According to NHTSA and Volvo, roughly 11,000 cars downloaded the same faulty update. So almost as soon as they realized what happened, Volvo issued a recall. The fix, ironically, was another software update.

Peter Rothschild (14:35)

So basically it was a bug fix to fix a bug fix. That's something you really don't want to hear from a car dealer.

Dina Temple-Rastan (14:43)

Volvo said it had received three reports of related accidents with no injuries and that they'd stopped delivering it to effective vehicles right away. And within a week they'd rolled out a patch. But as of late October, 150 drivers still haven't installed it. Which means under the right conditions, say a long coast downhill of about 90 seconds their brakes could potentially fail too. Unfortunately, in a world in which car companies become tech companies, software glitches like that aren't the only thing to worry about.

Kamel Gali (15:21)

What happens if the computer controlling the car gets hacked? I do some research, and I find out that, hey, two dudes were able to kill the engine on this thing without ever laying a hand on it after the break.

Dina Temple-Rastan (15:34)

What happens when the code that controls your brakes isn't broken? It's breached. Stay with us.

Florian Road (15:44)

Every day, it's getting harder to tell what's real and what's not.

Dina Temple-Rastan (15:47)

Alex reassured me that he was a fully licensed and certified psychologist. But in fact, Alex is not a person. But it is an unfeeling chatbot.

Florian Road (15:59)

I'm Dexter Thomas, and every week on my podcast, Kill Switch, we look at the right now of living in the future. To help you take back control of your life, listen to Kill switch in the iHeartRadio app, Apple Podcasts, or wherever you get your podcast.

Dina Temple-Rastan (16:25)

The fact that your car can now upgrade itself remotely, whether it's to add features or fix bugs, is, in one sense, really comforting. One less trip to the mechanic. But that same connection that makes updates possible is also what makes cars hackable.

Kamel Gali (16:44)

There is a lot of damage that can be done through reverse engineering the software in these vehicles, finding vulnerabilities, and then, you know, developing exploits.

Dina Temple-Rastan (16:54)

Kamel Gali is a professional car hacker, A white hat hacker, that is. He lives in Japan, where he tests cars for flaws before criminals can find them.

Kamel Gali (17:05)

We'll essentially analyze the system and report any vulnerabilities that we find and give the customer recommendations on how they can be remediated.

Dina Temple-Rastan (17:14)

Ever since cars started getting screens, sensors, and gps, cybersecurity researchers have been warning that every new feature adds a new doorway. The wake up call came in 2015. A couple of researchers remotely took control of a Jeep Cherokee and then filmed it.

Peter Rothschild (17:30)

Do it. Kill the engine.

Dina Temple-Rastan (17:32)

So we're killing the engine right now. Guys, I'm stuck on the highway. What are you saying? Oh, I think he's panicking.

Florian Road (17:39)

He's not gonna be able to hear.

Dina Temple-Rastan (17:40)

Us with that radio.

Florian Road (17:41)

It's so loud.

Kamel Gali (17:43)

They were able to kill the engine on this thing without ever laying a hand on it. That was really the turning point in history when they forced the whole world to like, hey, let's pay attention to this. This could have happened to someone.

Dina Temple-Rastan (17:57)

The scariest thing about it is that while hackers took a year looking for vulnerabilities, ultimately it wasn't some complex hack. They'd simply Guess the car's WI fi password. That's all it took to turn someone's Jeep into a remote control car. These days, at the DEFCON hacking conference in Las Vegas, there's an entire car hacking village where researchers can legally try to break into real vehicles to make them safer.

Peter Rothschild (18:27)

We've got a lot of wonderful things going on here.

Dina Temple-Rastan (18:29)

As you can see, we've got a.

Florian Road (18:30)

Rivian vehicle here that you can actually hack into.

Dina Temple-Rastan (18:32)

We also have a semi truck here if you're interested in in learning how to hack a semi truck. Most modern cars contain millions of lines of code. And according to one car hacker we talked to, there's a bug every 30 lines. That's what keeps penetration testers like Kamel busy hunting for worst case scenarios.

Kamel Gali (18:51)

What if all the ambulances or police cars in a city got ransomware and just couldn't drive unless you paid 200 bitcoin?

Dina Temple-Rastan (18:57)

Well, now you have a problem that hasn't happened yet. And Kamel says there's a reason. After that, GPAC automakers began taking security seriously. Today, every update they send carries a cryptographic signature, a kind of digital seal of authenticity. So when your car is told to update, it first verifies, is this an update from the car manufacturer or could this be a hacker?

Kamel Gali (19:23)

That means that you use a private key to actually sign an update, so that if the update is tampered or if there's an error in transmission, that it won't send a faulty version of that update to the target vehicles to make sure that, you know, random people aren't able to modify the Software.

Dina Temple-Rastan (19:41)

In the U.S. nHTSA issued updated cybersecurity best practices for cars. But it was just guidance. It's non binding. In other words, automakers are encouraged but not required to meet specific cybersecurity mandates in the US and the US is a bit of an outlier. Other countries are requiring much more robust changes.

Kamel Gali (20:06)

There are laws now that are saying, hey, automakers, you have to invest time and money into making this happen. In Europe and Japan, for example. In America, not yet, but we might get there someday.

Dina Temple-Rastan (20:18)

Japan's National Institute of Information and Communications Technology helps automakers proactively detect threats. In the European Union, the UN Regulation 155 requires a cybersecurity management system for vehicles and mandates incident notification rules. Under the EU's Cyber Resilience act, manufacturers must tell owners and regulators when a hack happens, essentially 72 hours after they know. Michael Brooks with the center for Auto safety hopes the US catches up.

Florian Road (20:54)

It is completely 100% up to the manufacturers to ensure the cyber security of their vehicles. And right now I would say they're not doing it because security is an added expense for them that, you know potential buyers. Ultimately, that's not something you're looking for in a car.

Dina Temple-Rastan (21:13)

He says there are no federal standards for testing car software, nothing like the crash test certifications we see for seatbelts in aviation. Michael says the feds vet plane designs before they're built, but cars are basically self certified. Manufacturers build them, check a safety box and start selling. So the people who are supposed to be protected, the drivers, end up being the testers. And Michael argues that needs to change.

Florian Road (21:44)

Now that we're entering this new software era, I think there should be a renewed call for that type of thing.

Dina Temple-Rastan (21:50)

To occur in America. And Peter Rothschild, the former Volvo evangelist, couldn't agree more.

Peter Rothschild (21:58)

The Insurance Institute for Highway Safety needs to start evaluating the software of these cars. Software controls the car, and you cannot say this car is safe without evaluating the software.

Dina Temple-Rastan (22:12)

The institute told us many of its tests already involved software around things like auto braking and lane assist. But that combing through millions of lines of code, testing every possible corner case just isn't realistic. Still, Peter's story is a warning. The old measure of safety, the steel cages and crumple zones, no longer tell the whole story. Cars today are computers with wheels. They update themselves while you sleep and sometimes fail while you drive. We spent a century crash testing metal. Maybe the next safety test should be for code. Because when car companies start acting like tech companies, sometimes the bugs aren't just in the system, they're on the road. This is Click Here.

Recorded Future News Announcer (23:11)

Looking for more of the cybersecurity and intelligence coverage you get on Click Here. Then check out our sister publication, the Record from Recorded Future News. You'll get breaking cyber news from reporters in New York, Washington, London, and Kyiv, among others. And you'll see for yourself why it attracts hundreds of thousands of page views every month. Just go to the Record Media.

Dina Temple-Rastan (23:35)

Here are some of the top stories in the world of tech this week. It's Tuesday, November 11th. Meta is under fire again, this time not for what people say on its platforms, but for what they sell. According to newly leaked documents, as much as 10% of Meta's revenue last year, which is roughly $16 billion, came from advertising scams and banned goods.

Kamel Gali (24:00)

I mean, 15 billion exposures to paid scam attempts every day just on Meta's platforms. It's a lot.

Dina Temple-Rastan (24:09)

The lot includes fake investment schemes, counterfeit medicine, even illegal casinos. All appearing as sponsored posts. Meta reportedly bans advertisers only when it's 95% certain that they're scammers. If it's less than certain, it simply charges them more for the privilege of advertising. Reuters reports that Meta executives have discussed cutting down on scam revenue, but they're worried that to do so too quickly will hurt their bottom line. Meanwhile in Europe, a reminder that even the rulemakers of privacy aren't immune to being tracked. Journalists posing as ad tech workers bought access to the location data of hundreds of EU officials. The data sets they bought included nearly 6,000 GPS points tied to more than 700 devices so they could track commutes, favorite restaurants, even home addresses of Parliament staff. All that in spite of the continent's super strict GDPR privacy law, which is supposed to require consent for data collection. It turns out plenty of mobile apps still gather and sell user data without clearly saying so. The European Commission called the findings oring, and yes, they've issued another set of guidelines.

Florian Road (25:30)

The Congressional Budget Office confirmed Thursday that.

Dina Temple-Rastan (25:33)

It was compromised by a hack cybersecurity officials suspect Chinese state backed hackers cracked into the cbo. The breach may have exposed emails between the CBO and congressional offices, the kind of insider policy analysis that foreign intelligence agencies crave. The CBO is where economics forecasts are born and where lawmakers quietly figure out how much their ideas might cost. China, for its part, denies any role in the break in. And finally, the holidays have arrived early. And so has the backlash. Coca Cola released a new AI Generated Christmas ad, a minute long swirl of animated nostalgia that some viewers have called unsettling. Many of the comments on this year's ad on YouTube are pretty negative.

Kamel Gali (26:20)

More than a minute of pure AI suave.

Dina Temple-Rastan (26:24)

Among other things, the ad features Coca Cola trucks rolling through a snowy town and a menagerie of polar bears, squirrels and sloths that look to be the creation of completely different algorithms. According to the Wall Street Journal, the final cut used 70,000 AI generated clips and more than 100 human editors. Coke says this new ad took less time and money than their usual holiday offerings. Viewers say it cost the drink known as the real Thing. Something else. Authenticity.

Zach Hirsch (27:07)

Click Here is a production of recorded Future News and prx. Today's episode was written and produced by Dina Temple Rastan, Megan Dietry, Sean Powers, Erica Gaeda and me, Zach Hirsch. I was the lead producer on this episode. The story was edited by Karen Duffin and fact checked by Darren Ancrum. It contains original music by Ben Levingston with additional music from Blue Dot sessions. Our staff writer is Lucas Riley and our illustrator is Megan Gough. Jesse Niswonger and Jake Cook are our sound designers and engineers. Join us Friday for Click here's Mic Drop When Kamel Galli explores the dark side of connected cars.

Kamel Gali (27:47)

People want new features. They want the sexy new biometric car thing where as soon as it sees my face, it knows how I like my seat, it knows how I like the temperature. But it's a never ending battle between, you know, convenience and cool features versus cybersecurity.

Zach Hirsch (28:04)

That's Friday.

Peter Rothschild (28:05)

We'll see you then.

Recorded Future News Announcer (28:10)

If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up today's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to the Record Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.