August 14, 2025 • 52 mins
Today's automobiles are brimming with technology. Most of the time, that's pretty cool. But it stops being cool when sneaky hackers breach the systems and have a field day. Those are crimes…ridiculous crimes.
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Ridiculous Crime. It's a production of iHeartRadio.
Speaker 2 (00:03):
Zaren Burnette. We meet again, Elizabeth Dunton. How you doing good?
So good to see you.
Speaker 3 (00:10):
Interns told me you're going to be early, and I
was like, well, I'm going to be late.
Speaker 2 (00:15):
You're looking sharp today in your little stress mariner's shirt.
Speaker 3 (00:19):
I'm like a French mariner over here.
Speaker 2 (00:21):
I love it. It's cute. I'm gonna get you a
can of sardine. Make your day quick question. Sure you
know what's ridiculous?
Speaker 3 (00:29):
I do.
Speaker 4 (00:30):
So.
Speaker 3 (00:31):
Hearkening back to when I was telling you about the
Buddhist monks, I mentioned about Stevie Wonder going around at
the Shaolin temple and it's like, oh, he must have
been enjoying listening to the temple. If you ever heard
the theory that Stevie Wonder actually can see, I have right,
there's a lot of celebrities have talked about it.
Speaker 2 (00:45):
Yeah.
Speaker 3 (00:46):
So I have one here that I think is just
absolutely not proof positive.
Speaker 2 (00:49):
But there's some interesting video proof.
Speaker 3 (00:51):
It's interesting. Yeah. So Elton John has this evidence that
Stevie Wonder may be able to see. That I thought
was very convincing because the two of them happened to
be Colorado at the same time, and they, you know,
kind of bumped into each other. That's not the evidence
they were Basically they did a snowmobile tour. But I'll
let out and John tell the story. Quote musicians passing
through Denver or Boulder would drop by to visit. Stevie
(01:13):
Wonder turned up one day and took out a snowmobile,
insisting on driving it himself. Now, to preempt your question, no,
I have no idea how Stevie Wonder successfully piloted a
snowmobile through the rocky mountains of Colorado without killing himself
or indeed anyone else in the process. But he did.
Speaker 2 (01:30):
And it's not like it's a Stevie's house, No, he just.
Speaker 3 (01:33):
Like he doesn't know this track. He is not like, oh,
I've got this worked out. He took. Yeah, he went
out there and drove a snowmobile. Like, I don't think
I could do that that well and not run the
risk of bumping into something apparently flawless Stevie Rascal. So
I'm just saying, is there's an interesting one can.
Speaker 2 (01:51):
Be like you can be like technically blind.
Speaker 3 (01:55):
Right, you know, I guess varying degrees of Yeah, there's.
Speaker 2 (01:58):
Different levels of blind, so it might not be completely
you know.
Speaker 3 (02:02):
Yeah, so much like UFOs and UAPs. I'm keeping an
open mind about Stevie wonder whether or not.
Speaker 2 (02:09):
Wow, there you go, very ridiculous, right, that is ridiculous.
Speaker 3 (02:13):
John always got the.
Speaker 2 (02:14):
Tea, always always. Do you want to know what else
is ridiculous?
Speaker 3 (02:19):
Please?
Speaker 2 (02:19):
Hacking a car? Bro This is Ridiculous Crime, A podcast
(02:44):
about absurd and outrageous capers. Heis and cons It's always
ninety nine percent murder free and one hundred percent ridiculous.
Speaker 3 (02:53):
I know you done heard that.
Speaker 2 (02:54):
I done heard it so many times. Hi, Elizabeth, Hey,
my name is Werner Brandis my voice? Is my passport?
Verify me?
Speaker 3 (03:03):
Excuse me?
Speaker 2 (03:04):
Do you know what that's from?
Speaker 3 (03:05):
No, that's right, Zaren.
Speaker 2 (03:07):
You're correct. It's one of my all time favorite movies. Sneakers.
Oh Hi, my name is Werner Brandis my voice? Is
my passport? Verify me?
Speaker 3 (03:18):
Is it like a security check?
Speaker 2 (03:19):
Yeah? So if you haven't seen have you seen Sneakers?
Speaker 3 (03:22):
Yeah? But way back in the day, watch it again.
Speaker 2 (03:24):
Because I love it so much. Yeah, it's like a
voice cod werner brandeis He's like a He's a tech guy,
uh an executive at this tech company, and so it's
a voice recognition, and so they needed to make a
recording of his voice to sneak in without him the
protagonists in this film, and anyway, they so they record him,
(03:49):
but they get like a honey trap. This woman has
to go and like get him to say these words
so they can piece it together on a blind date.
And so she's like, oh, you know what word, I love?
Passport And he's like, passport. So when it gets played back,
my voice is my passport. Anyway, I love that movie.
It's the story of some former and like side gig
(04:11):
hackers who do what's called penetration testing for tech security
at companies. White hat hackers. They use their powers for good,
although I believe they'd be gray hat hackers in some sense.
Speaker 3 (04:23):
What's the distinction there?
Speaker 2 (04:24):
A gray hat hacker is someone who engages in hacking
activities without permission, but their intentions are not always malicious,
and they may include reporting vulnerabilities you know, that they
find in these targeted organizations or even like to the public.
Speaker 3 (04:39):
So if they break into to the Department of Defense
and then leave a note I found exactly and I
can tell you how I did.
Speaker 2 (04:44):
Precisely, and they can exploit vulnerabilities for like personal gain
or demonstrate a point, you know, either way. In Sneakers,
the team which is led by Robert Redford, they go
up against Redford's old altruist college hacking buddy turned power
hungry tech villain, and there's some great hack in along
the way.
Speaker 3 (05:02):
They hack it up, side it up. Oh, he's so good.
Speaker 2 (05:06):
In that, Yeah, dan Ackroyd, that's right, hacking, hacking, so
much hacking, River Phoenix Hacking. I was thinking about that movie,
as I do sometimes when, and it got me thinking
about white hat hackers, those who used to hack illegally
for profit and or power, and then they go straight
(05:27):
and they help the authorities bust back the Yeah. I
like that idea. One of the most annoying characters on television,
Penelope on Criminal Minds, was a bad hacker. Yeah, and
then she was recruited by the FBI to hack the
world in pursuit of horrible violent criminals. And then they
also needed her to like teeter around the office in
(05:48):
clown costumes, Yeah, spouting out like stale slang while holding
something from the Archie McFee cap her. Oh I can't.
Like she's just running around with a rubber chicken pen
with a feather puff at the end.
Speaker 3 (05:58):
What a rubber chicken?
Speaker 2 (06:00):
Doesn't that sound like something she'd hash.
Speaker 3 (06:02):
That's some real clan behavior.
Speaker 2 (06:03):
Yeah it is. Anyway, I was poking around with the hackers,
basically hacking my way through Google's lousy search model, and
I found something. I caught a case there. I caught
a couple of cases. I think you're gonna like them. Please,
I should warn you that, just like the last time
I told you about hacking.
Speaker 3 (06:20):
Crime, you got hacked.
Speaker 2 (06:23):
No, I'm going to use a lot of technical language.
Much of it is going to go over your pretty
little head. Probably don't be intimidated, like some of us
are just more tech savvy and smarter.
Speaker 3 (06:34):
No, it's very to true.
Speaker 2 (06:35):
So I'm going to use terms like hacking and mainframe
and motherboard.
Speaker 3 (06:41):
Are these terms like DJ's used like a motherboard? I'm
on my motherboard?
Speaker 2 (06:44):
The ones and two, database and network? Have you heard
those before?
Speaker 3 (06:47):
No? None of the all new to me keyboard keyboard?
Oh like oh yeah, like with the with the piano
correct correct USB drive?
Speaker 2 (06:55):
Nope, Like I said, I don't want you to be intimidated.
The truth is that I has but a tenuous grasp
on all of those concepts and the items myself. So
we're on this digital journey together.
Speaker 3 (07:07):
You do know, I have a bunch of friends who
are like hardcore, and then they talk to me about
stuff and I'm like, I use yellow legal pads. I
don't know what you're talking about.
Speaker 2 (07:14):
No, I'm just like, you know, I'm like, why isn't
everything opening? Oh, I'm not connected to the internet. Cars,
I'm not talking about the Pixar movies there and back up,
I was like, you're going to I'm talking about the
things we drive down the street. Cars are full of
(07:35):
micro chips totally. And wasn't that part of the supply
chain issue during the early days of COVID, Remember there
was like the chip shortage for new cars and that's
like the cost of new cars.
Speaker 3 (07:45):
And then cars they have all the screens.
Speaker 2 (07:48):
Now they got like a forty inch television screen smack
in the middle of the dash.
Speaker 3 (07:53):
Video games.
Speaker 2 (07:54):
Yeah, you can't text and drive. That's good, but you
can have a small TV like in your lap drive.
Speaker 3 (08:00):
You're making.
Speaker 2 (08:03):
In some cars that'll remain nameless. It's on those screens.
We have to do stuff like adjust the AC or
like put on the turn signal.
Speaker 3 (08:11):
I've heard about this, Yes, that's the wild one.
Speaker 5 (08:12):
To screen.
Speaker 2 (08:14):
You have to tell the car not to run over kids.
Run over fewer kids, you know, like we don't. We
don't have buttons anymore. I love buttons there, I like.
Speaker 3 (08:24):
I even like knobs.
Speaker 2 (08:26):
The best car I ever owned was in nineteen eighty
nine Ford Bronco. Yes, you're not a chip in sight.
Speaker 3 (08:32):
No, I don't think so.
Speaker 2 (08:33):
You could fix it with like a ball, peen hammer,
a butter knife and some electrical tape. Could It was perfect.
So now now I have this Subaru, right, I love it.
Speaker 3 (08:43):
Yes, I've heard you talk about.
Speaker 2 (08:44):
It has all sorts of not just chips and electronics,
but like online stuff. Oh really, I can lock and
unlock it with an app.
Speaker 3 (08:52):
Do you use any of this? You know?
Speaker 2 (08:54):
If I if I am already gone to bed and
I can't remember if I lock the car. Sometimes I just.
Speaker 3 (08:58):
Check lock it.
Speaker 2 (08:59):
I could start it remotely if I wanted from an app.
You can look on the app and see where it is.
It's like, oh it's in my driveway still, But like
if someone stole it, I can see where it was
and turn off the engine on them.
Speaker 3 (09:11):
That's kind of fine like that, and then did would
they crash the car if you?
Speaker 2 (09:15):
Yeah, Well, what do I care? I'm not in it?
Speaker 3 (09:18):
Curious kind of like a good idea until you realize
what you've readen No.
Speaker 2 (09:22):
I think it just boo powers down, no help, Okay,
I stole the wrong flashing lights come on and let's drive.
Speaker 3 (09:28):
Other drivers know exactly.
Speaker 2 (09:31):
It texts me when there's an.
Speaker 3 (09:32):
Issue, used like a snarky tone.
Speaker 2 (09:35):
I ran out of wiper fluid, and it kept reaching
out to me via text like a democratic fundraiser, totally
to let me know, like, hey, don't forget about me.
Speaker 3 (09:43):
But is it like the duo lingo. It's kind of snarky,
like have you forgotten that?
Speaker 2 (09:46):
It's very sincere and I just text back, wow, needy,
just keep going keyless entry peep peep. There was a
time recently here in Oakland where ladies were getting carjacked,
like up and down this very busy street near me,
and it seems to have calmed down, but it was
happening almost regularly for a while, like summer carjackings. Others
(10:07):
like guys would just run up, break the passenger window
and steal a purse on the seat.
Speaker 3 (10:11):
Us like a spark plug break the window.
Speaker 2 (10:13):
Yeah, and so for the carjacking. That's why I keep
my keys in my pocket when I'm driving instead of
like in my bag or like the cup holder, because
if I have my keys on me and they forced
me out, they aren't going to get very far because
you has to be close to the car to run, Sarah,
and you have to stay on the ball, keep your
head on a swivel. I don't think Subaru foresters are
(10:33):
like the hot Cardiff steal, but you never know.
Speaker 6 (10:38):
So.
Speaker 2 (10:38):
And that's another peril of the keiless entry fob is
that people can buy devices that clone keys to use.
Speaker 3 (10:45):
For stealing the RFD.
Speaker 2 (10:47):
Yeah, they walk by houses at night with a thing
and they can, you know, the hackens and they pick
up a signal from the keyfob and then they can
use that to start the car out.
Speaker 3 (10:56):
They're buddy holding up like a wire and they're like
trying to get I would have thought it was a.
Speaker 2 (11:01):
Total urban legend, but I've seen home like break camera
stuff of it, and it happened not a couple of times,
not too far from me. So you know what I do.
I put my keys in a Faraday box by the door.
Speaker 3 (11:14):
I love it.
Speaker 2 (11:15):
I probably overreacting, but whatever, it's a cute box.
Speaker 3 (11:17):
I'm anyway, Yes, plants on it. You can override a
garden seed box.
Speaker 2 (11:22):
Yes, no, it's very it's tasteful. It's brown and leathery.
There anyway. You can override the key with sentry. Other ways.
One involves a USB stick how so, but not in
the way you think, Zaren, I'm thinking nothing. It's physical hacking.
(11:43):
I'm sure you've heard of the Kia challenge.
Speaker 3 (11:45):
Oh yes, okay, yes, this was a hacking.
Speaker 2 (11:49):
I know, I totally did. It's a viral trend on TikTok.
In twenty twenty two is when it started. So people, okay, teens,
They learned how to steal certain Kia.
Speaker 5 (11:58):
And Hyundai vehicle using only a.
Speaker 2 (12:01):
USB cable and it started as this form of car theft,
but it quickly became a social media challenge, and like
vehicle thefts just surged across the US.
Speaker 3 (12:12):
They just joy ride these cars, they don't write.
Speaker 2 (12:15):
So they targeted Kias and Hyundais made between twenty ten
and twenty twenty one.
Speaker 3 (12:19):
So that's a.
Speaker 2 (12:20):
Pretty broad stretch. That's because they had traditional metal keys
not pushed to start, and the cars also didn't have immobilizers,
so those are like basic anti theft devices that keep
the engine from starting without the correct key. And apparently
the car alarm wouldn't go off if you broke the
back window.
Speaker 3 (12:39):
Oh okay to know.
Speaker 2 (12:43):
Yeah, what all that means is that it was possible
to get into the car without the alarm going off,
remove the steering column cover, use a USB cable or
anything shaped like it to turn the ignition switch, and
then start the car and drive away.
Speaker 3 (12:56):
Oh you didn't have to like drop it down and
pull the wires out.
Speaker 2 (12:58):
Oh no key. No hacking tools required. A group calling
themselves the Kia Boys posted videos anytime you put boys
in it, it's just you just took the wind out
of yourself. You know what I mean?
Speaker 3 (13:12):
Kia Boys.
Speaker 2 (13:14):
Yeah, I guess that is, but like proud Boys, No,
that's scary. They posted videos on TikTok and YouTube showing
how to steal the cars, like tutorials youtubes like keep
it Up Yeah Kia Boys tutorials. Other people copied them.
They turned it into this challenge. Some filmed themselves stealing
the cars and joy writing, and then they posted the
videos online.
Speaker 3 (13:34):
Not only did they take the evidence that they made
it publicly avail.
Speaker 2 (13:37):
Yes, we're talking about like, oh, don't write down your
plans for these guys are like watch it in four.
Speaker 3 (13:41):
Kas and they were in like the shasty mass you
can't really see who they are.
Speaker 2 (13:44):
Probably, so there was this huge spike in the thefts,
like I said, Milwaukee, La, Saint Louis Mania, all of them,
like some of these places that the car thefts increased
by like more than one hundred percent, and like I said,
big with the teens, a lot of the thieves were miners.
Law enforcement and community leaders went into like overdrive trying
(14:06):
to respond to this. My neighbor a couple of doors up,
had her Kia stolen three times, what yeah, three times,
so the cops would recover it in like an industrial
area uptown and she'd get the ignition repaired to how
it was before and then we could stolen again.
Speaker 3 (14:21):
So they weren't really wrecking the car enjoy right now.
Speaker 2 (14:23):
No, They're just scooted it around running and got trashed.
But for the most part they were just like pushing
it to Yeah, so there was a fix that the
dealership could do, but there were so many that the
parts were on back order for ages. Oh wow, So
then she got a club. But then one night some
ding dong broke into the car and tried to break
the club off with a rock. What. Yeah, he wasn't successful,
(14:46):
but he did get away. A cop came told him
to freeze, drew his weapon. Yeah, and the guy hopped
into another car and drove away around the cop.
Speaker 3 (14:56):
What was the cop doing standing there.
Speaker 2 (14:58):
With his weapon on it?
Speaker 3 (14:59):
Like, why didn't pull a weapon fingers?
Speaker 2 (15:01):
I think that the guy realized that the cop was
he's flying solo. He didn't have a partner with them.
The CoP's not going to open fire at two in
the morning with the possibility of hitting the houses behind
her in the air. I don't know. I watched the
whole thing from my front window and it was pretty
That was That's why I was telling you this part.
It was a ridiculous crime. It was one of the
(15:22):
most ridiculous things I've ever seen. And yeah, he just
swerved around and the cop put his hands down and
was just like the physical representation of dejections, Like he
just looked like now, he's got to go tell all
his pals. Yeah, so wow. There were class action lawsuits
filed against Hyundai and Kia. In twenty twenty three, the
(15:46):
carmakers offered free software updates to add anti theft features
like the immobilizer a longer alarm sound. They also gave
out steering wheel locks through police departments, so I guess
you could go to the cops and be like, I
need to club and they eventually settled the lawsuits for
around two hundred million dollars. Still going on though earlier
(16:07):
this year. In February of twenty twenty five, members of
Texas's Laredo Police Department Auto Theft Task Force. They detained
four boys ranging in age from thirteen to fifteen. There
was like the string of thefts. Two Kias and three
Hundays were actually stolen, but there were eleven other cases
where these fools tried to steal the cars and weren't successful.
(16:30):
They didn't watch the video all.
Speaker 3 (16:32):
The way through their junior high kids.
Speaker 2 (16:34):
Most of the cars that they hit were already unlocked,
which like, come on, I don't want a victim blame.
But they had the steering columns broken, the ignition switch broken, off.
All four of these boys were involved in all sixteen
of the cases, both the five successful in the eleven.
So I mean they caught counts like criminal attempt so
that's a misdemeanor, but like engaging in organized criminal activity
(16:57):
that's a felony left the state felonies, so they get
you know, all of these adam Yeah.
Speaker 6 (17:05):
Right.
Speaker 2 (17:05):
Criminal conspiracy cases like this can be found all over
the country, plus Australia and Canada, even the cool places
like that. The Canada ones are interesting because Canadian law
requires immobilizers in all new vehicles sold in Canada since
two thousand and seven, so that means that the ones
that were targeted were imported from the US.
Speaker 3 (17:24):
How did they do I guess they just recognized.
Speaker 2 (17:28):
Listen, let's pause for some ads. Brace yourself for savings.
When we come back, we're going to boost some more rides,
but this time was software, not hardware. Saren. I want
(18:01):
to introduce you to two dudes, two hack attackers, two
gray hat hackers who technically broke the law in an
effort to work for the greater good. So the first
guy is Charles Alfred Miller, Charlie Miller.
Speaker 3 (18:14):
He got a handle a hacker handle, No, Charlie.
Speaker 2 (18:18):
He's an American. He got a bachelor's in mass magna
cum loud from Northeast Misery State just now Truman State University.
Got a PhD in math from Notre Dame. He's basically
and that was in two thousand and he got his PhD.
He was like early on the learned to code train
it seems like it. Yeah, So he started his professional
(18:38):
career at the NSA and he worked as a cryptographer
slash codebreaker there for five years.
Speaker 3 (18:44):
That's got to be fun and challenging.
Speaker 2 (18:45):
I guess, well, sometimes when I do my cryptogram puzzles,
I wonder if the NSA is watching me through the
camera on my iPhone, and then I wonder if they'll
see how good I am at these puzzles. And then
my phone will ring. It'll be them asking me to
join the NSA team to be a hacker.
Speaker 3 (19:00):
We put out the puzzles and we look for some
of the best.
Speaker 2 (19:03):
We'll tell me about insurance and benefits and is the
position remote, and then they'll hang up on me because
they're looking for true patriots who aren't focused on their
own comfort.
Speaker 3 (19:12):
Yeah, that's true.
Speaker 2 (19:13):
I wonder about this sometimes, I.
Speaker 3 (19:14):
Bet you do.
Speaker 2 (19:15):
I do so.
Speaker 3 (19:15):
Do you do these, by the way, on your phone? No?
Speaker 2 (19:19):
I do them on paper. I can't have the government
seeing how good I am at cryptograms.
Speaker 3 (19:24):
They would draft you in automatically.
Speaker 2 (19:26):
I need my privacy. When he was in the NSA,
Miller conducted offensive computer security research. Offensive like on the offense,
not like oh god, gross, yeah, but his specific operations confidential,
of course, from my eyes only. He left the NSA
(19:49):
and then he served as a lead analyst at Independent
Security Evaluators.
Speaker 3 (19:53):
Love those times, those companies and names like that, You're like, okay,
what yeah?
Speaker 2 (19:57):
And then he later he worked for like he worked
for Twitter for while contributing to the information security team.
Speaker 3 (20:03):
Like for like the NSA. Background. Who knows he's like
my former age.
Speaker 2 (20:08):
Listen to this. He's a four time winner of the
pone to Own security competition. It's p wn numeral two.
Speaker 6 (20:18):
O w N.
Speaker 3 (20:19):
Do you know what I had to do?
Speaker 5 (20:21):
You know what I had to do?
Speaker 2 (20:22):
I went on Google. I hacked in to the Google
mainframe and I typed in, how do you pronounce p wn?
I was like, I want to say it right.
Speaker 3 (20:33):
I appreciate your.
Speaker 2 (20:34):
Thorough phone to own. Okay, that's known as hacking super Bowl.
So for that, he hacked a MacBook Air in under
two minutes. In two thousand and eight, he was the
first to remotely exploit an iPhone and that's like break
in hacking style, not like exploit it, like publish pictures
(20:55):
of it that should be published via malicious SMS message
in two thousand and.
Speaker 3 (21:01):
Seven, so he sent a text message to the phone
and then gave him.
Speaker 2 (21:04):
Yeah, he was the first to hack an Android device
on its launch day, and he exped He exploited the
vulnerabilities there via web kit.
Speaker 5 (21:13):
What that is?
Speaker 3 (21:15):
Yeah, I know that they use often things like oh,
we'll use your calendar or like this phone is like
you don't think about right.
Speaker 2 (21:24):
That's and that's basically what he does. So he has
published the iOS Hackers Handbook, the Mac Hackers Handbook, Fuzzing
for Software Security Testing and Quality Assurance. Like basically is there.
This guy's a real pan.
Speaker 3 (21:41):
He wrote the books on these things.
Speaker 2 (21:42):
He literally wrote the books. Foreign Policy described him as
quote one of the most technically proficient hackers on Earth.
Speaker 3 (21:52):
Foreign Policy given him.
Speaker 5 (21:53):
The Star Buddy.
Speaker 2 (21:54):
Okay, so then we have Chris.
Speaker 3 (21:56):
Thallasek Okay, so not like the pile.
Speaker 2 (22:00):
It's Vallisek. That's another one.
Speaker 5 (22:02):
He was born in eighty.
Speaker 2 (22:04):
Two in Pennsylvania. He got a BS in computer science
from University of Pittsburgh coding.
Speaker 3 (22:09):
So another early com era guy.
Speaker 2 (22:11):
Yeah. He built his reputation through research into Microsoft Windows.
Heap exploitation.
Speaker 3 (22:18):
Sure sounds such a simple term.
Speaker 2 (22:20):
And I know you know what I'm talking about Windows.
I got a window in my room. Heap exploitation. Hap.
Speaker 4 (22:31):
There.
Speaker 2 (22:32):
Think of a heap as a chunk of memory your
computer uses to keep track of things a program creates
while it's running. Okay, Like when a program goes like,
hey man, I need more memory to store this new
the heap. The heap gives it space. The heap is
not alive. The heap cannot hurt you. The heap absorbs.
(22:52):
The heap enjoys a good cheese steak. The heap vacations
in Daytona beach. All right. So, heap exploitation is when
a hacker takes advantage of mistakes in how memory is
managed in it. So they do that in order to
corrupt data, crash program take control of a computer. Do
you understand what I just said?
Speaker 3 (23:12):
Some of it, like taking control of a computer.
Speaker 2 (23:14):
Man, Do I understand what I just said? Absolutely not.
Speaker 3 (23:17):
I had a friend who used to you be on
your computer, and he would get on your computer from
his computer like at his house, start moving the cursor around. Yeah.
I was like, I hate this, I hate all of this.
Speaker 2 (23:27):
I guys do that and it's like, what do I
have open right now?
Speaker 3 (23:29):
Exactly? And he was like, oh, I got in through
this exploit. And I'm like, I swear to God, I'm
gonna come over to your house and beat you up.
Speaker 2 (23:34):
They're like, you're really good at spider solitary.
Speaker 3 (23:36):
Can you hack my fists? How about that?
Speaker 2 (23:40):
So Valasek he became an expert in both the exploitation
of heaps and the protection of heaps. And remember, the
heap cannot hurt you.
Speaker 3 (23:49):
You know, I don't want to tear It.
Speaker 2 (23:51):
Can hear your thoughts, and it knows your darkest intentions,
but it cannot hurt you.
Speaker 3 (23:55):
Saren, Okay, I have to trust the heap.
Speaker 2 (23:57):
So this guy, he had a two thousand and nine
Black Hat presentation titled Practical Windows XP two thousand and
three Heap Exploitation, and then he did a paper in
twenty ten on Windows low fragmentation heap, good stuff. I
find myself going back to my well worn copies and
just like reading them over and over.
Speaker 3 (24:16):
There low frag heap. I love that.
Speaker 2 (24:18):
Each time I read them, I discover something new.
Speaker 3 (24:20):
I bet you do, a little, Colonel, you'd overlooked before.
Speaker 6 (24:22):
Huh.
Speaker 2 (24:22):
Basically, Vallisek is like a super hacker.
Speaker 3 (24:25):
He sounds like sound chair right.
Speaker 2 (24:28):
He shared Summer Con.
Speaker 3 (24:30):
Huh.
Speaker 2 (24:30):
This is one of the US's longest running hacker conferences,
and he's been their chairman Emeritis since two thousand and three.
Speaker 3 (24:36):
Do you think they have good music at the Summer Con? Oh?
Speaker 2 (24:38):
You know it like hot jams. They hack into all
the music mainframes and the motherboard, Sarah. When you look
online for videos about him so you can get a
sense of how to pronounce his name, you'll find yourself
waist deep in Ted talks, like this guy is like
sixty percent Ted talk. His body is six and in
(24:59):
all the videos he doesn't introduce himself, I imagine because
someone has already done it before.
Speaker 3 (25:03):
The recording starts.
Speaker 6 (25:04):
Right.
Speaker 2 (25:05):
So I watched a lot of clips of him walking
onto a stage like polite applause and one of those
nude colored mics attached to his face, like lifts up
a clicker to introduce the first slide of a PowerPoint.
Speaker 3 (25:16):
And you're hoping he says his name, and he doesn't.
Speaker 2 (25:18):
Yep, And I'm gonna tell you I noped out of
those so fast. I just can't. I love myself too
much to do that to myself.
Speaker 3 (25:25):
Yeah, don't pone yourself like that.
Speaker 2 (25:26):
I will give George Santos sixty bucks to entertain listeners,
but I won't subject myself to ted talks, especially when
they're not even six minutes, especially when they're about computers.
So Valasek, He's on video a lot. He's a recognized
speaker at all these INFOSEC conferences, Black at USA, def Con,
def Comedy.
Speaker 3 (25:47):
Jam, I'm just about ask Warp Tour.
Speaker 2 (25:50):
He's also widely cited in media coverage for like all
these pioneering contributions that he has to automotive cybersecurity research.
Here's a quote. Quote please, when I secure cars, now,
the first thing I look at is things that communicate
with the outside world.
Speaker 3 (26:08):
So he said, I just buy old cars so people
can't do any of this stuff exactly. Pretty soon, I'm
just gonna be riding around on a penny farthing wearing clothing.
Speaker 2 (26:17):
So like cars, you say, Chris and Charlie they pioneered
research together into vehicle cybersecurity. So they first demonstrated that
they got physical access to both a Ford Escape and
at Toyota Prius and were able to control their systems.
So like, once they got in physically, they could get
in through the can bus c an bus, which is
(26:41):
the controller area network bus. Sure, but not like a
real bus, like wheels on the bus go round and round.
Speaker 3 (26:47):
Take the thing that like routes traffic for the computer.
Speaker 2 (26:50):
Yeah, it's an internal communication network that lets all the
systems talk to each other. Do you have any idea
how long it took me to like condense it down
into that sentence, because I would start reading things like
I think I'm having a stroke.
Speaker 3 (27:02):
Look on face gives me a hint.
Speaker 2 (27:04):
Yeah, can bus, which then I'm just like, now I
sound crazy.
Speaker 3 (27:07):
Can bus, the bus, cannabus, canna bus.
Speaker 2 (27:12):
By twenty fifteen automakers, they're just like putting more and
more stuff with internet connectivity and like what they call
infotainment systems. Oh yes, into the car. Yeah, they want
to improve the user convenience, but then it also just
opens it up to attack.
Speaker 3 (27:28):
Plenty of exploits, so many.
Speaker 2 (27:30):
Weak spots for the hackers and all the hackens.
Speaker 3 (27:33):
It's like a smog was just Swiss cheese belly. It's
just all these spots. You just one spot. Now he's
got tough.
Speaker 2 (27:39):
All the Pokey's Fiat Chrysler Automobiles, it was one of
a bunch of manufacturers integrating you Connect, which was a
proprietary infotainment system into the cars. It had like navigation,
a Wi Fi hotspot, remote start, voice command capabilities. I
think that's basically what I got down.
Speaker 3 (28:00):
That's what sounds like.
Speaker 2 (28:02):
Some models also had Sprint cellular connectivity that would allow
remote access and updates.
Speaker 3 (28:08):
So you like play from your phone whatever your yeah
to actually connected with the OX.
Speaker 2 (28:14):
Yeah. Super futuristic and great, but also making the car
super vulnerable. It's not properly secured totally. So Miller and
vallisec right. Yeah.
Speaker 3 (28:25):
I had a quick question, do they make essentially like
a Faraday skin for a car? They got into that level.
Speaker 2 (28:30):
That's a really good idea. Guy's got a lead line carduse,
you know, like when they do the ad wraps on
the car. But it's just like with like a with
a guy making a mean face, like don't you dare
waving his face, buddy.
Speaker 3 (28:43):
The graph the crime dog on the hood of your car.
Speaker 2 (28:47):
So our guys. They made it their goal to find
a remote attack vector that wouldn't require physical access to
the vehicle like they need to before. So over the
course of twenty fourteen and twenty fifteen, they set the
sites on Fiat Chrysler's U Connect system, particularly the twenty
fourteen Jeep Cherokee. So they figured, like, okay, we can
(29:09):
get into you connect through that Sprint cellular connection. So
they reverse engineered the firmware, discovered open ports on the
vehicle's Internet facing IP address, and found a way to
rewrite firmware on the infotainment chip like sarahen, I sound
like I work for geek Squad.
Speaker 3 (29:28):
I know you're over here. I'm like, can you fix
my laptop?
Speaker 2 (29:31):
Right? And like totally, I just step on it. Are done.
Using a showdowan, which is a search engine for Internet
connected devices, Sure whatever, buddy, they identified thousands of vehicles
that could be exposed through their cellular modems and they
found this chain of exploits they I mean, they could
(29:53):
get into all these crazy things critical vehicle systems, and
they were eventually able to bridge the gap between the
infotainment system and the.
Speaker 3 (30:02):
Can bus boom.
Speaker 2 (30:04):
They got in, like I want in on that can.
This means that once they were inside, they can send
commands to like key vehicle functions like the gas, pedal,
air conditioning, and radio. They could put fake images on
a dashboard. They can control the windshield wipers, they could disable.
Speaker 3 (30:22):
The brakes, disable the brakes.
Speaker 2 (30:25):
The steering, misnipulate steering. And they set out to do
a very dangerous and most likely illegal demonstration of this.
Speaker 3 (30:33):
Yeah, I would imagine.
Speaker 2 (30:34):
Zerin close your eyes. I want you to picture it.
It's July of twenty fifteen. You are sitting in a
twenty fourteen jeep Cherokee driving down the highway in Saint Louis.
Speaker 5 (30:51):
There.
Speaker 2 (30:51):
You are cruising along. It's seventy miles an hour. Then
suddenly the air conditioner roars to life, blasting the car
with arctic air. Haven't touched a thing. Immediately after that,
the radio comes on. What had been a silent ride
is now one with booming hip hop at top volume.
The speakers in the back rumble. You turn the volume
(31:12):
knob to silence the stereo system, but nothing happens. The
song is still blaring the knob. She needs nothing. Suddenly,
the windshield wipers come on. You didn't touch those either.
Wiper fluid sprays.
Speaker 5 (31:24):
The windshield while you speed down the highway. You can't
get them to stop.
Speaker 2 (31:28):
Just then, an image appears on the car's digital display.
It's a photo of two guys in matching tracksuits. You
take a deep breath and try to stay calm. The
radio cuts out. That's relief, but then so does the accelerator.
The transmission is dead. You pump on the gas pedal,
but nothing. The jeep quickly loses speed, moving slower and slower.
(31:50):
You'd pull over onto the shoulder, but you can't because
you just got to an overpass. There's no shoulder, and
you're starting to go uphill. The cars behind you slam
on their brakes and lean on the lawrence is a
swerve around you. You look in the rear view mirror
and you see a semi truck approaching. The radio comes.
Speaker 5 (32:06):
Alive again with more hip hop.
Speaker 2 (32:08):
Please please please let me survive this.
Speaker 5 (32:10):
You think you fubble for your phone and you make
a call.
Speaker 2 (32:13):
You aren't calling the highway patrol or the cops, or
state troopers or even Triple A. You are calling Charlie
Miller and Chris Vallasek. See you are Andy Greenberg, award
winning journalist and writer for Wired magazine, and you've agreed
to be their guinea pigs. They set out to prove
just how easy it is to do bad with cars
(32:34):
in this current system. You beg them to stop, to
give you back control of the car. You manage to
roll the jeep to an exit ramp, turn the car
off and then on again, basically rebooting it, and then
you get to an empty lot where your experiment can continue.
Speaker 3 (32:48):
Now, why did they get on the road. Why didn't
he to go to like a Walmart parking lot to
do this?
Speaker 2 (32:53):
No, I got so nervous, and they told him before
he got the like, don't whatever happens, don't panic. Now
here's the thing, So Greenberg he gets the jeep to
safety and they all continue their work. The guys were
at Miller's house ten miles away, so they don't have
eyes on him. From Greenberg's Wired article quote Miller and
(33:17):
Vallisex full arsenal includes functions that at lower speeds fully
kill the engine, abruptly engage the brakes, or disable them altogether.
The most disturbing maneuver came when they cut the jeep's brakes,
leaving me frantically pumping the pedal as the two ton
suv slid uncontrollably into a ditch. The researchers say they're
working on perfecting their steering control. For now, they can
(33:39):
only hijack the wheel when the jeep is in reverse.
Their hack enables surveillance too. They can track a targeted
jeep's GPS coordinates, measure its speed, and even drop pins
on a map to trace its route. Unbelievable, So, of course,
the whole thing was done with Greenberg's consent, sure as
a way to publicize the danger of you connect and
get the Endo street to respond, let's take a break.
(34:02):
When we get back from this ad venture, I'll tell
you just how they responded.
Speaker 3 (34:27):
Zarin, Oh, Elizabeth, we're back.
Speaker 2 (34:30):
We're back in the twenty fourteen cheap.
Speaker 3 (34:31):
I had to shake that one off.
Speaker 2 (34:32):
I know that was a nightmare, as a total daymare.
Speaker 3 (34:35):
I thought it was bad and if someone took over
my computer but being in the car they're taking over
and then like I gotta trust them. Oh yeah, I
don't worry. I'll art it all back.
Speaker 2 (34:42):
Very maximum overdrive. And I don't like it one bit.
Speaker 3 (34:44):
And there's not enough of Meia the West of US
in that for me I feel safe.
Speaker 2 (34:47):
Yeah, there needs a whole lot more so. After that
Wired article, Fiat Chrysler, they took swift action. July twenty fourth,
twenty fifteen, they issued a voluntary safety recall for one
point four million vehicles in the US in order to
fix those software vulnerabilities. And so that was models from
(35:08):
twenty thirteen to twenty fifteen that had eight point four
inch touchscreen. So twenty fourteen, twenty fifteen Jeep, Cherokee, twenty
fifteen Dodge Challenger, which like, I don't want one of
those self possessed rubbing down the road, twenty fifteen, Chrysler
two hundred and others. Chrysler dodged Jeep and Ram lines.
Fiat Chrysler sent out a USB drive by mail to
(35:30):
affected owners with the patch like diy, I guess steal
a Kia drive that around instead the owners They could
also go to a dealership for installation if they weren't hackers,
you know. In addition, Sprint closed the open cellular ports
that the hackers had used, which like, why didn't you
(35:51):
do that originally?
Speaker 3 (35:52):
Yeah? Did they cost a penny to do?
Speaker 2 (35:53):
Now, the National Highway Traffic Safety Administration they opened an
investigation and then they find Fiat Chrysler one hundred and
five million dollars.
Speaker 3 (36:02):
Why did they find them for just being.
Speaker 2 (36:05):
A production They're flying too close to the sun, Like
you thought you were so special, arrogance. Well, it wasn't
just for the Jeep vulnerability, but there were like a
series of recalls that were kind of mishandled leading up
to me. So like, you guys are bungling everything one
hundred and five million, but the Jeep incident was like yeah, yeah,
(36:26):
so the hack that had lasting implications far beyond Fiat Chrysler.
Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut
they introduced the Security and Privacy in Your Car Act,
the Spy.
Speaker 3 (36:41):
Car Act right.
Speaker 2 (36:44):
The bill would require cybersecurity standards for vehicles, isolation of
critical software systems, real time hacking detection systems, and then
transparency on how car companies collect and share driver data.
It's a great bill.
Speaker 3 (36:59):
Sounds like didn't pass, Oh my goodness.
Speaker 2 (37:01):
Of course, not my feeling. I'm thinking the sticking point
was the transparency on how car companies collect and share
driver data, probably because that's like, you know, that's a
commodity and.
Speaker 3 (37:11):
They generally avoid that for either that's our data.
Speaker 2 (37:14):
Yeah, the customer like spending and travel, and then also
like how you connect to like insurance companies.
Speaker 3 (37:20):
Yeah, that they didn't want like a trade secrets, like
we're selling everything.
Speaker 2 (37:24):
Was just like this driver like yeah, they speed all
the time, increase their rates. Oh, they wouldn't know otherwise.
I don't know, that's my guess.
Speaker 3 (37:31):
I was thinking that they were already doing that. They're
killing the insurance company for a price.
Speaker 2 (37:34):
They already do. But I'm just saying like that was
that's I think that, like this is something that car
companies would kill because it's going to cost him money
beyond just like changing the tech.
Speaker 3 (37:45):
It's something valuable to them. Yeah, data that is.
Speaker 2 (37:48):
That's just me guessing.
Speaker 3 (37:49):
I'm speculating to the BUIL didn't.
Speaker 2 (37:52):
Pass, but it like spurred all these discussions about automotive
cybersecurity standards. In twenty sixteen, the Automotive Information Sharing an
Analysis Center, they released their best practices for cybersecurity, and
you know, most of the major manufacturers of automobiles they
picked that up. The gpack made it super clear infotainment
(38:14):
systems have to be segregated out from like the critical
vehicle control stuff. You can't have it all just riding
us together, exactly, And so Miller and Vallisek they later
got hired by Uber's Advanced Technology Center to work on
their self driving car security, and then they both worked
as principal autonomous vehicle security architects at Cruse Automation, which
(38:37):
was GM's self driving cars. The latest and more visible
victim of hackings is, of course Tesla.
Speaker 4 (38:49):
Yeah.
Speaker 2 (38:49):
Well, I should note that Tesla has a bug bounty program.
So if you can hack them and then show them how,
they'll give you cars or money or something. Of the
cyber trucks. It doesn't they can't sell you know, here
have one, you have five? Yeah, and I'm just like,
I hacked you guys. They're like, you no need to
have proof. Take a cyber's your problem now. Some of
(39:13):
that bacon from the diner. The whole thing, though, the
Tesla is like one big computer and the cars are
all about like connectivity and such and like you know,
things like watching YouTube while you pretend to drive while
autopilot's on and you're facetiming your buddy.
Speaker 3 (39:28):
Sure important thing, yeah exactly.
Speaker 2 (39:30):
In twenty sixteen, researchers from Keen Security Lab they found
multiple vulnerabilities in the Tesla model S that allowed remote
control of the car from up to twelve miles away
via the Wi Fi or cellular connection. So that's okay,
one year after this jeep thing, you know, someone's on
like an Atari sixty four driving your Tesla around. So
(39:53):
they found vulnerabilities in the infotainment system once again that
darned can bus access to the browser autopilot braking functions,
so they were able to like open the sun roof,
move the seats, control side mirrors, turn on the turn signal,
and then like slam on the brakes remotely while the
car was.
Speaker 3 (40:13):
In so still operating like the car itself, not just the.
Speaker 2 (40:16):
Features, yeah, but then like oh and the break ps
the brakes. Tesla saw this and then pushed an over
the air software update within ten days of the disclosure,
and then they also improved isolation between the systems like
we you know, infotatement and critical components.
Speaker 3 (40:32):
Separated firewall that stuff.
Speaker 2 (40:34):
Yes, talk, I love that, that's firewall.
Speaker 3 (40:38):
That's good, thank you.
Speaker 2 (40:39):
I just learned that one myself. In twenty twenty, fluoro
Acetate struck.
Speaker 3 (40:45):
That's a hacker.
Speaker 2 (40:46):
It's a well known security research team. So they share
a call sign Richard Zoo and amacamma. They were at
pone to own once again Vancouver hacking. Remember, yeah, the
super Bowl hack exactly, And that's where they exploited a
vulnerability in the Tesla Model threes infotainment system using a
(41:07):
JavaScript jit just in time jure in the WebKit engine.
We're back with webkits. The exploit allowed them to gain
control of the system when the driver visited a specially
crafted web page, so like if you're browsing around, you
have to put the web page into the giant screen
(41:28):
inside the car. And it gave them access to display messages.
They could control infotainment features like I'm going to put
on a different channel, interact with subsystems connected via the can,
but they couldn't directly control the driving, so.
Speaker 3 (41:44):
They can make you watch criminal minds against your will.
Speaker 2 (41:47):
Hundred percent, and so that was like purely infotainment. They
couldn't direct the actual car. But this was part of
a challenge at the competition, not a rogue mission to
embarrass Tesla. So Tesla awarded the hackers a Tesla Model
three and forty thousand dollars in prize money.
Speaker 3 (42:03):
So it was like a sponsored hackophone.
Speaker 2 (42:04):
Sponsored hackaphone. And then they patched that.
Speaker 3 (42:07):
Vulnerability quickly they should.
Speaker 2 (42:08):
You know, be via a software update.
Speaker 3 (42:11):
So this is like their version of beta testing, is like, hey,
we're going to put the car out, then you find
the flaws and we'll fix those exactly.
Speaker 2 (42:17):
Yeah, it's sort of like self check out. Suddenly I
work for the supermarket. Yeah, suddenly you work for Tesla.
So like, hold on, do you have Bluetooth in your
carp Yeah? See I do.
Speaker 3 (42:27):
Yeah, I wasn't kidding about I buy older cars.
Speaker 2 (42:30):
One time I let someone, someone who's a co host
of a murder free true crime podcast, connect his bluetooth
in my car. Yes, and now I know this fellow connected.
If I'm near you and your phone, you connect to
my car. So like you'll be in the parking lot
at headquarters on a phone call. I'm parked near you.
(42:51):
I go to start my car and suddenly your call
is in.
Speaker 3 (42:54):
My bluetoth You're talking to my mother.
Speaker 2 (42:55):
And I've got someone saying hello, Hello, or I'm suddenly
listening to the serious XM Radio Classics episode that you've
got playing on the radio Classic.
Speaker 3 (43:04):
Oh yeah, you like Jack Benny. I hope you do.
Speaker 2 (43:06):
What I'm saying is that I think my car likes
you better, which doesn't seem fair.
Speaker 3 (43:11):
So your your phone doesn't connect to the bluetooth, it.
Speaker 2 (43:14):
Gets kicked off by yours. Like you've basically hacked me.
You're a hacker, now hack Yeah, anyway, This dude, Leonard
Wooters is a security research at ku Leuvin University in Belgium.
June twenty twenty two, he exploited vulnerabilities in Tesla's Bluetooth
low energy keyless entry system. So we've gone through all
(43:37):
these other ways in now we got Bluetooth. So he
had like what's called a relay attack. He could unlock
and start a Tesla both model three and Model y
by relaying signals from the owner's phone or key card.
And he could do this even if it was inside
a nearby building. Obviously not in a fair date box.
So the bl systems there intercepted using cheap off the
(44:01):
shelf hard where like the Oakland car thieves use. And
it's basically the same thing. You get there, you pick
up the signal, you clone it. So he's unlocking doors,
you start in the car driving away. Tesla, though, didn't
consider it a flaw in its system, because the ble
relay attacks are a known risk with passive entry systems.
They're like, it's not just us all through the Oakland Hills.
(44:26):
So he was like, this guy, this hacker recommended that
people turn off passive entry or use in a Tesla
pin to drive like a personal identification number, requiring a
code to be able to drive.
Speaker 3 (44:37):
I need like two factor authentication to get into my car.
Speaker 2 (44:40):
Is such a hassle to get in the car. Nobody
listened to this guy. Everyone's like, whatever, I.
Speaker 3 (44:46):
Will leave websites if I have to get on my iPad.
I'm like, Daily Beast, why are you making me go
to my iPad?
Speaker 2 (44:51):
No, big, nope, how about do.
Speaker 3 (44:53):
I want to read this story to own? They're back
the super Bowl of hacks.
Speaker 2 (44:57):
They went after Tesla again in twenty twenty five. The
Sinactive team, that's Thomas Imbert, Vincent Dehores, David Barrard. They
targeted Tesla's vehicle control system Electronic controller VC secure. It's
a critical module in the Tesla Model three that's responsible
(45:17):
for security functions like immobilization, door locking and then handling
data from the tire pressure monitoring system.
Speaker 3 (45:24):
So they turned the security specialist into the vulnerability. Yes, interesting, And.
Speaker 2 (45:29):
They did that at pone to Own Automotive twenty twenty
five in Tokyo.
Speaker 3 (45:32):
Twenty twenty five.
Speaker 2 (45:34):
This is recent, this is earlier this year. So just
like in the other cases, they used Bluetooth, they got
into the can.
Speaker 3 (45:40):
But got that can bus.
Speaker 2 (45:42):
Get all on the bus. Maybe if they'd had some
heap exploitation going on, we wouldn't be in this situation.
Speaker 3 (45:48):
Yeah, that's what I'm thinking.
Speaker 2 (45:49):
If you can access the ratchet router with the VPN
card and so on, case closed. So now there was
also a time that Tesla itself, not the cars, got ACKed.
Two former Tesla employees who were unnamed in public filings.
They leaked over one hundred gigabytes of internal data to
a German media outlet, and that all came to light
(46:11):
in August of twenty twenty three, but the breach had
occurred earlier that year.
Speaker 3 (46:14):
Did they use a car to hack Tesla?
Speaker 2 (46:16):
They hacked Tesla with a Tesla?
Speaker 3 (46:18):
Wow?
Speaker 2 (46:19):
No, I don't know. Anyway, they got into the Tesla servers.
They leaked autopilot system secrets. Oh, good for them, customer secrets,
customer personally identifiable information. That's bad, employee records that's not good.
And then some of the leaked documents allegedly detailed quote
(46:41):
Tesla crash reports, I'm happier with that internal discussions on
auto pilot related accident. No, the internal discussions about them.
So they're like whatever, They could look like a loser anyway,
you know what I mean, Like I'm guessing. I don't know.
So Tesla immediately took legal action. They four the ex
employees to surrender devices and data, and they notified affected
(47:05):
individuals of the breach. I mean, this isn't like a
traditional software hack, but it exposed highly sensitive vehicle systems
and customer data, major insider cybersecurity threat Sounds like it's
like our cars are now rolling cybersecurity threats, Like we
basically drive around in big computers.
Speaker 3 (47:23):
Yours are. Yeah, I'm over here in a seventy eight
catalyg I know.
Speaker 2 (47:27):
It's You're so lucky. It's not just the physical actions
of the car that's vulnerable. Like we have all this
personal information. Look at me, I'm getting text messages.
Speaker 3 (47:36):
Text with your car.
Speaker 2 (47:37):
I think that's wild to me. Yeah, I think that's
where the Democratic Party keeps getting my information to text
mealy anytime anything happens. So cars they collect GPS, location history,
call logs, contacts. You know, you can load your contacts
from your phone into your car, so your car can
call I guess voice recordings.
Speaker 5 (47:56):
They can log your behavior and give.
Speaker 2 (47:57):
It to insurance companies.
Speaker 3 (47:59):
Wow.
Speaker 2 (48:00):
The biggest thread of this, I think is having your
information sold to marketers and corporations.
Speaker 3 (48:04):
Sure, that too.
Speaker 2 (48:06):
Ripe for criminal tinkering, of course, but it could go
beyond street crime because think about it, like nation state
actors could target infrastructure like fleet vehicles.
Speaker 3 (48:15):
Oh yeah, I're also like the partner of somebody who
works for the government, and then they can just be
in the car talking on their phone making safe and
all of a sudden, other cars.
Speaker 2 (48:22):
Listening to Oh yeah, terrorists could hijack cars for sabotage.
What I'm trying to say is that we need to
go back to an agrarian society and all ride bikes.
Speaker 3 (48:32):
I love that.
Speaker 2 (48:32):
Make it stop, everyone on a bike. I don't want
to do this anymore. That's what I'm trying to say.
And with that, I'm going to go get into my car,
listen to satellite radio, call my mom via bluetooth on
the stereosystem unless you hijacket, and then I'm going to
use my GPS to go do crimes in the woods.
So just take the edge off, Zarin. What's your ridiculous takeaway?
Speaker 3 (48:52):
You know, as I've complained about it often exact to
deal with them. Both of my parents are Luddites, right.
They neither one has an iPhone or any Android. They
both have flip phones. They won't do email. My mother
still has an Aol account, like you know, their total
bloods with the fact that they have computers is like
a major step and unfortunately I think they're right well
(49:15):
kills me right. Yeah, she pays like whatever, fifty dollars
a month to do like four things or whatever. I'm like,
what is wrong with you? What is your ridiculous take away? Elizabeth?
Speaker 2 (49:24):
Where did this takeaway? Is that computers bad that I
need them. We all do, so, Dave, can I please
have a talk back?
Speaker 3 (49:32):
Oh yeah, oh.
Speaker 4 (49:37):
My god, I love get.
Speaker 6 (49:47):
Hi Elizabeth Saron and producer d This is Ali from
South Carolina. I have loved the show for years now
and I just listened to the wig jacking episode and
then about a day later, happy to come across an
image of the painting a Sundae on lagrange jat or
however you pronounce it. Who knows who cares? And as
(50:07):
I'm sure you know, in the bottom corner of that painting,
there is a little monkey on a leash and a
small dog staring out. And all I could think about
from that little monkey and little dog is that they
were scoping out the scene looking for their next heist
because they'd had to move on from.
Speaker 2 (50:27):
Their wig work.
Speaker 6 (50:27):
So maybe they were on hat stealing or just there
to cause general ruckus. I don't know, but I support
them either way. Anyways, Love you guys, love your show.
Thanks so much for all you do, and see you
again next crime.
Speaker 3 (50:42):
I love that.
Speaker 2 (50:43):
This is this is what the power of good art
right that tells you this story And I love this.
I love your your so perceptive picking up all the
little bits and bobs and the sool. That's it for today.
You can find us online at ridiculous Crime dot com.
Speaker 5 (51:02):
This just in.
Speaker 2 (51:03):
The website won the Hollywood Foreign Press Hackproof Award. They
have declared our website hackproof. Nice I know, good job team.
We're also at Ridiculous Crime on both Blue Sky Instagram.
We're on YouTube at Ridiculous Crime Pod. You can email
us at ridiculous Crime at gmail dot com, leave a
talkback on the iHeart app reach out. Ridiculous Crime is
(51:31):
hosted by Elizabeth Dutton and Zaren Burnett, produced and edited
by HackMaster Dave Cousten, starring Analys Rutger. This Judith research
is by aftermarket Penny Farthing Bluetooth installer Marissa Brown. The
theme song is by hacking duo The Bongo Boys aka
Thomas Lee and Travis Dutton. Post wardrobe is provided by
Botany five hundred guest here and makeup by Sparkleshot and
(51:54):
Mister Audrey. Executive producers are Exhausted Tesla Legal Team, Ben Bowen.
Speaker 4 (52:00):
That's Old Brad, Ridicous Crime, Say it one more Timequeous Crime.
Speaker 1 (52:12):
Ridiculous Crime is a production of iHeartRadio four more podcasts
from my heart Radio. Visit the iHeartRadio app, Apple Podcasts,
or wherever you listen to your favorite shows.
Ridiculous Crime. It's a production of iHeartRadio.
Speaker 2 (00:03):
Zaren Burnette. We meet again, Elizabeth Dunton. How you doing good?
So good to see you.
Speaker 3 (00:10):
Interns told me you're going to be early, and I
was like, well, I'm going to be late.
Speaker 2 (00:15):
You're looking sharp today in your little stress mariner's shirt.
Speaker 3 (00:19):
I'm like a French mariner over here.
Speaker 2 (00:21):
I love it. It's cute. I'm gonna get you a
can of sardine. Make your day quick question. Sure you
know what's ridiculous?
Speaker 3 (00:29):
I do.
Speaker 4 (00:30):
So.
Speaker 3 (00:31):
Hearkening back to when I was telling you about the
Buddhist monks, I mentioned about Stevie Wonder going around at
the Shaolin temple and it's like, oh, he must have
been enjoying listening to the temple. If you ever heard
the theory that Stevie Wonder actually can see, I have right,
there's a lot of celebrities have talked about it.
Speaker 2 (00:45):
Yeah.
Speaker 3 (00:46):
So I have one here that I think is just
absolutely not proof positive.
Speaker 2 (00:49):
But there's some interesting video proof.
Speaker 3 (00:51):
It's interesting. Yeah. So Elton John has this evidence that
Stevie Wonder may be able to see. That I thought
was very convincing because the two of them happened to
be Colorado at the same time, and they, you know,
kind of bumped into each other. That's not the evidence
they were Basically they did a snowmobile tour. But I'll
let out and John tell the story. Quote musicians passing
through Denver or Boulder would drop by to visit. Stevie
(01:13):
Wonder turned up one day and took out a snowmobile,
insisting on driving it himself. Now, to preempt your question, no,
I have no idea how Stevie Wonder successfully piloted a
snowmobile through the rocky mountains of Colorado without killing himself
or indeed anyone else in the process. But he did.
Speaker 2 (01:30):
And it's not like it's a Stevie's house, No, he just.
Speaker 3 (01:33):
Like he doesn't know this track. He is not like, oh,
I've got this worked out. He took. Yeah, he went
out there and drove a snowmobile. Like, I don't think
I could do that that well and not run the
risk of bumping into something apparently flawless Stevie Rascal. So
I'm just saying, is there's an interesting one can.
Speaker 2 (01:51):
Be like you can be like technically blind.
Speaker 3 (01:55):
Right, you know, I guess varying degrees of Yeah, there's.
Speaker 2 (01:58):
Different levels of blind, so it might not be completely
you know.
Speaker 3 (02:02):
Yeah, so much like UFOs and UAPs. I'm keeping an
open mind about Stevie wonder whether or not.
Speaker 2 (02:09):
Wow, there you go, very ridiculous, right, that is ridiculous.
Speaker 3 (02:13):
John always got the.
Speaker 2 (02:14):
Tea, always always. Do you want to know what else
is ridiculous?
Speaker 3 (02:19):
Please?
Speaker 2 (02:19):
Hacking a car? Bro This is Ridiculous Crime, A podcast
(02:44):
about absurd and outrageous capers. Heis and cons It's always
ninety nine percent murder free and one hundred percent ridiculous.
Speaker 3 (02:53):
I know you done heard that.
Speaker 2 (02:54):
I done heard it so many times. Hi, Elizabeth, Hey,
my name is Werner Brandis my voice? Is my passport?
Verify me?
Speaker 3 (03:03):
Excuse me?
Speaker 2 (03:04):
Do you know what that's from?
Speaker 3 (03:05):
No, that's right, Zaren.
Speaker 2 (03:07):
You're correct. It's one of my all time favorite movies. Sneakers.
Oh Hi, my name is Werner Brandis my voice? Is
my passport? Verify me?
Speaker 3 (03:18):
Is it like a security check?
Speaker 2 (03:19):
Yeah? So if you haven't seen have you seen Sneakers?
Speaker 3 (03:22):
Yeah? But way back in the day, watch it again.
Speaker 2 (03:24):
Because I love it so much. Yeah, it's like a
voice cod werner brandeis He's like a He's a tech guy,
uh an executive at this tech company, and so it's
a voice recognition, and so they needed to make a
recording of his voice to sneak in without him the
protagonists in this film, and anyway, they so they record him,
(03:49):
but they get like a honey trap. This woman has
to go and like get him to say these words
so they can piece it together on a blind date.
And so she's like, oh, you know what word, I love?
Passport And he's like, passport. So when it gets played back,
my voice is my passport. Anyway, I love that movie.
It's the story of some former and like side gig
(04:11):
hackers who do what's called penetration testing for tech security
at companies. White hat hackers. They use their powers for good,
although I believe they'd be gray hat hackers in some sense.
Speaker 3 (04:23):
What's the distinction there?
Speaker 2 (04:24):
A gray hat hacker is someone who engages in hacking
activities without permission, but their intentions are not always malicious,
and they may include reporting vulnerabilities you know, that they
find in these targeted organizations or even like to the public.
Speaker 3 (04:39):
So if they break into to the Department of Defense
and then leave a note I found exactly and I
can tell you how I did.
Speaker 2 (04:44):
Precisely, and they can exploit vulnerabilities for like personal gain
or demonstrate a point, you know, either way. In Sneakers,
the team which is led by Robert Redford, they go
up against Redford's old altruist college hacking buddy turned power
hungry tech villain, and there's some great hack in along
the way.
Speaker 3 (05:02):
They hack it up, side it up. Oh, he's so good.
Speaker 2 (05:06):
In that, Yeah, dan Ackroyd, that's right, hacking, hacking, so
much hacking, River Phoenix Hacking. I was thinking about that movie,
as I do sometimes when, and it got me thinking
about white hat hackers, those who used to hack illegally
for profit and or power, and then they go straight
(05:27):
and they help the authorities bust back the Yeah. I
like that idea. One of the most annoying characters on television,
Penelope on Criminal Minds, was a bad hacker. Yeah, and
then she was recruited by the FBI to hack the
world in pursuit of horrible violent criminals. And then they
also needed her to like teeter around the office in
(05:48):
clown costumes, Yeah, spouting out like stale slang while holding
something from the Archie McFee cap her. Oh I can't.
Like she's just running around with a rubber chicken pen
with a feather puff at the end.
Speaker 3 (05:58):
What a rubber chicken?
Speaker 2 (06:00):
Doesn't that sound like something she'd hash.
Speaker 3 (06:02):
That's some real clan behavior.
Speaker 2 (06:03):
Yeah it is. Anyway, I was poking around with the hackers,
basically hacking my way through Google's lousy search model, and
I found something. I caught a case there. I caught
a couple of cases. I think you're gonna like them. Please,
I should warn you that, just like the last time
I told you about hacking.
Speaker 3 (06:20):
Crime, you got hacked.
Speaker 2 (06:23):
No, I'm going to use a lot of technical language.
Much of it is going to go over your pretty
little head. Probably don't be intimidated, like some of us
are just more tech savvy and smarter.
Speaker 3 (06:34):
No, it's very to true.
Speaker 2 (06:35):
So I'm going to use terms like hacking and mainframe
and motherboard.
Speaker 3 (06:41):
Are these terms like DJ's used like a motherboard? I'm
on my motherboard?
Speaker 2 (06:44):
The ones and two, database and network? Have you heard
those before?
Speaker 3 (06:47):
No? None of the all new to me keyboard keyboard?
Oh like oh yeah, like with the with the piano
correct correct USB drive?
Speaker 2 (06:55):
Nope, Like I said, I don't want you to be intimidated.
The truth is that I has but a tenuous grasp
on all of those concepts and the items myself. So
we're on this digital journey together.
Speaker 3 (07:07):
You do know, I have a bunch of friends who
are like hardcore, and then they talk to me about
stuff and I'm like, I use yellow legal pads. I
don't know what you're talking about.
Speaker 2 (07:14):
No, I'm just like, you know, I'm like, why isn't
everything opening? Oh, I'm not connected to the internet. Cars,
I'm not talking about the Pixar movies there and back up,
I was like, you're going to I'm talking about the
things we drive down the street. Cars are full of
(07:35):
micro chips totally. And wasn't that part of the supply
chain issue during the early days of COVID, Remember there
was like the chip shortage for new cars and that's
like the cost of new cars.
Speaker 3 (07:45):
And then cars they have all the screens.
Speaker 2 (07:48):
Now they got like a forty inch television screen smack
in the middle of the dash.
Speaker 3 (07:53):
Video games.
Speaker 2 (07:54):
Yeah, you can't text and drive. That's good, but you
can have a small TV like in your lap drive.
Speaker 3 (08:00):
You're making.
Speaker 2 (08:03):
In some cars that'll remain nameless. It's on those screens.
We have to do stuff like adjust the AC or
like put on the turn signal.
Speaker 3 (08:11):
I've heard about this, Yes, that's the wild one.
Speaker 5 (08:12):
To screen.
Speaker 2 (08:14):
You have to tell the car not to run over kids.
Run over fewer kids, you know, like we don't. We
don't have buttons anymore. I love buttons there, I like.
Speaker 3 (08:24):
I even like knobs.
Speaker 2 (08:26):
The best car I ever owned was in nineteen eighty
nine Ford Bronco. Yes, you're not a chip in sight.
Speaker 3 (08:32):
No, I don't think so.
Speaker 2 (08:33):
You could fix it with like a ball, peen hammer,
a butter knife and some electrical tape. Could It was perfect.
So now now I have this Subaru, right, I love it.
Speaker 3 (08:43):
Yes, I've heard you talk about.
Speaker 2 (08:44):
It has all sorts of not just chips and electronics,
but like online stuff. Oh really, I can lock and
unlock it with an app.
Speaker 3 (08:52):
Do you use any of this? You know?
Speaker 2 (08:54):
If I if I am already gone to bed and
I can't remember if I lock the car. Sometimes I just.
Speaker 3 (08:58):
Check lock it.
Speaker 2 (08:59):
I could start it remotely if I wanted from an app.
You can look on the app and see where it is.
It's like, oh it's in my driveway still, But like
if someone stole it, I can see where it was
and turn off the engine on them.
Speaker 3 (09:11):
That's kind of fine like that, and then did would
they crash the car if you?
Speaker 2 (09:15):
Yeah, Well, what do I care? I'm not in it?
Speaker 3 (09:18):
Curious kind of like a good idea until you realize
what you've readen No.
Speaker 2 (09:22):
I think it just boo powers down, no help, Okay,
I stole the wrong flashing lights come on and let's drive.
Speaker 3 (09:28):
Other drivers know exactly.
Speaker 2 (09:31):
It texts me when there's an.
Speaker 3 (09:32):
Issue, used like a snarky tone.
Speaker 2 (09:35):
I ran out of wiper fluid, and it kept reaching
out to me via text like a democratic fundraiser, totally
to let me know, like, hey, don't forget about me.
Speaker 3 (09:43):
But is it like the duo lingo. It's kind of snarky,
like have you forgotten that?
Speaker 2 (09:46):
It's very sincere and I just text back, wow, needy,
just keep going keyless entry peep peep. There was a
time recently here in Oakland where ladies were getting carjacked,
like up and down this very busy street near me,
and it seems to have calmed down, but it was
happening almost regularly for a while, like summer carjackings. Others
(10:07):
like guys would just run up, break the passenger window
and steal a purse on the seat.
Speaker 3 (10:11):
Us like a spark plug break the window.
Speaker 2 (10:13):
Yeah, and so for the carjacking. That's why I keep
my keys in my pocket when I'm driving instead of
like in my bag or like the cup holder, because
if I have my keys on me and they forced
me out, they aren't going to get very far because
you has to be close to the car to run, Sarah,
and you have to stay on the ball, keep your
head on a swivel. I don't think Subaru foresters are
(10:33):
like the hot Cardiff steal, but you never know.
Speaker 6 (10:38):
So.
Speaker 2 (10:38):
And that's another peril of the keiless entry fob is
that people can buy devices that clone keys to use.
Speaker 3 (10:45):
For stealing the RFD.
Speaker 2 (10:47):
Yeah, they walk by houses at night with a thing
and they can, you know, the hackens and they pick
up a signal from the keyfob and then they can
use that to start the car out.
Speaker 3 (10:56):
They're buddy holding up like a wire and they're like
trying to get I would have thought it was a.
Speaker 2 (11:01):
Total urban legend, but I've seen home like break camera
stuff of it, and it happened not a couple of times,
not too far from me. So you know what I do.
I put my keys in a Faraday box by the door.
Speaker 3 (11:14):
I love it.
Speaker 2 (11:15):
I probably overreacting, but whatever, it's a cute box.
Speaker 3 (11:17):
I'm anyway, Yes, plants on it. You can override a
garden seed box.
Speaker 2 (11:22):
Yes, no, it's very it's tasteful. It's brown and leathery.
There anyway. You can override the key with sentry. Other ways.
One involves a USB stick how so, but not in
the way you think, Zaren, I'm thinking nothing. It's physical hacking.
(11:43):
I'm sure you've heard of the Kia challenge.
Speaker 3 (11:45):
Oh yes, okay, yes, this was a hacking.
Speaker 2 (11:49):
I know, I totally did. It's a viral trend on TikTok.
In twenty twenty two is when it started. So people, okay, teens,
They learned how to steal certain Kia.
Speaker 5 (11:58):
And Hyundai vehicle using only a.
Speaker 2 (12:01):
USB cable and it started as this form of car theft,
but it quickly became a social media challenge, and like
vehicle thefts just surged across the US.
Speaker 3 (12:12):
They just joy ride these cars, they don't write.
Speaker 2 (12:15):
So they targeted Kias and Hyundais made between twenty ten
and twenty twenty one.
Speaker 3 (12:19):
So that's a.
Speaker 2 (12:20):
Pretty broad stretch. That's because they had traditional metal keys
not pushed to start, and the cars also didn't have immobilizers,
so those are like basic anti theft devices that keep
the engine from starting without the correct key. And apparently
the car alarm wouldn't go off if you broke the
back window.
Speaker 3 (12:39):
Oh okay to know.
Speaker 2 (12:43):
Yeah, what all that means is that it was possible
to get into the car without the alarm going off,
remove the steering column cover, use a USB cable or
anything shaped like it to turn the ignition switch, and
then start the car and drive away.
Speaker 3 (12:56):
Oh you didn't have to like drop it down and
pull the wires out.
Speaker 2 (12:58):
Oh no key. No hacking tools required. A group calling
themselves the Kia Boys posted videos anytime you put boys
in it, it's just you just took the wind out
of yourself. You know what I mean?
Speaker 3 (13:12):
Kia Boys.
Speaker 2 (13:14):
Yeah, I guess that is, but like proud Boys, No,
that's scary. They posted videos on TikTok and YouTube showing
how to steal the cars, like tutorials youtubes like keep
it Up Yeah Kia Boys tutorials. Other people copied them.
They turned it into this challenge. Some filmed themselves stealing
the cars and joy writing, and then they posted the
videos online.
Speaker 3 (13:34):
Not only did they take the evidence that they made
it publicly avail.
Speaker 2 (13:37):
Yes, we're talking about like, oh, don't write down your
plans for these guys are like watch it in four.
Speaker 3 (13:41):
Kas and they were in like the shasty mass you
can't really see who they are.
Speaker 2 (13:44):
Probably, so there was this huge spike in the thefts,
like I said, Milwaukee, La, Saint Louis Mania, all of them,
like some of these places that the car thefts increased
by like more than one hundred percent, and like I said,
big with the teens, a lot of the thieves were miners.
Law enforcement and community leaders went into like overdrive trying
(14:06):
to respond to this. My neighbor a couple of doors up,
had her Kia stolen three times, what yeah, three times,
so the cops would recover it in like an industrial
area uptown and she'd get the ignition repaired to how
it was before and then we could stolen again.
Speaker 3 (14:21):
So they weren't really wrecking the car enjoy right now.
Speaker 2 (14:23):
No, They're just scooted it around running and got trashed.
But for the most part they were just like pushing
it to Yeah, so there was a fix that the
dealership could do, but there were so many that the
parts were on back order for ages. Oh wow, So
then she got a club. But then one night some
ding dong broke into the car and tried to break
the club off with a rock. What. Yeah, he wasn't successful,
(14:46):
but he did get away. A cop came told him
to freeze, drew his weapon. Yeah, and the guy hopped
into another car and drove away around the cop.
Speaker 3 (14:56):
What was the cop doing standing there.
Speaker 2 (14:58):
With his weapon on it?
Speaker 3 (14:59):
Like, why didn't pull a weapon fingers?
Speaker 2 (15:01):
I think that the guy realized that the cop was
he's flying solo. He didn't have a partner with them.
The CoP's not going to open fire at two in
the morning with the possibility of hitting the houses behind
her in the air. I don't know. I watched the
whole thing from my front window and it was pretty
That was That's why I was telling you this part.
It was a ridiculous crime. It was one of the
(15:22):
most ridiculous things I've ever seen. And yeah, he just
swerved around and the cop put his hands down and
was just like the physical representation of dejections, Like he
just looked like now, he's got to go tell all
his pals. Yeah, so wow. There were class action lawsuits
filed against Hyundai and Kia. In twenty twenty three, the
(15:46):
carmakers offered free software updates to add anti theft features
like the immobilizer a longer alarm sound. They also gave
out steering wheel locks through police departments, so I guess
you could go to the cops and be like, I
need to club and they eventually settled the lawsuits for
around two hundred million dollars. Still going on though earlier
(16:07):
this year. In February of twenty twenty five, members of
Texas's Laredo Police Department Auto Theft Task Force. They detained
four boys ranging in age from thirteen to fifteen. There
was like the string of thefts. Two Kias and three
Hundays were actually stolen, but there were eleven other cases
where these fools tried to steal the cars and weren't successful.
(16:30):
They didn't watch the video all.
Speaker 3 (16:32):
The way through their junior high kids.
Speaker 2 (16:34):
Most of the cars that they hit were already unlocked,
which like, come on, I don't want a victim blame.
But they had the steering columns broken, the ignition switch broken, off.
All four of these boys were involved in all sixteen
of the cases, both the five successful in the eleven.
So I mean they caught counts like criminal attempt so
that's a misdemeanor, but like engaging in organized criminal activity
(16:57):
that's a felony left the state felonies, so they get
you know, all of these adam Yeah.
Speaker 6 (17:05):
Right.
Speaker 2 (17:05):
Criminal conspiracy cases like this can be found all over
the country, plus Australia and Canada, even the cool places
like that. The Canada ones are interesting because Canadian law
requires immobilizers in all new vehicles sold in Canada since
two thousand and seven, so that means that the ones
that were targeted were imported from the US.
Speaker 3 (17:24):
How did they do I guess they just recognized.
Speaker 2 (17:28):
Listen, let's pause for some ads. Brace yourself for savings.
When we come back, we're going to boost some more rides,
but this time was software, not hardware. Saren. I want
(18:01):
to introduce you to two dudes, two hack attackers, two
gray hat hackers who technically broke the law in an
effort to work for the greater good. So the first
guy is Charles Alfred Miller, Charlie Miller.
Speaker 3 (18:14):
He got a handle a hacker handle, No, Charlie.
Speaker 2 (18:18):
He's an American. He got a bachelor's in mass magna
cum loud from Northeast Misery State just now Truman State University.
Got a PhD in math from Notre Dame. He's basically
and that was in two thousand and he got his PhD.
He was like early on the learned to code train
it seems like it. Yeah, So he started his professional
(18:38):
career at the NSA and he worked as a cryptographer
slash codebreaker there for five years.
Speaker 3 (18:44):
That's got to be fun and challenging.
Speaker 2 (18:45):
I guess, well, sometimes when I do my cryptogram puzzles,
I wonder if the NSA is watching me through the
camera on my iPhone, and then I wonder if they'll
see how good I am at these puzzles. And then
my phone will ring. It'll be them asking me to
join the NSA team to be a hacker.
Speaker 3 (19:00):
We put out the puzzles and we look for some
of the best.
Speaker 2 (19:03):
We'll tell me about insurance and benefits and is the
position remote, and then they'll hang up on me because
they're looking for true patriots who aren't focused on their
own comfort.
Speaker 3 (19:12):
Yeah, that's true.
Speaker 2 (19:13):
I wonder about this sometimes, I.
Speaker 3 (19:14):
Bet you do.
Speaker 2 (19:15):
I do so.
Speaker 3 (19:15):
Do you do these, by the way, on your phone? No?
Speaker 2 (19:19):
I do them on paper. I can't have the government
seeing how good I am at cryptograms.
Speaker 3 (19:24):
They would draft you in automatically.
Speaker 2 (19:26):
I need my privacy. When he was in the NSA,
Miller conducted offensive computer security research. Offensive like on the offense,
not like oh god, gross, yeah, but his specific operations confidential,
of course, from my eyes only. He left the NSA
(19:49):
and then he served as a lead analyst at Independent
Security Evaluators.
Speaker 3 (19:53):
Love those times, those companies and names like that, You're like, okay,
what yeah?
Speaker 2 (19:57):
And then he later he worked for like he worked
for Twitter for while contributing to the information security team.
Speaker 3 (20:03):
Like for like the NSA. Background. Who knows he's like
my former age.
Speaker 2 (20:08):
Listen to this. He's a four time winner of the
pone to Own security competition. It's p wn numeral two.
Speaker 6 (20:18):
O w N.
Speaker 3 (20:19):
Do you know what I had to do?
Speaker 5 (20:21):
You know what I had to do?
Speaker 2 (20:22):
I went on Google. I hacked in to the Google
mainframe and I typed in, how do you pronounce p wn?
I was like, I want to say it right.
Speaker 3 (20:33):
I appreciate your.
Speaker 2 (20:34):
Thorough phone to own. Okay, that's known as hacking super Bowl.
So for that, he hacked a MacBook Air in under
two minutes. In two thousand and eight, he was the
first to remotely exploit an iPhone and that's like break
in hacking style, not like exploit it, like publish pictures
(20:55):
of it that should be published via malicious SMS message
in two thousand and.
Speaker 3 (21:01):
Seven, so he sent a text message to the phone
and then gave him.
Speaker 2 (21:04):
Yeah, he was the first to hack an Android device
on its launch day, and he exped He exploited the
vulnerabilities there via web kit.
Speaker 5 (21:13):
What that is?
Speaker 3 (21:15):
Yeah, I know that they use often things like oh,
we'll use your calendar or like this phone is like
you don't think about right.
Speaker 2 (21:24):
That's and that's basically what he does. So he has
published the iOS Hackers Handbook, the Mac Hackers Handbook, Fuzzing
for Software Security Testing and Quality Assurance. Like basically is there.
This guy's a real pan.
Speaker 3 (21:41):
He wrote the books on these things.
Speaker 2 (21:42):
He literally wrote the books. Foreign Policy described him as
quote one of the most technically proficient hackers on Earth.
Speaker 3 (21:52):
Foreign Policy given him.
Speaker 5 (21:53):
The Star Buddy.
Speaker 2 (21:54):
Okay, so then we have Chris.
Speaker 3 (21:56):
Thallasek Okay, so not like the pile.
Speaker 2 (22:00):
It's Vallisek. That's another one.
Speaker 5 (22:02):
He was born in eighty.
Speaker 2 (22:04):
Two in Pennsylvania. He got a BS in computer science
from University of Pittsburgh coding.
Speaker 3 (22:09):
So another early com era guy.
Speaker 2 (22:11):
Yeah. He built his reputation through research into Microsoft Windows.
Heap exploitation.
Speaker 3 (22:18):
Sure sounds such a simple term.
Speaker 2 (22:20):
And I know you know what I'm talking about Windows.
I got a window in my room. Heap exploitation. Hap.
Speaker 4 (22:31):
There.
Speaker 2 (22:32):
Think of a heap as a chunk of memory your
computer uses to keep track of things a program creates
while it's running. Okay, Like when a program goes like,
hey man, I need more memory to store this new
the heap. The heap gives it space. The heap is
not alive. The heap cannot hurt you. The heap absorbs.
(22:52):
The heap enjoys a good cheese steak. The heap vacations
in Daytona beach. All right. So, heap exploitation is when
a hacker takes advantage of mistakes in how memory is
managed in it. So they do that in order to
corrupt data, crash program take control of a computer. Do
you understand what I just said?
Speaker 3 (23:12):
Some of it, like taking control of a computer.
Speaker 2 (23:14):
Man, Do I understand what I just said? Absolutely not.
Speaker 3 (23:17):
I had a friend who used to you be on
your computer, and he would get on your computer from
his computer like at his house, start moving the cursor around. Yeah.
I was like, I hate this, I hate all of this.
Speaker 2 (23:27):
I guys do that and it's like, what do I
have open right now?
Speaker 3 (23:29):
Exactly? And he was like, oh, I got in through
this exploit. And I'm like, I swear to God, I'm
gonna come over to your house and beat you up.
Speaker 2 (23:34):
They're like, you're really good at spider solitary.
Speaker 3 (23:36):
Can you hack my fists? How about that?
Speaker 2 (23:40):
So Valasek he became an expert in both the exploitation
of heaps and the protection of heaps. And remember, the
heap cannot hurt you.
Speaker 3 (23:49):
You know, I don't want to tear It.
Speaker 2 (23:51):
Can hear your thoughts, and it knows your darkest intentions,
but it cannot hurt you.
Speaker 3 (23:55):
Saren, Okay, I have to trust the heap.
Speaker 2 (23:57):
So this guy, he had a two thousand and nine
Black Hat presentation titled Practical Windows XP two thousand and
three Heap Exploitation, and then he did a paper in
twenty ten on Windows low fragmentation heap, good stuff. I
find myself going back to my well worn copies and
just like reading them over and over.
Speaker 3 (24:16):
There low frag heap. I love that.
Speaker 2 (24:18):
Each time I read them, I discover something new.
Speaker 3 (24:20):
I bet you do, a little, Colonel, you'd overlooked before.
Speaker 6 (24:22):
Huh.
Speaker 2 (24:22):
Basically, Vallisek is like a super hacker.
Speaker 3 (24:25):
He sounds like sound chair right.
Speaker 2 (24:28):
He shared Summer Con.
Speaker 3 (24:30):
Huh.
Speaker 2 (24:30):
This is one of the US's longest running hacker conferences,
and he's been their chairman Emeritis since two thousand and three.
Speaker 3 (24:36):
Do you think they have good music at the Summer Con? Oh?
Speaker 2 (24:38):
You know it like hot jams. They hack into all
the music mainframes and the motherboard, Sarah. When you look
online for videos about him so you can get a
sense of how to pronounce his name, you'll find yourself
waist deep in Ted talks, like this guy is like
sixty percent Ted talk. His body is six and in
(24:59):
all the videos he doesn't introduce himself, I imagine because
someone has already done it before.
Speaker 3 (25:03):
The recording starts.
Speaker 6 (25:04):
Right.
Speaker 2 (25:05):
So I watched a lot of clips of him walking
onto a stage like polite applause and one of those
nude colored mics attached to his face, like lifts up
a clicker to introduce the first slide of a PowerPoint.
Speaker 3 (25:16):
And you're hoping he says his name, and he doesn't.
Speaker 2 (25:18):
Yep, And I'm gonna tell you I noped out of
those so fast. I just can't. I love myself too
much to do that to myself.
Speaker 3 (25:25):
Yeah, don't pone yourself like that.
Speaker 2 (25:26):
I will give George Santos sixty bucks to entertain listeners,
but I won't subject myself to ted talks, especially when
they're not even six minutes, especially when they're about computers.
So Valasek, He's on video a lot. He's a recognized
speaker at all these INFOSEC conferences, Black at USA, def Con,
def Comedy.
Speaker 3 (25:47):
Jam, I'm just about ask Warp Tour.
Speaker 2 (25:50):
He's also widely cited in media coverage for like all
these pioneering contributions that he has to automotive cybersecurity research.
Here's a quote. Quote please, when I secure cars, now,
the first thing I look at is things that communicate
with the outside world.
Speaker 3 (26:08):
So he said, I just buy old cars so people
can't do any of this stuff exactly. Pretty soon, I'm
just gonna be riding around on a penny farthing wearing clothing.
Speaker 2 (26:17):
So like cars, you say, Chris and Charlie they pioneered
research together into vehicle cybersecurity. So they first demonstrated that
they got physical access to both a Ford Escape and
at Toyota Prius and were able to control their systems.
So like, once they got in physically, they could get
in through the can bus c an bus, which is
(26:41):
the controller area network bus. Sure, but not like a
real bus, like wheels on the bus go round and round.
Speaker 3 (26:47):
Take the thing that like routes traffic for the computer.
Speaker 2 (26:50):
Yeah, it's an internal communication network that lets all the
systems talk to each other. Do you have any idea
how long it took me to like condense it down
into that sentence, because I would start reading things like
I think I'm having a stroke.
Speaker 3 (27:02):
Look on face gives me a hint.
Speaker 2 (27:04):
Yeah, can bus, which then I'm just like, now I
sound crazy.
Speaker 3 (27:07):
Can bus, the bus, cannabus, canna bus.
Speaker 2 (27:12):
By twenty fifteen automakers, they're just like putting more and
more stuff with internet connectivity and like what they call
infotainment systems. Oh yes, into the car. Yeah, they want
to improve the user convenience, but then it also just
opens it up to attack.
Speaker 3 (27:28):
Plenty of exploits, so many.
Speaker 2 (27:30):
Weak spots for the hackers and all the hackens.
Speaker 3 (27:33):
It's like a smog was just Swiss cheese belly. It's
just all these spots. You just one spot. Now he's
got tough.
Speaker 2 (27:39):
All the Pokey's Fiat Chrysler Automobiles, it was one of
a bunch of manufacturers integrating you Connect, which was a
proprietary infotainment system into the cars. It had like navigation,
a Wi Fi hotspot, remote start, voice command capabilities. I
think that's basically what I got down.
Speaker 3 (28:00):
That's what sounds like.
Speaker 2 (28:02):
Some models also had Sprint cellular connectivity that would allow
remote access and updates.
Speaker 3 (28:08):
So you like play from your phone whatever your yeah
to actually connected with the OX.
Speaker 2 (28:14):
Yeah. Super futuristic and great, but also making the car
super vulnerable. It's not properly secured totally. So Miller and
vallisec right. Yeah.
Speaker 3 (28:25):
I had a quick question, do they make essentially like
a Faraday skin for a car? They got into that level.
Speaker 2 (28:30):
That's a really good idea. Guy's got a lead line carduse,
you know, like when they do the ad wraps on
the car. But it's just like with like a with
a guy making a mean face, like don't you dare
waving his face, buddy.
Speaker 3 (28:43):
The graph the crime dog on the hood of your car.
Speaker 2 (28:47):
So our guys. They made it their goal to find
a remote attack vector that wouldn't require physical access to
the vehicle like they need to before. So over the
course of twenty fourteen and twenty fifteen, they set the
sites on Fiat Chrysler's U Connect system, particularly the twenty
fourteen Jeep Cherokee. So they figured, like, okay, we can
(29:09):
get into you connect through that Sprint cellular connection. So
they reverse engineered the firmware, discovered open ports on the
vehicle's Internet facing IP address, and found a way to
rewrite firmware on the infotainment chip like sarahen, I sound
like I work for geek Squad.
Speaker 3 (29:28):
I know you're over here. I'm like, can you fix
my laptop?
Speaker 2 (29:31):
Right? And like totally, I just step on it. Are done.
Using a showdowan, which is a search engine for Internet
connected devices, Sure whatever, buddy, they identified thousands of vehicles
that could be exposed through their cellular modems and they
found this chain of exploits they I mean, they could
(29:53):
get into all these crazy things critical vehicle systems, and
they were eventually able to bridge the gap between the
infotainment system and the.
Speaker 3 (30:02):
Can bus boom.
Speaker 2 (30:04):
They got in, like I want in on that can.
This means that once they were inside, they can send
commands to like key vehicle functions like the gas, pedal,
air conditioning, and radio. They could put fake images on
a dashboard. They can control the windshield wipers, they could disable.
Speaker 3 (30:22):
The brakes, disable the brakes.
Speaker 2 (30:25):
The steering, misnipulate steering. And they set out to do
a very dangerous and most likely illegal demonstration of this.
Speaker 3 (30:33):
Yeah, I would imagine.
Speaker 2 (30:34):
Zerin close your eyes. I want you to picture it.
It's July of twenty fifteen. You are sitting in a
twenty fourteen jeep Cherokee driving down the highway in Saint Louis.
Speaker 5 (30:51):
There.
Speaker 2 (30:51):
You are cruising along. It's seventy miles an hour. Then
suddenly the air conditioner roars to life, blasting the car
with arctic air. Haven't touched a thing. Immediately after that,
the radio comes on. What had been a silent ride
is now one with booming hip hop at top volume.
The speakers in the back rumble. You turn the volume
(31:12):
knob to silence the stereo system, but nothing happens. The
song is still blaring the knob. She needs nothing. Suddenly,
the windshield wipers come on. You didn't touch those either.
Wiper fluid sprays.
Speaker 5 (31:24):
The windshield while you speed down the highway. You can't
get them to stop.
Speaker 2 (31:28):
Just then, an image appears on the car's digital display.
It's a photo of two guys in matching tracksuits. You
take a deep breath and try to stay calm. The
radio cuts out. That's relief, but then so does the accelerator.
The transmission is dead. You pump on the gas pedal,
but nothing. The jeep quickly loses speed, moving slower and slower.
(31:50):
You'd pull over onto the shoulder, but you can't because
you just got to an overpass. There's no shoulder, and
you're starting to go uphill. The cars behind you slam
on their brakes and lean on the lawrence is a
swerve around you. You look in the rear view mirror
and you see a semi truck approaching. The radio comes.
Speaker 5 (32:06):
Alive again with more hip hop.
Speaker 2 (32:08):
Please please please let me survive this.
Speaker 5 (32:10):
You think you fubble for your phone and you make
a call.
Speaker 2 (32:13):
You aren't calling the highway patrol or the cops, or
state troopers or even Triple A. You are calling Charlie
Miller and Chris Vallasek. See you are Andy Greenberg, award
winning journalist and writer for Wired magazine, and you've agreed
to be their guinea pigs. They set out to prove
just how easy it is to do bad with cars
(32:34):
in this current system. You beg them to stop, to
give you back control of the car. You manage to
roll the jeep to an exit ramp, turn the car
off and then on again, basically rebooting it, and then
you get to an empty lot where your experiment can continue.
Speaker 3 (32:48):
Now, why did they get on the road. Why didn't
he to go to like a Walmart parking lot to
do this?
Speaker 2 (32:53):
No, I got so nervous, and they told him before
he got the like, don't whatever happens, don't panic. Now
here's the thing, So Greenberg he gets the jeep to
safety and they all continue their work. The guys were
at Miller's house ten miles away, so they don't have
eyes on him. From Greenberg's Wired article quote Miller and
(33:17):
Vallisex full arsenal includes functions that at lower speeds fully
kill the engine, abruptly engage the brakes, or disable them altogether.
The most disturbing maneuver came when they cut the jeep's brakes,
leaving me frantically pumping the pedal as the two ton
suv slid uncontrollably into a ditch. The researchers say they're
working on perfecting their steering control. For now, they can
(33:39):
only hijack the wheel when the jeep is in reverse.
Their hack enables surveillance too. They can track a targeted
jeep's GPS coordinates, measure its speed, and even drop pins
on a map to trace its route. Unbelievable, So, of course,
the whole thing was done with Greenberg's consent, sure as
a way to publicize the danger of you connect and
get the Endo street to respond, let's take a break.
(34:02):
When we get back from this ad venture, I'll tell
you just how they responded.
Speaker 3 (34:27):
Zarin, Oh, Elizabeth, we're back.
Speaker 2 (34:30):
We're back in the twenty fourteen cheap.
Speaker 3 (34:31):
I had to shake that one off.
Speaker 2 (34:32):
I know that was a nightmare, as a total daymare.
Speaker 3 (34:35):
I thought it was bad and if someone took over
my computer but being in the car they're taking over
and then like I gotta trust them. Oh yeah, I
don't worry. I'll art it all back.
Speaker 2 (34:42):
Very maximum overdrive. And I don't like it one bit.
Speaker 3 (34:44):
And there's not enough of Meia the West of US
in that for me I feel safe.
Speaker 2 (34:47):
Yeah, there needs a whole lot more so. After that
Wired article, Fiat Chrysler, they took swift action. July twenty fourth,
twenty fifteen, they issued a voluntary safety recall for one
point four million vehicles in the US in order to
fix those software vulnerabilities. And so that was models from
(35:08):
twenty thirteen to twenty fifteen that had eight point four
inch touchscreen. So twenty fourteen, twenty fifteen Jeep, Cherokee, twenty
fifteen Dodge Challenger, which like, I don't want one of
those self possessed rubbing down the road, twenty fifteen, Chrysler
two hundred and others. Chrysler dodged Jeep and Ram lines.
Fiat Chrysler sent out a USB drive by mail to
(35:30):
affected owners with the patch like diy, I guess steal
a Kia drive that around instead the owners They could
also go to a dealership for installation if they weren't hackers,
you know. In addition, Sprint closed the open cellular ports
that the hackers had used, which like, why didn't you
(35:51):
do that originally?
Speaker 3 (35:52):
Yeah? Did they cost a penny to do?
Speaker 2 (35:53):
Now, the National Highway Traffic Safety Administration they opened an
investigation and then they find Fiat Chrysler one hundred and
five million dollars.
Speaker 3 (36:02):
Why did they find them for just being.
Speaker 2 (36:05):
A production They're flying too close to the sun, Like
you thought you were so special, arrogance. Well, it wasn't
just for the Jeep vulnerability, but there were like a
series of recalls that were kind of mishandled leading up
to me. So like, you guys are bungling everything one
hundred and five million, but the Jeep incident was like yeah, yeah,
(36:26):
so the hack that had lasting implications far beyond Fiat Chrysler.
Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut
they introduced the Security and Privacy in Your Car Act,
the Spy.
Speaker 3 (36:41):
Car Act right.
Speaker 2 (36:44):
The bill would require cybersecurity standards for vehicles, isolation of
critical software systems, real time hacking detection systems, and then
transparency on how car companies collect and share driver data.
It's a great bill.
Speaker 3 (36:59):
Sounds like didn't pass, Oh my goodness.
Speaker 2 (37:01):
Of course, not my feeling. I'm thinking the sticking point
was the transparency on how car companies collect and share
driver data, probably because that's like, you know, that's a
commodity and.
Speaker 3 (37:11):
They generally avoid that for either that's our data.
Speaker 2 (37:14):
Yeah, the customer like spending and travel, and then also
like how you connect to like insurance companies.
Speaker 3 (37:20):
Yeah, that they didn't want like a trade secrets, like
we're selling everything.
Speaker 2 (37:24):
Was just like this driver like yeah, they speed all
the time, increase their rates. Oh, they wouldn't know otherwise.
I don't know, that's my guess.
Speaker 3 (37:31):
I was thinking that they were already doing that. They're
killing the insurance company for a price.
Speaker 2 (37:34):
They already do. But I'm just saying like that was
that's I think that, like this is something that car
companies would kill because it's going to cost him money
beyond just like changing the tech.
Speaker 3 (37:45):
It's something valuable to them. Yeah, data that is.
Speaker 2 (37:48):
That's just me guessing.
Speaker 3 (37:49):
I'm speculating to the BUIL didn't.
Speaker 2 (37:52):
Pass, but it like spurred all these discussions about automotive
cybersecurity standards. In twenty sixteen, the Automotive Information Sharing an
Analysis Center, they released their best practices for cybersecurity, and
you know, most of the major manufacturers of automobiles they
picked that up. The gpack made it super clear infotainment
(38:14):
systems have to be segregated out from like the critical
vehicle control stuff. You can't have it all just riding
us together, exactly, And so Miller and Vallisek they later
got hired by Uber's Advanced Technology Center to work on
their self driving car security, and then they both worked
as principal autonomous vehicle security architects at Cruse Automation, which
(38:37):
was GM's self driving cars. The latest and more visible
victim of hackings is, of course Tesla.
Speaker 4 (38:49):
Yeah.
Speaker 2 (38:49):
Well, I should note that Tesla has a bug bounty program.
So if you can hack them and then show them how,
they'll give you cars or money or something. Of the
cyber trucks. It doesn't they can't sell you know, here
have one, you have five? Yeah, and I'm just like,
I hacked you guys. They're like, you no need to
have proof. Take a cyber's your problem now. Some of
(39:13):
that bacon from the diner. The whole thing, though, the
Tesla is like one big computer and the cars are
all about like connectivity and such and like you know,
things like watching YouTube while you pretend to drive while
autopilot's on and you're facetiming your buddy.
Speaker 3 (39:28):
Sure important thing, yeah exactly.
Speaker 2 (39:30):
In twenty sixteen, researchers from Keen Security Lab they found
multiple vulnerabilities in the Tesla model S that allowed remote
control of the car from up to twelve miles away
via the Wi Fi or cellular connection. So that's okay,
one year after this jeep thing, you know, someone's on
like an Atari sixty four driving your Tesla around. So
(39:53):
they found vulnerabilities in the infotainment system once again that
darned can bus access to the browser autopilot braking functions,
so they were able to like open the sun roof,
move the seats, control side mirrors, turn on the turn signal,
and then like slam on the brakes remotely while the
car was.
Speaker 3 (40:13):
In so still operating like the car itself, not just the.
Speaker 2 (40:16):
Features, yeah, but then like oh and the break ps
the brakes. Tesla saw this and then pushed an over
the air software update within ten days of the disclosure,
and then they also improved isolation between the systems like
we you know, infotatement and critical components.
Speaker 3 (40:32):
Separated firewall that stuff.
Speaker 2 (40:34):
Yes, talk, I love that, that's firewall.
Speaker 3 (40:38):
That's good, thank you.
Speaker 2 (40:39):
I just learned that one myself. In twenty twenty, fluoro
Acetate struck.
Speaker 3 (40:45):
That's a hacker.
Speaker 2 (40:46):
It's a well known security research team. So they share
a call sign Richard Zoo and amacamma. They were at
pone to own once again Vancouver hacking. Remember, yeah, the
super Bowl hack exactly, And that's where they exploited a
vulnerability in the Tesla Model threes infotainment system using a
(41:07):
JavaScript jit just in time jure in the WebKit engine.
We're back with webkits. The exploit allowed them to gain
control of the system when the driver visited a specially
crafted web page, so like if you're browsing around, you
have to put the web page into the giant screen
(41:28):
inside the car. And it gave them access to display messages.
They could control infotainment features like I'm going to put
on a different channel, interact with subsystems connected via the can,
but they couldn't directly control the driving, so.
Speaker 3 (41:44):
They can make you watch criminal minds against your will.
Speaker 2 (41:47):
Hundred percent, and so that was like purely infotainment. They
couldn't direct the actual car. But this was part of
a challenge at the competition, not a rogue mission to
embarrass Tesla. So Tesla awarded the hackers a Tesla Model
three and forty thousand dollars in prize money.
Speaker 3 (42:03):
So it was like a sponsored hackophone.
Speaker 2 (42:04):
Sponsored hackaphone. And then they patched that.
Speaker 3 (42:07):
Vulnerability quickly they should.
Speaker 2 (42:08):
You know, be via a software update.
Speaker 3 (42:11):
So this is like their version of beta testing, is like, hey,
we're going to put the car out, then you find
the flaws and we'll fix those exactly.
Speaker 2 (42:17):
Yeah, it's sort of like self check out. Suddenly I
work for the supermarket. Yeah, suddenly you work for Tesla.
So like, hold on, do you have Bluetooth in your
carp Yeah? See I do.
Speaker 3 (42:27):
Yeah, I wasn't kidding about I buy older cars.
Speaker 2 (42:30):
One time I let someone, someone who's a co host
of a murder free true crime podcast, connect his bluetooth
in my car. Yes, and now I know this fellow connected.
If I'm near you and your phone, you connect to
my car. So like you'll be in the parking lot
at headquarters on a phone call. I'm parked near you.
(42:51):
I go to start my car and suddenly your call
is in.
Speaker 3 (42:54):
My bluetoth You're talking to my mother.
Speaker 2 (42:55):
And I've got someone saying hello, Hello, or I'm suddenly
listening to the serious XM Radio Classics episode that you've
got playing on the radio Classic.
Speaker 3 (43:04):
Oh yeah, you like Jack Benny. I hope you do.
Speaker 2 (43:06):
What I'm saying is that I think my car likes
you better, which doesn't seem fair.
Speaker 3 (43:11):
So your your phone doesn't connect to the bluetooth, it.
Speaker 2 (43:14):
Gets kicked off by yours. Like you've basically hacked me.
You're a hacker, now hack Yeah, anyway, This dude, Leonard
Wooters is a security research at ku Leuvin University in Belgium.
June twenty twenty two, he exploited vulnerabilities in Tesla's Bluetooth
low energy keyless entry system. So we've gone through all
(43:37):
these other ways in now we got Bluetooth. So he
had like what's called a relay attack. He could unlock
and start a Tesla both model three and Model y
by relaying signals from the owner's phone or key card.
And he could do this even if it was inside
a nearby building. Obviously not in a fair date box.
So the bl systems there intercepted using cheap off the
(44:01):
shelf hard where like the Oakland car thieves use. And
it's basically the same thing. You get there, you pick
up the signal, you clone it. So he's unlocking doors,
you start in the car driving away. Tesla, though, didn't
consider it a flaw in its system, because the ble
relay attacks are a known risk with passive entry systems.
They're like, it's not just us all through the Oakland Hills.
(44:26):
So he was like, this guy, this hacker recommended that
people turn off passive entry or use in a Tesla
pin to drive like a personal identification number, requiring a
code to be able to drive.
Speaker 3 (44:37):
I need like two factor authentication to get into my car.
Speaker 2 (44:40):
Is such a hassle to get in the car. Nobody
listened to this guy. Everyone's like, whatever, I.
Speaker 3 (44:46):
Will leave websites if I have to get on my iPad.
I'm like, Daily Beast, why are you making me go
to my iPad?
Speaker 2 (44:51):
No, big, nope, how about do.
Speaker 3 (44:53):
I want to read this story to own? They're back
the super Bowl of hacks.
Speaker 2 (44:57):
They went after Tesla again in twenty twenty five. The
Sinactive team, that's Thomas Imbert, Vincent Dehores, David Barrard. They
targeted Tesla's vehicle control system Electronic controller VC secure. It's
a critical module in the Tesla Model three that's responsible
(45:17):
for security functions like immobilization, door locking and then handling
data from the tire pressure monitoring system.
Speaker 3 (45:24):
So they turned the security specialist into the vulnerability. Yes, interesting, And.
Speaker 2 (45:29):
They did that at pone to Own Automotive twenty twenty
five in Tokyo.
Speaker 3 (45:32):
Twenty twenty five.
Speaker 2 (45:34):
This is recent, this is earlier this year. So just
like in the other cases, they used Bluetooth, they got
into the can.
Speaker 3 (45:40):
But got that can bus.
Speaker 2 (45:42):
Get all on the bus. Maybe if they'd had some
heap exploitation going on, we wouldn't be in this situation.
Speaker 3 (45:48):
Yeah, that's what I'm thinking.
Speaker 2 (45:49):
If you can access the ratchet router with the VPN
card and so on, case closed. So now there was
also a time that Tesla itself, not the cars, got ACKed.
Two former Tesla employees who were unnamed in public filings.
They leaked over one hundred gigabytes of internal data to
a German media outlet, and that all came to light
(46:11):
in August of twenty twenty three, but the breach had
occurred earlier that year.
Speaker 3 (46:14):
Did they use a car to hack Tesla?
Speaker 2 (46:16):
They hacked Tesla with a Tesla?
Speaker 3 (46:18):
Wow?
Speaker 2 (46:19):
No, I don't know. Anyway, they got into the Tesla servers.
They leaked autopilot system secrets. Oh, good for them, customer secrets,
customer personally identifiable information. That's bad, employee records that's not good.
And then some of the leaked documents allegedly detailed quote
(46:41):
Tesla crash reports, I'm happier with that internal discussions on
auto pilot related accident. No, the internal discussions about them.
So they're like whatever, They could look like a loser anyway,
you know what I mean, Like I'm guessing. I don't know.
So Tesla immediately took legal action. They four the ex
employees to surrender devices and data, and they notified affected
(47:05):
individuals of the breach. I mean, this isn't like a
traditional software hack, but it exposed highly sensitive vehicle systems
and customer data, major insider cybersecurity threat Sounds like it's
like our cars are now rolling cybersecurity threats, Like we
basically drive around in big computers.
Speaker 3 (47:23):
Yours are. Yeah, I'm over here in a seventy eight
catalyg I know.
Speaker 2 (47:27):
It's You're so lucky. It's not just the physical actions
of the car that's vulnerable. Like we have all this
personal information. Look at me, I'm getting text messages.
Speaker 3 (47:36):
Text with your car.
Speaker 2 (47:37):
I think that's wild to me. Yeah, I think that's
where the Democratic Party keeps getting my information to text
mealy anytime anything happens. So cars they collect GPS, location history,
call logs, contacts. You know, you can load your contacts
from your phone into your car, so your car can
call I guess voice recordings.
Speaker 5 (47:56):
They can log your behavior and give.
Speaker 2 (47:57):
It to insurance companies.
Speaker 3 (47:59):
Wow.
Speaker 2 (48:00):
The biggest thread of this, I think is having your
information sold to marketers and corporations.
Speaker 3 (48:04):
Sure, that too.
Speaker 2 (48:06):
Ripe for criminal tinkering, of course, but it could go
beyond street crime because think about it, like nation state
actors could target infrastructure like fleet vehicles.
Speaker 3 (48:15):
Oh yeah, I're also like the partner of somebody who
works for the government, and then they can just be
in the car talking on their phone making safe and
all of a sudden, other cars.
Speaker 2 (48:22):
Listening to Oh yeah, terrorists could hijack cars for sabotage.
What I'm trying to say is that we need to
go back to an agrarian society and all ride bikes.
Speaker 3 (48:32):
I love that.
Speaker 2 (48:32):
Make it stop, everyone on a bike. I don't want
to do this anymore. That's what I'm trying to say.
And with that, I'm going to go get into my car,
listen to satellite radio, call my mom via bluetooth on
the stereosystem unless you hijacket, and then I'm going to
use my GPS to go do crimes in the woods.
So just take the edge off, Zarin. What's your ridiculous takeaway?
Speaker 3 (48:52):
You know, as I've complained about it often exact to
deal with them. Both of my parents are Luddites, right.
They neither one has an iPhone or any Android. They
both have flip phones. They won't do email. My mother
still has an Aol account, like you know, their total
bloods with the fact that they have computers is like
a major step and unfortunately I think they're right well
(49:15):
kills me right. Yeah, she pays like whatever, fifty dollars
a month to do like four things or whatever. I'm like,
what is wrong with you? What is your ridiculous take away? Elizabeth?
Speaker 2 (49:24):
Where did this takeaway? Is that computers bad that I
need them. We all do, so, Dave, can I please
have a talk back?
Speaker 3 (49:32):
Oh yeah, oh.
Speaker 4 (49:37):
My god, I love get.
Speaker 6 (49:47):
Hi Elizabeth Saron and producer d This is Ali from
South Carolina. I have loved the show for years now
and I just listened to the wig jacking episode and
then about a day later, happy to come across an
image of the painting a Sundae on lagrange jat or
however you pronounce it. Who knows who cares? And as
(50:07):
I'm sure you know, in the bottom corner of that painting,
there is a little monkey on a leash and a
small dog staring out. And all I could think about
from that little monkey and little dog is that they
were scoping out the scene looking for their next heist
because they'd had to move on from.
Speaker 2 (50:27):
Their wig work.
Speaker 6 (50:27):
So maybe they were on hat stealing or just there
to cause general ruckus. I don't know, but I support
them either way. Anyways, Love you guys, love your show.
Thanks so much for all you do, and see you
again next crime.
Speaker 3 (50:42):
I love that.
Speaker 2 (50:43):
This is this is what the power of good art
right that tells you this story And I love this.
I love your your so perceptive picking up all the
little bits and bobs and the sool. That's it for today.
You can find us online at ridiculous Crime dot com.
Speaker 5 (51:02):
This just in.
Speaker 2 (51:03):
The website won the Hollywood Foreign Press Hackproof Award. They
have declared our website hackproof. Nice I know, good job team.
We're also at Ridiculous Crime on both Blue Sky Instagram.
We're on YouTube at Ridiculous Crime Pod. You can email
us at ridiculous Crime at gmail dot com, leave a
talkback on the iHeart app reach out. Ridiculous Crime is
(51:31):
hosted by Elizabeth Dutton and Zaren Burnett, produced and edited
by HackMaster Dave Cousten, starring Analys Rutger. This Judith research
is by aftermarket Penny Farthing Bluetooth installer Marissa Brown. The
theme song is by hacking duo The Bongo Boys aka
Thomas Lee and Travis Dutton. Post wardrobe is provided by
Botany five hundred guest here and makeup by Sparkleshot and
(51:54):
Mister Audrey. Executive producers are Exhausted Tesla Legal Team, Ben Bowen.
Speaker 4 (52:00):
That's Old Brad, Ridicous Crime, Say it one more Timequeous Crime.
Speaker 1 (52:12):
Ridiculous Crime is a production of iHeartRadio four more podcasts
from my heart Radio. Visit the iHeartRadio app, Apple Podcasts,
or wherever you listen to your favorite shows.
Hosts And Creators
Zaron Burnett
Elizabeth Dutton
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
My Favorite Murder with Karen Kilgariff and Georgia Hardstark
My Favorite Murder is a true crime comedy podcast hosted by Karen Kilgariff and Georgia Hardstark. Each week, Karen and Georgia share compelling true crimes and hometown stories from friends and listeners. Since MFM launched in January of 2016, Karen and Georgia have shared their lifelong interest in true crime and have covered stories of infamous serial killers like the Night Stalker, mysterious cold cases, captivating cults, incredible survivor stories and important events from history like the Tulsa race massacre of 1921. My Favorite Murder is part of the Exactly Right podcast network that provides a platform for bold, creative voices to bring to life provocative, entertaining and relatable stories for audiences everywhere. The Exactly Right roster of podcasts covers a variety of topics including historic true crime, comedic interviews and news, science, pop culture and more. Podcasts on the network include Buried Bones with Kate Winkler Dawson and Paul Holes, That's Messed Up: An SVU Podcast, This Podcast Will Kill You, Bananas and more.
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.