Randahl Fink

3 months ago

Randahl Fink
3 months ago

The most thought proving article I have read this week:

A Norwegian bus company wants to know if their buses could be abused by China in the case of war.

So they drive two buses deep into a limestone mine to isolate them from the internet and forensically investigate how they work.

In the mine, investigators discover a Chinese kill switch which could destroy all Chinese buses.

In Denmark, that is 57 percent of the bus fleet.

Source (Danish):

zetland.dk/historie/svNwC3c5-a…

Dybt i et norsk fjeld blev en kinesisk bybus splittet ad. En status på vores frygt

En kinesisk bus blev nøje analyseret for mystiske signaler.

^{Kaare Sørensen (Zetland)}

reshared this

in reply to Randahl Fink

Raimund Eder

in reply to Randahl Fink 3 months ago

@eingfoan frightening

@EINGFOAN

in reply to Randahl Fink

Manfred

in reply to Randahl Fink 3 months ago

Sensitive content

in reply to Manfred

MarjorieR

in reply to Manfred 3 months ago

@titanmanfred John Deere tractors aren't cheap, to buy or to repair.
I wonder where the Chinese got the idea of software/IP lock in from?

pluralistic.net/2022/08/15/dee…

Pluralistic: 15 Aug 2022 – Pluralistic: Daily links from Cory Doctorow

^{pluralistic.net}

@Manfred

in reply to MarjorieR

MarjorieR

in reply to MarjorieR 3 months ago

@titanmanfred just to amplifiy this point. Nearly all internet connected devices have a kill switch.

Teslas have a kill switch
Your ISP supplied router has a kill switch
Your phone has a kill switch
Your Windows computer has a kill switch
Your programmable bed has a kill switch
Your robot vacuum has a kill switch
Your MS Mail account and your Bank account has a kill switch (ask ICC judges)
Your data in the US owned cloud (even if hosted in Europe) has a kill switch
F35 planes, NATO donated to Ukraine, have a kill switch.
Your Polish locomotive has a kill switch (activated if you try and use an independent repair shop).
All these have been mentioned in the news and in the Fediverse recently.

Most of these are controlled by US or Chinese companies. Particularly with Trump in charge and alll the tech Billionaires subbing him are you sure that the American ones are less lilkely to be used against you by the USAian companies than the Chinese companies to disable your kit and maybe your life?a

@Manfred

This entry was edited (3 months ago)

in reply to MarjorieR

Manfred

in reply to MarjorieR 3 months ago

Sensitive content

@MarjorieR

in reply to Manfred

Ed Bridges

in reply to Manfred 3 months ago

The media in this post is not displayed to visitors. To view it, please go to the original post.

@titanmanfred @marjolica Attaboy. 😉

@MarjorieR @Manfred

in reply to Ed Bridges

⁂ Fish Id Wardrobe

in reply to Ed Bridges 3 months ago

@DrEdBridges @titanmanfred @marjolica you should probably save that one for when linux isn't just mentioned in passing and also relevant to the discussion.

@MarjorieR @Ed Bridges @Manfred

in reply to Randahl Fink

Osma Suominen

in reply to Randahl Fink 3 months ago

US made John Deere tractors also have a kill switch and it has been used to disable some of them (in this case tractors stolen by Russian troops) remotely:

orchardandvine.net/news/john-d…

edition.cnn.com/2022/05/01/eur…

(EDIT: this was also mentioned briefly in the Danish article linked above)

John Deere ‘Kill Switch’ Renders Stolen Tractors Useless

John Deere has struck a blow against the Russian Army, in its war of aggression in Ukraine.

^{orchardandvine.net}

This entry was edited (3 months ago)

in reply to Randahl Fink

jesterchen42

in reply to Randahl Fink 3 months ago

To be honest: I'd love a broad scale analysis of this. Few days ago it as a vacuum cleaner, now buses...

Test this in all things. From mobile phones to cars (don't care if Chinese, US or German), smart beds (well... actually leave these ones out. Who buys a bed that needs internet?!), switches, routers, water pumps, ....

I bet they'll find stuff in too many places.

in reply to jesterchen42

Randahl Fink

in reply to jesterchen42 3 months ago

@jesterchen I would like all hospital equipment to be tested.

@jesterchen42

in reply to Randahl Fink

jesterchen42

in reply to Randahl Fink 3 months ago

And everything for critical infrastructure (water supply etc). The rest are details.

in reply to Randahl Fink

Pēteris Krišjānis

in reply to Randahl Fink 3 months ago

there is a little thing called a specification when you buy something. You need to be absolutely sure you have full control over your technology you own.
Some people might find open hardware and open source guys annoying but this what they talk about.

m0xEE likes this.

in reply to Randahl Fink

Arthur van der Harg

in reply to Randahl Fink 3 months ago

Not just China doing this. I remember arstechnica.com/tech-policy/20…

It is generally not a good idea to give others control over apparatuses that you own.

Trains were designed to break down after third-party repairs, hackers find

The train manufacturer accused the hackers of slander.

^{Ashley Belanger (Ars Technica)}

in reply to Arthur van der Harg

Randahl Fink

in reply to Arthur van der Harg 3 months ago

@ArtHarg wild. Thanks for that link.

@Arthur van der Harg

in reply to Randahl Fink

Nicolas Fournier

in reply to Randahl Fink 3 months ago

@ArtHarg

you have plenty of this, everywhere
one of my favorite is farmers using hackers to be able to self-repair their tractors...

copperhilltech.com/blog/farmer…

Farmers Are Hacking Their Tractors Because of a Right to Repair Ban

For decades, American farmers have been at the mercy of agricultural equipment manufacturers, who have locked down their tractors with proprietary software, restricting repair options and forcing owners to seek expensive, manufacturer-approved servic…

^Copperhill

@Arthur van der Harg

in reply to Randahl Fink

Thierry Van Kerm

in reply to Randahl Fink 3 months ago

What! 🤨 How would the switch destroy the bus? What's the trick?

in reply to Thierry Van Kerm

Randahl Fink

in reply to Thierry Van Kerm 3 months ago

@thierry_van_kerm for instance, systems that download software updates, could potentially download a software update which deliberately contains errors.

@Thierry Van Kerm

in reply to Randahl Fink

Thierry Van Kerm

in reply to Randahl Fink 3 months ago

Is this really surprising?
And, btw, don't you think the US (or Russia) don't do the same?

Time for Europeans to grow up, to stand up and get their balls unleashed from whoever hold them tight! 🙂

in reply to Randahl Fink

The Penguin of Evil

in reply to Randahl Fink 3 months ago

@thierry_van_kerm which is also a risk even if the supplier is honest. It's how the Russians destroyed a whole load of satellite kit just before Ukraine kicked off. Compromise the vendor downloads and ship firmware that physically burns the flash memory. At that point it's probably a PCB swap to restore for most users. A PCB that won't be stocked in bulk, probably uses components no longer manufactured and cannot trivially be mass manufactured again.

@Thierry Van Kerm

in reply to Randahl Fink

Christian Klüber-Demir 🏈

in reply to Randahl Fink 3 months ago

Here's another article about this in German:

derstandard.at/story/300000029…

Chinesische Busse in Oslo könnten von China aus gesteuert werden – sie fahren auch in Amstetten

Die Verkehrsbetriebe der norwegischen Hauptstadt testeten im Sommer neu angekaufte Fahrzeuge. Auch in Dänemark und in Niederösterreich fahren die Busse

^{DER STANDARD}

in reply to Randahl Fink

Bernard

in reply to Randahl Fink 3 months ago

with reference to some comments below, the USA is far worse on this topic. They call it intelectual property rights. Which makes you hand over all the sensor data of the John Deer plough, seeder or harvester to the USA mothership. Which is then sold to hedge funds to hedge against the price of the harvest you as a farmer have invested in and worked hard for. So your farm data is used by biljonairs to increase their wealth at the expense of the farmers doctorow.medium.com/about-thos…

Medium

^Medium

in reply to Randahl Fink

panu

in reply to Randahl Fink 3 months ago

The existence of a kill switch is one thing, but what's more fundamental here in the case of a bus is why on earth it has to be connected to the public internet in the first place?

It just doesn't make sense.

in reply to Randahl Fink

umberto aisone

in reply to Randahl Fink 3 months ago

The media in this post is not displayed to visitors. To view it, please go to the original post.

Peraphs not..

@randahl

We must ask ourself where this suspious comes from? I've get you a clue in the interview linked below.

@Randahl Fink

This entry was edited (3 months ago)

in reply to Randahl Fink

slotos

in reply to Randahl Fink 3 months ago

Reminds me of Polish train manufacturer bricking their trains located close to independent repair shops.

So far, the only people suffering for this decision are the people that helped unbrick the trains in question.

hackaday.com/2023/12/14/polish…

This is not a China phenomenon but a greed one. Not to say that Chinese government doesn’t enjoy the results, just that I doubt they had to actively instruct anyone to include these kill switches.

Polish Train Manufacturer Threatens Hackers Who Unbricked Their Trains

A week ago we covered the story of a Polish train manufacturer who was caught using software to brick their products after they had been repaired by in independent railway workshop. Now 404 Media h…

^Hackaday

in reply to slotos

Børge

in reply to slotos 3 months ago

@slotos Demanding that publicly bought hardware needs to have free software is a huge part of the solution to this massive problem.

@slotos

in reply to Børge

Randahl Fink

in reply to Børge 3 months ago

@forteller indeed!@slotos

@Børge @slotos

in reply to Randahl Fink

waldi

in reply to Randahl Fink 3 months ago

Now I wonder which car built in the last five years is not connected to the internet and can receive commands from it.

in reply to Randahl Fink

NoBorg

in reply to Randahl Fink 3 months ago

European option:

"The extensive network of IVECO BUS and IVECO service points guarantees support wherever a vehicle is operating worldwide. The manufacturer employs more than 5,000 people and has five factories, located in Annonay and Rorthais in France, in Vysoké Myto in the Czech Republic, and in Brescia and Foggia, in Italy."
ivecobus.com/france/La-Marque

La Marque - En route vers le changement | IVECO BUS |

IVECO BUS, acteur clé du transport public. Découvrez notre entreprise, nos équipes, et comment nous menons le changement.

^{www.ivecobus.com}

in reply to Randahl Fink

NoBorg

in reply to Randahl Fink 3 months ago

Sad story, Alstom Aptis was manufacturing good electrical buses in Alsace, France, but due to low demand, they cease activities in 2021.
European Union countries should give priority to EU products so that OUR companies don't close and to prevent sad surprises.

fr.wikipedia.org/wiki/Alstom_A…

Alstom Aptis — Wikipédia

^{Contributeurs aux projets Wikimedia (Fondation Wikimedia, Inc.)}

in reply to Randahl Fink

Graeme 🏴󠁧󠁢󠁳󠁣󠁴󠁿

in reply to Randahl Fink 3 months ago

Or if you "own" an F35 and the Orange Leader of Trumpistan decides it won't fly where you want it to go. Or fires it's missiles for you...

in reply to Graeme 🏴󠁧󠁢󠁳󠁣󠁴󠁿

Slyence

in reply to Graeme 🏴󠁧󠁢󠁳󠁣󠁴󠁿 3 months ago

@pa27 thats a bunch of bullshit

Here’s what can happen:
You can get cut off from software updates
You can get cut off from American made parts

But guess what - America needs the parts made in evey f35 partner nation to keep their jets flying too

The program forces everyone to play nice

@Graeme 🏴󠁧󠁢󠁳󠁣󠁴󠁿

in reply to Slyence

Randahl Fink

in reply to Slyence 3 months ago

@Slyence that is a good point.

@Slyence

in reply to Randahl Fink

TrimTab 🇺🇦

in reply to Randahl Fink 3 months ago

Kill switches are fantastic folks. The question is only about who controls the switch.

-- When the owner of the asset can control the kill, it is a boon for privacy, anti theft, and pro security.

-- When an adversary controls it, it is coercive, malicious, dangerous and predatory.

in reply to Randahl Fink

Anders Lund

in reply to Randahl Fink 3 months ago

If google or apple can update software in my phone while I sleep I *have been hacked* 😛

in reply to Randahl Fink

Kerplunk

in reply to Randahl Fink 3 months ago

A Norwegian bus company wants to know if their buses could be abused by China in the case of war.
in the mine, investigators discover a Chinese kill switch which could destroy all Chinese buses.

BOLLOX

Thank you for replicating the ridiculous accusations. A sim card and update box was found.
That system is used in thousands of buses, trains, cars, tesla for example can be switched off from usa as can john deer tractors.

in reply to Randahl Fink

65dBnoise

in reply to Randahl Fink 3 months ago

Isn't this a well known practice? Isn't Tesla doing the same with OTA sw updates, performance monitoring et.c. of the vehicles they manufacture?

But, I guess, we are all conditioned to see #US #technofascism as more acceptable, for some reason.

#us #technofascism

Cassandrich reshared this.

in reply to 65dBnoise

Randahl Fink

in reply to 65dBnoise 3 months ago

I do not consider that acceptable at all. That is why I would never buy a Tesla.

This entry was edited (3 months ago)

in reply to 65dBnoise

Paco Hope

in reply to 65dBnoise 3 months ago

I think @65dBnoise has a point. I’m pretty sure the same sort of feature is built into nearly every “smart” lightbulb and “smart TV.” The issue is not the nationality of the software developer. It’s the whole notion of being dependent on some cloud service, generally.

If the authors think war is the only reason the company would use that kill switch (or even the most likely reason) try repairing a bus with unapproved parts or trying to make unauthorised modifications to the software running on the bus. Or maybe just try not paying the bill.
@randahl

@Randahl Fink @65dBnoise

in reply to Paco Hope

Mike Spooner

in reply to Paco Hope 3 months ago

@paco @65dBnoise or even, just expressing a preference for a different political viewpoint...

@Paco Hope @65dBnoise

in reply to Mike Spooner

Paco Hope

in reply to Mike Spooner 3 months ago

@shelldozer C’mon. Be realistic. If the Danish rep in the UN condemns the treatment of Uighurs in China, the Chinese bus manufacturer is not going to retaliate by bricking a bunch of buses in Denmark. The diplomatic fallout would be extreme.

The point is well taken that once it’s possible to brick these buses at all, it is possible to do that for a trivial reason. And what they discovered is that it is possible. But that doesn’t make it likely that they would do this for a trivial reason.

Sadly, I can’t figure out how to pass that article through a translator so I haven’t read it. When I hand it to google translate on my phone, Danish still comes out.
@65dBnoise @randahl

@Randahl Fink @65dBnoise @Mike Spooner

in reply to Paco Hope

Randahl Fink

in reply to Paco Hope 3 months ago

@paco just copy the text and paste it into translate.google.com.

@shelldozer @65dBnoise

@Paco Hope @65dBnoise @Mike Spooner

in reply to Randahl Fink

Paco Hope

in reply to Randahl Fink 3 months ago

Thanks. I know how to do that. I’m just waiting until I am at a desktop. It’s a pain in the ass on a phone. @shelldozer @65dBnoise

@65dBnoise @Mike Spooner

in reply to Randahl Fink

Tak!

in reply to Randahl Fink 3 months ago

The most thought-provoking thing about this article is that it highlights the absolutely wild level of sinophobia in scandinavia.

My wife's Volvo has remote firmware update functionality, is that a Swedish killswitch? Every one of the tens of thousands of Teslas in Denmark has remote update functionality, is that an American killswitch? Modern BMWs have remote update functionality, are those German killswitches?

I personally hate the techbroization of modern cars, and I believe that every one of these features should be regulated out of existence, but

it's amazing how this kind of stuff is accepted and normal in every part of our lives until a company based in China does it, and suddenly it's "😱 THE CHINESE GOVERNMENT HAS KILLSWITCHES IN OUR BUSSES 😱"

🙄

This entry was edited (3 months ago)

in reply to Tak!

Randahl Fink

in reply to Tak! 3 months ago

@Tak Not wanting remote kill switches in products has nothing to do with sinophobia. I am against ALL remote kill switches from ANY country that my country could potentially go to war with.

After Donald Trump has threatened to invade Greenland, I find it deeply problematic that Danish politicians continue to use American iPhones. That does not make me anti-American. It just makes me conscious of the very real security risks Donald Trump represents.

@Tak!

in reply to Randahl Fink

Perrin42

in reply to Randahl Fink 3 months ago

I think the point is that every device that supports OTA updates has this sort of "remote kill switch". If Apple or Google wanted to disable your phone remotely, they could push out an update that did that. Same with Volvo, Tesla, Rivian, Chrysler, HP, Roomba, Sony... If it can be updated remotely, it can be disabled remotely.

This entry was edited (3 months ago)

in reply to Randahl Fink

an interesting bean

in reply to Randahl Fink 3 months ago

@Tak the article doesn’t claim to have found a “remote kill switch” but rather posits that OTA updates could be used as such. Which is almost certainly true. But did the Norwegian government want a different arrangement? did they ask for the opportunity to audit OTAs and sign them for distribution to their fleet? Because big municipal buyers could almost certainly work with these companies to get these things. It’s just not a priority for most government purchasers to add complexity and would be an ongoing expense in IT infrastructure

@Tak!

in reply to Randahl Fink

Marcel

in reply to Randahl Fink 3 months ago

@Tak Apart from the security risks, it started, I think, with greed - greed by companies who say: you may think you own that device, but no, we control it, we tell you how to use it. It's as simple as software as a service so instead of buying Word or Excel once, you have to pay for it every year. And it's how HP can decide to brick your printer if you put in any brand of ink except theirs. How software companies can force you to buy a new phone just to use basic functionality.

@Tak!

in reply to Randahl Fink

Walter Tross

in reply to Randahl Fink 3 months ago

"Destroy" here means "make unusable via an OTA software update". Not any better than "destroy", of course.

This entry was edited (3 months ago)

in reply to Randahl Fink

Mr. Lance E Sloan (IRL) 👤

in reply to Randahl Fink 3 months ago

In other good news: Now it's known how to disable buses in China.

in reply to Randahl Fink

Cassandrich

in reply to Randahl Fink 3 months ago

So remove the radio modules from them. They should never have been there to begin with. Vehicles do not need "OTA updates".

in reply to Randahl Fink

Ben Aveling

in reply to Randahl Fink 3 months ago

Not the first time “rogue devices, including cellular radios, were discovered in Chinese-made power inverters“ m.economictimes.com/news/inter… @randahl

Chinese 'kill switches' found in equipment at US solar firms trigger national security fears. What are the

Engineers have discovered 'kill switches' embedded in Chinese-manufactured parts on American solar farms, raising fears Beijing could manipulate supplies or 'physically destroy' grids across the US, UK and Europe.

^{ET Online (Economic Times)}

@Randahl Fink

in reply to Randahl Fink

Andy Rabagliati

in reply to Randahl Fink 3 months ago

I read the article - they did not find an actual kill switch. They found that it could be updated remotely, to install a kill switch - not quite the same thing

in reply to Randahl Fink

KasTas

in reply to Randahl Fink 3 months ago

well, translation does not sound that scary and specific:

> " The Chinese electric bus contains a computer that, among other things, controls the bus's battery and engine, so the bus can most efficiently drive around Oslo. And this computer is – via a small sim card – on the Internet, so it can send information and sometimes retrieve an update back. For yes, a bus can be updated in exactly the same way as your phone."

TL;DR: remote tracking and updates which can be used maliciously

in reply to Randahl Fink

Daniel Molkentin

in reply to Randahl Fink 3 months ago

Sorry, unless we suddenly start to take non-elective OTA updates without safeguards such as independently reviewed, reproducible source code builds as the theoretical but very possible general threat that they are, I fail to see how this is special. Even more so because @briankrebs boosted it.

Vendor-forced OTA updates are an accepted practice. Attack the practice, not the practitioner.

@BrianKrebs

in reply to Daniel Molkentin

BrianKrebs

in reply to Daniel Molkentin 3 months ago

@danimo I see your point. OTOH, this doesn't seem like one of those single-cause problems. Both things can be true and needful.

@Daniel Molkentin

in reply to BrianKrebs

Daniel Molkentin

in reply to BrianKrebs 3 months ago

@briankrebs point taken, but the article is baity to the point of being false. They did not find a backdoor, unless all auto-OTA devices are considered backdoored (which is an assumption most of us professionals work under, but not the articles' general public audience). With a headline like this, I would expect an actual remotely triggerable reverse shell tbh.

@BrianKrebs

in reply to Daniel Molkentin

shironeko

in reply to Daniel Molkentin 3 months ago

yeah it's just blatant xenophobia

in reply to shironeko

BrianKrebs

in reply to shironeko 3 months ago

@shironeko @danimo i wonder if you think the US govt's pending ban on TP-Link devices is also xenophobia vs. an unacceptable threat?

@Daniel Molkentin @shironeko

in reply to BrianKrebs

shironeko

in reply to BrianKrebs 3 months ago

of course it is, are TP-Link routers that much worse than all the other routers on the market? If the goal is security, setup a standard test for it.

in reply to shironeko

BrianKrebs

in reply to shironeko 3 months ago

@shironeko @danimo I think the honest answer to your question is the entire industry is a race to the bottom, and comparing the relative security of devices does not offer a very wide range. That said, not all router makers, e.g., ship devices w/ years-old Linux vulnerabilities, or make major updates but use the same revision numbers etc. Or have a history of including undocumented user accounts, etc. Not saying TP-Link is guilty of all that, but the truth is most consumer-grade devices are best wiped and equipped w/ open source firmware. It's a horrible market all around.

@Daniel Molkentin @shironeko

in reply to Daniel Molkentin

Randahl Fink

in reply to Daniel Molkentin 3 months ago

@danimo I think you are missing a crucial point: Over-the-air updates is a general practices, yes, but there is a vast difference between getting over-the-air updates from allies, and getting over-the-air updates from a country which supports Russia's invasion of Europe.
@briankrebs

@BrianKrebs @Daniel Molkentin

in reply to Randahl Fink

Daniel Molkentin

in reply to Randahl Fink 3 months ago

Honestly, with the Cloud Act and similar laws in place and tech companies obediently submitting to the Trump Administration, I don't really trust any product from the US, and I am saying this with a lot of US tech on my desk. I don't see why I should trust US products any more than I trust Chinese ones.

If it would serve his purpose, Trump would jump in Putins' lap in a heart beat and abadon Kyjiw. Right now, he's just heartbroken about his imaginary best buddy.

@briankrebs

@BrianKrebs

This entry was edited (3 months ago)

in reply to Randahl Fink

onterof

in reply to Randahl Fink 3 months ago

I wonder how long it'll take to uncover something similar with trains built by CRRC.

Unknown parent

Randahl Fink

Unknown parent 3 months ago

@falcennial "Who would have thought buying products from evil super villains could be a problem?"

@millennial fulcrum

in reply to Randahl Fink

shironeko

in reply to Randahl Fink 3 months ago

china china china, tbh probably all modern cars have this.

in reply to shironeko

Randahl Fink

in reply to shironeko 3 months ago

@shironeko very true. But that is not the point. From a security perspective, it is more likely that NATO could end up in a military conflict with China which could lead to kill switches being engaged, than for example NATO ending up in a war with Germany, and Volkswagen disables all cars in NATO countries.

@shironeko

in reply to Randahl Fink

shironeko

in reply to Randahl Fink 3 months ago

if you have a backdoor, anyone can use it

in reply to shironeko

Randahl Fink

in reply to shironeko 3 months ago

@shironeko if that was true, all iPhones would have been bricked by hackers already.

@shironeko

in reply to Randahl Fink

shironeko

in reply to Randahl Fink 3 months ago

do you really think state backed hackers cannot possibly do it?

in reply to shironeko

Randahl Fink

in reply to shironeko 3 months ago

@shironeko if it was possible, do you really believe there would not be a single news story about this happening?

@shironeko

Unknown parent

Randahl Fink

Unknown parent 3 months ago

@samloonie let's not give Trump any ideas.

@Sam Oldman 🐀

in reply to Randahl Fink

Viðrir

in reply to Randahl Fink 3 months ago

To be fair: All Tesla's, and probably many other EV's on the market today have this same functionality.

It's not a "kill switch" directly, it's that the busses support OTA with full admin-rights directly from the manufacturer without user envolvement that could theoretically be used as a kill switch.

Now, if you read further on the "Lion Cage" project, that is scary shit.

Unknown parent

Randahl Fink

Unknown parent 3 months ago

@falcennial "Those imperial TIE Fighters are so well priced. Let's strike a deal with Darth Vader!"

@millennial fulcrum

in reply to Randahl Fink

klegdixal

in reply to Randahl Fink 3 months ago

ifixit.com/News/112008/polish-…

Polish Train Maker Is Suing the Hackers Who Exposed Its Anti-Repair Tricks

Newag, maker of Polish trains, is suing ethical hackers who exposed its anti-repair software, threatening independent repair and consumer rights.

^{Charlie Sorrel (iFixit)}

in reply to klegdixal

Randahl Fink

in reply to klegdixal 3 months ago

@klegdixal insane! Thank you for that update.

@klegdixal

in reply to Randahl Fink

klegdixal

in reply to Randahl Fink 3 months ago

yup. That SLAPP is indeed insane.

Dunno if this was brought up, this time a Chinese smart vacuum.
cybernews.com/security/enginee…

in reply to Randahl Fink

Kevin C 🎬

in reply to Randahl Fink 3 months ago

Version of the story from The Guardian.

Danish authorities in rush to close security loophole in Chinese electric buses theguardian.com/world/2025/nov…

Danish authorities in rush to close security loophole in Chinese electric buses

Investigation launched after discovery that Chinese supplier had remote access to vehicles’ control systems

^{Miranda Bryant (The Guardian)}

in reply to Kevin C 🎬

Randahl Fink

in reply to Kevin C 🎬 3 months ago

@kcarr2015 It is so funny for us Danes to see the politicians panicking now.

For years, Danish security experts warned about this, but most politician arrogantly rejected this as paranoia.

There was a tv-show were a politician from Venstre arrogantly said: "It is okay to fear wars and such, but one cannot fear a computer".

@Kevin C 🎬

in reply to Randahl Fink

John Mierau

in reply to Randahl Fink 3 months ago

huawei suspected of kill switch in routers
dji drones suspected of kill switch
e-cars suspected of kill switch
vacuums suspected of mapping

WHEN DO NATIONS START DEMANDING OS SOVEREIGNTY?

(not expensive or complicated: it's called open source software and linux)

PS: the expensive and complicated part?
EDUCATING VOTERS TO VOTE FOR IT

in reply to Randahl Fink

randomized

in reply to Randahl Fink 3 months ago

wait until they learn who owns their IT systems

in reply to Randahl Fink

scotty86 🇺🇦🕊️

in reply to Randahl Fink 3 months ago

They didn’t find a kill switch. What they found was a built-in SIM card - something that's legally required in some countries and present in most modern vehicles - and the ability to perform OTA updates, which is also standard today. And yes, any modern connected vehicle can technically be disabled through a software update if the manufacturer chooses to do so.

in reply to Randahl Fink

Robin Barton

in reply to Randahl Fink 3 months ago

That is disturbing. It is not going to help sales

in reply to Randahl Fink

⁂ Fish Id Wardrobe

in reply to Randahl Fink 3 months ago

do busses really need to be connected to the internet?

however attractive that seems, the possibility (actuality, in this case) of remote interference makes it too costly.

same for everything else, too. does my fridge need to be? my tv?

in reply to Randahl Fink

Queen 1066

in reply to Randahl Fink 3 months ago

After what #israel did with mobile phones i’m surprised they are only looking at buses.

#israel

in reply to Randahl Fink

Peter Bindels

in reply to Randahl Fink 3 months ago

Can they do the same thing with the other bus types they have? I don't see why a Chinese government having the ability to disrupt bus traffic is different from any other foreign government having the ability to disrupt bus traffic.

in reply to Randahl Fink

Jack Poller

in reply to Randahl Fink 3 months ago

I just wrote a similar article about Israel banning Chinese cars from the military...

securityboulevard.com/2025/11/…

Why Israel Just Banned 700 Chinese Cars from Its Military—And What It Means for Security - Security Boulevard

In early November, the Israeli Defense Forces made a decision that sent ripples through defense and cybersecurity circles worldwide: withdraw every In early November, the Israeli Defense Forces made a decision that sent ripples through defense and cy…

^{Jack Poller (Security Boulevard)}

in reply to Randahl Fink

SarcastiCat

in reply to Randahl Fink 3 months ago

They should check the 43% of their busses that aren't from China, too

in reply to Randahl Fink

Elon Muksis 🇺🇦 🇵🇸 🇪🇺

in reply to Randahl Fink 3 months ago

I bet f-35 has a kill switch. When USA attacks Greenland and you turn the ignition key, only the dashboard warning light comes on.

in reply to Randahl Fink

Pete

in reply to Randahl Fink 3 months ago

And this is why I would never, ever own a Chinese vehicle and am migrating away from all electronics made in China.

in reply to Randahl Fink

Beelbeebub

in reply to Randahl Fink 3 months ago

Ok I read the translated article and it seems that what they found was the computer that controls the battery and inverter had a sim card in to to allow for firmware updates.

In theory the firmware could be updated to kill the bus but I couldn't see any mention of a function in the existing firmware kill the bus.

This "update firmware to kill" vulnerablity is present in any hardware that can be updated.

Sometimes it happens inadvertently when apple/Google brick a load of phones.

in reply to Randahl Fink

Yop32

in reply to Randahl Fink 3 months ago

And that is why being electronically independent make sense. Unfortunately not is not always possible but these tests are easy to perform by forensics. That being said, include a clause in the contract specifying remote kill switches, investigate the product you are buying and return them if you find something related.

If you are a country this should be mandatory

in reply to Randahl Fink

ScottMGS

in reply to Randahl Fink 3 months ago

One wonders if *any* modem vehicle is free of such controls. Multiple systems could each have one controlled by someone else. Who holds the kill switches?

in reply to ScottMGS

Randahl Fink

in reply to ScottMGS 3 months ago

@ScottMGS we clearly need a law, that EU vehicles must offer the option to ONLY update when requested by owners to do so.

@ScottMGS

in reply to Randahl Fink

Marcel

in reply to Randahl Fink 3 months ago

@ScottMGS As 'alarmist' as the post sounds, there is reason to worry, of course - remote updates/command can be abused, and it actually does happen. I also recall the inverters used in many solar installations at one point could be accessed and shut down remotely, by the manufacturer. That definitely is a vulnerability. Shutting down all renewable power is an increasing security risk.
tomshardware.com/tech-industry…

@ScottMGS

in reply to Randahl Fink

rozie

in reply to Randahl Fink 3 months ago

Article says that investigators found no spying functions and no kill switch.

They "discovered" auto update function. Described scenario is of course possible (for every device with auto update function), but this is not a kill switch.

But I guess any reason is good for anti-Chineese FUD?

in reply to Randahl Fink

Jo

in reply to Randahl Fink 3 months ago

That sounds like madness, but I'm not surprised. After planned obsolescence, this is the logical next step in control.

in reply to Randahl Fink

Joey Provolone

in reply to Randahl Fink 3 months ago

can we just have normal buses?

in reply to Joey Provolone

Carlos Solís

in reply to Joey Provolone 3 months ago

@Joey Provolone @Randahl Fink I fear that it's not possible anymore - most if not all car manufacturers are now required to include certain hardware to abide car safety laws, so fully analog vehicles like the ones from the 80's or so have been gradually phased out.

@Randahl Fink @Joey Provolone

in reply to Carlos Solís

Joey Provolone

in reply to Carlos Solís 3 months ago

@csolisr
yeah, i mean even look at appliances. its hard to find a non-smart or basic fridge without smart apps or screens built into them.

@Carlos Solís

in reply to Randahl Fink

Juan Per¢ent,🇲🇽 🍉,🇻🇪

in reply to Randahl Fink 3 months ago

railway-technology.com/news/th…
Polish on Polish Train kill switches. Maybe this is more of anabuse of IP issue than a security/defense issue.

The story of the great Polish train hack

Polish rolling stock company Newag has alleged its train systems were illegally hacked, making four of its trains unsafe.

^{Patrick Rhys Atack (Railway Technology)}

in reply to Randahl Fink

Kris

in reply to Randahl Fink 3 months ago

So they are not different from Teslas.

Or from any other device that can get OTA updates, which allows the maker of the device to install any change any time?

in reply to Randahl Fink

dragonfrog

in reply to Randahl Fink 3 months ago

saying they "found a kill switch" is a bit alarmist IMO.

They found that over the air firmware updates are supported. Yes the manufacturer could in principle ship broken firmware, but there's no indication they built functionality specifically to disable the buses - unlike, say, European and North American car manufacturers, which build in features specifically designed for dealerships to disable a car if the buyer misses payments, sold *as a feature* to dealerships.

in reply to Randahl Fink

H4Heights 🇪🇺🇵🇸🇺🇦🇨🇦

in reply to Randahl Fink 3 months ago

Linked to being able to install updates over the GSM air I believe.

in reply to Randahl Fink

Nicole Parsons

in reply to Randahl Fink 3 months ago

These kill switches are likely embedded in every chip-enabled product.

It's a national security problem. Spyware, control, & sabotage all in one.

But it's also part of a fossil fuel disinformation campaign to undermine renewable energy.

It's for accelerated planned obsolescence in household appliances, phones, computers, routers, vehicles, satellites, home heating, public lighting, electric grids, and solar & wind electricity generation.

reuters.com/sustainability/cli…

in reply to Nicole Parsons

Nicole Parsons

in reply to Nicole Parsons 3 months ago

However, when the Right were nattering on about Huawei, remember Accusations are Confessions

wired.com/story/intel-earnings…

theguardian.com/technology/202…

cbc.ca/news/business/us-lutnic…

investors.com/news/trump-stock…

m.economictimes.com/news/inter…

Now that Trump owns 10% of Intel, will Intel chips also get kill switches?

Reminder, both China & the USA have a long history of taking hostages, regime change, & expansionist wars
bbc.com/news/world-us-canada-5…

en.wikipedia.org/wiki/Extradit…

nytimes.com/2019/02/27/world/c…

Canadian legal dispute

^{Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)}

in reply to Randahl Fink

Bruce Acton 🇨🇦🇨🇦🇨🇦

in reply to Randahl Fink 3 months ago

wow how many other products have imbedded kill switches? The hot rumour in #Canada is the #US has put a kill switch into the #F35 that we have purchased from them.

#us #Canada #f35

in reply to Randahl Fink

Winfried Angele 🇺🇦🇪🇺

in reply to Randahl Fink 3 months ago

@jpmens hmm. Everyone knows the bus has a SIM card — just like literally every car these days. Over‑the‑air updates are standard (what do they think the SIM is for?). So why on earth would anyone drive into a mine for that? I mean, it’s probably even spelled out in the bus manual

@JP Mens

in reply to Winfried Angele 🇺🇦🇪🇺

Blaise

in reply to Winfried Angele 🇺🇦🇪🇺 3 months ago

@Winfried Angele 🇺🇦🇪🇺 @JP Mens @Randahl Fink They weren't looking for the SIM card, they were looking for *any* external communications. Every electronic device has the potential to carry a transceiver, whether for good or evil. They were going to a place guaranteed to have no other RF transmissions at all so that they could know that anything they detected came from the bus.

Afterward, having found nothing else, they examined the potential attack vectors exposed by the SIM card.

@Randahl Fink @JP Mens @Winfried Angele 🇺🇦🇪🇺

Elias Probst likes this.

in reply to Blaise

Winfried Angele 🇺🇦🇪🇺

in reply to Blaise 3 months ago

@blaise @jpmens then the toot was misleading imo. They found nothing! This OTA "killswitch" was already known. So there is no news at all. At least no bad news.

@JP Mens @Blaise

in reply to Randahl Fink

Hotspur🏳️‍🌈🇺🇦

in reply to Randahl Fink 3 months ago

This clicks with my support for the right-to-repair movement here in the US and elsewhere...consumers should be able to repair their purchases, replace batteries, etc. themselves or by a third party, rather than being forced to go back to the dealer or simply discard it and buy a new product.

And related to that....the ability to turn off updates or sever connections should they see fit.

in reply to Randahl Fink

Rev. Robodummy

in reply to Randahl Fink 3 months ago

surprisingly not surprised

in reply to Randahl Fink

tekhedd

in reply to Randahl Fink 3 months ago

Everything else aside, Librewolf's translation including the phrase "a so-called spectrum analyzer". ROFL "spectrum analyzer" as if!

in reply to Randahl Fink

Outfrost

in reply to Randahl Fink 3 months ago

Why don't they mention the manufacturer of the specific vehicle tested, by name?

in reply to Randahl Fink

Rich Stein (he/him)

in reply to Randahl Fink 3 months ago

Two articles in English:
- cybernews.com/security/norway-…

- aa.com.tr/en/europe/oslo-tests…

Oslo tests reveal Chinese electric buses can be switched off remotely

Public transport operator Ruter says manufacturer access allows buses to be stopped from China, prompting Norway to review cybersecurity risks in public transport - Anadolu Ajansı

^{www.aa.com.tr}

in reply to Randahl Fink

Number6

in reply to Randahl Fink 3 months ago

Doesn't the SIM card have to connect to a specific, paid-for network? So who is paying for the network?

If there's a way to get a working SIM card without paying, I'm very interested.

I suppose the next step is that the Chinese will require the SIM card to be in place to operate. Which means the bus will stop if you drive through a 0-bar location. And the drive won't be able to call for help because her phone will also have no connection.

in reply to Randahl Fink

Jimmy

in reply to Randahl Fink 3 months ago

Time to jailbreak your bus.

in reply to Randahl Fink

Klimperei - Petchanatz

in reply to Randahl Fink 3 months ago

probably fake, it seems

in reply to Klimperei - Petchanatz

Randahl Fink

in reply to Klimperei - Petchanatz 3 months ago

@Klimperei I verify what I post.

@Klimperei - Petchanatz

in reply to Randahl Fink

Thierry 🅰️🕒

in reply to Randahl Fink 3 months ago

Now imagine the thousands of personal electric vehicules, with their camera, on board computer and network connection: how far are they from possibly remote controlled drones ?

in reply to Thierry 🅰️🕒

Randahl Fink

in reply to Thierry 🅰️🕒 3 months ago

@thierrya they are one software update from that.

@Thierry 🅰️🕒

in reply to Randahl Fink

JohnnieMac

in reply to Randahl Fink 3 months ago

Is there really any difference between a remote ‘kill switch’ and a Trojan virus?

in reply to Randahl Fink

Luigi Muffingione

in reply to Randahl Fink 3 months ago

per the article, there is no more of a kill switch than in any other electronic product that accepts updates over the internet. It is also not “Chinese” except that manufacturer is in China. In fact, the article even starts off with an example of a hypothetical US military ordering Apple to brick all Danish phones, an example which is different in no functional way than the bus scenario.

in reply to Randahl Fink

Thomas =:-)

in reply to Randahl Fink 3 months ago

@DieWespe maybe you should have read the article? They did not find a Kill Switch. They found the ability for OTA updates.

@Olaf ‽

in reply to Randahl Fink

Robert Berger

in reply to Randahl Fink 3 months ago

U.S. kill switches, Chinese kill switches, Russian killers (called "soldiers") are much scarier than the complete Cold War that our parents and our generation witnessed. Coupled with the rise of neo-Nazis around the world, this makes me think that the world is preparing for the next big war.🤔

in reply to Randahl Fink

Hunspirillen already

in reply to Randahl Fink 3 months ago

Another Snowden moment. Meaning, another time that "ordinary people" realises something that tech people have known forever but was told "no, you're just being paranoid" 🫣

in reply to Randahl Fink

Deutscher Bahnkunden-Verband

in reply to Randahl Fink 3 months ago

Und alle träumn weiter und hoffen darauf, dass es so schlimm ja nicht kommen wird ...

in reply to Randahl Fink

Bob LeFridge

in reply to Randahl Fink 3 months ago

This seems like an important story. Unfortunately the Zetland site doesn't allow Google Translate.

@randahl

@Randahl Fink

in reply to Randahl Fink

emaksovalec

in reply to Randahl Fink 3 months ago

so they found out its like any other device with OTA updates. That an update can brick it. I remember reading that VW requires their ID car to be on flat ground for OTA update because of possibilty of bricking.

in reply to Randahl Fink

Glyn

in reply to Randahl Fink 3 months ago

@bobdvb
It is misleading though.
Not a kill switch a software update mechanism.
That doesn’t get clicks though does it

@Bob Hannent

in reply to Randahl Fink

Aho

in reply to Randahl Fink 3 months ago

In Sweden they downplay the risks and say they are in discussion of what or what the manufacturer is allowed to do, like if they get in a contract, the Chinese wouldn't allow the ccp to control the busses...

in reply to Randahl Fink

Christian Schwägerl

in reply to Randahl Fink 3 months ago

Why isn’t it possible to discover a kill switch in broad daylight?

in reply to Christian Schwägerl

Jan Wildeboer 😷

in reply to Christian Schwägerl 3 months ago

It could be noticed by the manufacturer when in broad daylight (see the polish train story), which could trigger countermeasures. Blocking all possibilities for connections creates a reproducible environment. Quite standard stuff. You could also use a big enough faraday cage. @randahl

@Randahl Fink

This entry was edited (3 months ago)

in reply to Jan Wildeboer 😷

Christian Schwägerl

in reply to Jan Wildeboer 😷 3 months ago

@jwildeboer thx

@Jan Wildeboer 😷

in reply to Jan Wildeboer 😷

Randahl Fink

in reply to Jan Wildeboer 😷 3 months ago

@jwildeboer but then you would have to believe that your Faraday cage worked.

When you drive into a mountain, no one questions that your experiment really blocks all communication.

I think that could be the reason for using the mountain.

@christianschwaegerl

@Jan Wildeboer 😷 @Christian Schwägerl

in reply to Randahl Fink

Christian Schwägerl

in reply to Randahl Fink 3 months ago

@jwildeboer Makes sense

@Jan Wildeboer 😷

in reply to Randahl Fink

Justbeep

in reply to Randahl Fink 3 months ago

* Chinese power inverters, batteries and solar panels with undeclared radio receivers
* Chinese cars and busses
* Mobile phone monocultures
* Web cams
* Door locks
* ...

#iot - idiots on technology

#iot

⇧

Randahl Fink 3 months ago • •

Randahl Fink
3 months ago