Nothing New Under the Sun: The Threat of Hacking Software in Internet-Connected Vehicles

“What has been is what will be, and what has been done is what will be done, and there is nothing new under the sun.” Is there a thing of which it is said, “See, this is new”? It has been already, in the ages before us.” (Ecclesiastes 1:8-10. Revised Standard Version).

The recent ban imposed by the federal government on the use of Chinese-developed software in internet-connected vehicles continues a long-standing trend of U.S. and global intelligence agencies exploiting technological vulnerabilities for what they call national security purposes. The measure's objective is to prevent intelligence agencies' potential ability to track the movements of U.S. citizens or exploit vehicle electronics as entry points into vital infrastructure systems, such as the U.S. electric grid. While this policy responds to contemporary threats, it mirrors historical clandestine operations employed by intelligence agencies worldwide, such as secret exploitation of encryption devices during the Cold War and similar operations.

The Threat: Connected Cars, Vulnerabilities, Exploits, and the Market Surrounding It

The proliferation of connected and autonomous vehicles has introduced new cybersecurity vulnerabilities. These vehicles collect vast amounts of data on drivers, connect to personal devices, and communicate with infrastructure systems and manufacturers. The technology has the potential to introduce additional vulnerabilities and threats, particularly if adversaries target software integrated into these vehicles that could be exploded (hacked into).

What is an exploit, and how does it work? 

An exploit is a program or code designed to exploit a security flaw or vulnerability in an application or computer system. Exploits often require an attacker to initiate a sequence of suspicious operations to set up an attack. Typically, most vulnerabilities arise from software or system architecture bugs. Attackers craft their code to take advantage of these vulnerabilities and introduce various forms of malware into the system. (Cisco) 

On the other hand, It's amazing that the public is largely unaware of an industry that specializes in selling exploits to anyone. These exploits are frequently sold to government organizations or private security contractors for surveillance or intelligence gathering. The sellers' identity is kept secret, and the public is kept in the dark about “what hackers call “zero days,” the coding flaws.” (For more information, see: Packetlabs, Google Threat Analysis Group).

Some potential reasons from historical precedents in this context include:

1. Companies and organizations involved in the exploit trade operate under non-disclosure agreements or maintain confidentiality to protect their clients and business interests. This secrecy contributes to the lack of public knowledge.

2. Government agencies and private entities have a strong interest in concealing the existence and operations of the exploitation industry to maintain secrecy and prevent any potential public alarm regarding surveillance, privacy, and security concerns. Additionally, if this industry were exposed, intelligence organizations would lose a valuable tool for conducting attacks and espionage.

Historical Precedents

Understanding contemporary cybersecurity policies, such as Chinese-developed software in internet-connected vehicles, requires examining historical precedents where intelligence agencies have leveraged technological tools to gain strategic advantages. The most “effective” exploits are unknown to everyone but the people who developed them. These are the most dangerous exploits, as they occur when a software or system architecture contains a critical security vulnerability of which the vendor and the public are unaware.

The vulnerability becomes known when a hacker is detected exploiting the vulnerability, hence the term zero-day exploit. Once such an exploit occurs, systems running the exploit software are vulnerable to a cyberattack.  Either the vendor will eventually release a patch to correct the vulnerability or security software detects and blocks the exploit and resultant malware (ibid).

Let’s examine some examples:

SIGINT Enabling Project, which 'actively engaged the U.S. and foreign IT industries to covertly influence or overtly leverage their commercial products’ designs' to make them 'exploitable.” “The second — and more alarming way — is by ensuring that international standards for encryption allow the intelligence agencies some (undescribed) pathway allowing decryption of traffic.”

During the Cold War, the U.S. Central Intelligence Agency (CIA) and West Germany's Bundesnachrichtendienst (BND) secretly owned a Swiss company called Crypto AG. Throughout the 21st century, the firm generated substantial profits through equipment sales to over 120 countries worldwide. Among its clientele were Iran, various military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican. Unknown to these countries, the devices were rigged to allow the CIA and BND to decrypt their communications easily.

This clandestine operation initially codenamed “Thesaurus” and later “Rubicon,” provided the U.S. and Germany with invaluable intelligence. Among the surveilled were military regimes involved in Operation Condor—a coordinated effort by South American dictatorships in the 1970s to suppress and eliminate opposition through assassination and terrorism.

Through Crypto AG's compromised devices, the CIA was able to have access to sensitive communications during significant historical events, such as the 1973 Chilean coup, and the 1976 Argentine coup, monitored Iran's mullahs during the 1979 hostage crisis, and various acts of state-sponsored. The exploitation of these encryption machines represents a historical example of how intelligence agencies leverage technological vulnerabilities for strategic advantage.

Current Examples

In the wake of the Salt Typhoon, a group of hackers, allegedly hailing from China, breached the security protocols of several internet companies based in the United States. Their objective was to infiltrate the systems of cable and broadband service providers, with the intent to either gain access to sensitive data or unleash a malicious cyber assault.

The exploitation of technological susceptibility for intelligence collection extends beyond nations like the United States, Germany, Russia, and China. Other nations have employed similar tactics to advance their national security interests. For instance, reports have indicated that Israeli intelligence agencies have developed sophisticated capabilities in cyber and electronic intelligence, often leveraging technological advancements to conduct espionage operations.

While details typically remain classified, it is widely acknowledged that Israel has exploited vulnerabilities in communication networks to intercept and monitor messages, including those transmitted via pagers and other communication devices. By intercepting pager messages, intelligence agencies can access real-time data without the need for physical infiltration or more complex cyber operations (Richard Forno Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County).

These operations share similarities with Thesaurus and Rubicon in their use of trusted communication technologies as vectors for intelligence gathering. By intercepting and decrypting communications, Israeli intelligence can gain insights into the plans and activities of adversaries, enhancing their ability to preempt threats and inform strategic decision-making.

Motivations Behind Exploiting Technological Vulnerabilities

Intelligence agencies worldwide develop and deploy such strategies, driven by several motivations:

1. National Security: Gaining access to adversaries' communications allows for preemptive actions against potential threats. By intercepting and decoding messages, agencies can thwart espionage, terrorism, and military aggression.

2. Strategic Advantage: Access to confidential communications provides insights into other nations' political intentions, economic plans, and military capabilities. This information can shape foreign policy and diplomatic strategies.

3. Counterintelligence: Understanding the methods and operations of adversaries helps in defending against their espionage efforts. It also aids in protecting a nation's sensitive information.

4. Global Influence: Possessing superior intelligence capabilities allows nations to exert influence over international affairs, negotiations, and alliances.

In the case of operations involving pager communications, intelligence agencies can obtain timely information on potential threats, policy decisions, and strategic movements. Exploiting vulnerabilities in communication networks allows for covert intelligence gathering with minimal risk of exposure compared to more invasive methods.

The Evidence Suggests that There is Nothing New Under the Sun.

These historical and contemporary examples underscore the strategic importance intelligence agencies place on controlling and exploiting technological vulnerabilities. By securing access to communication systems, whether through compromised encryption devices or intercepted pager messages, nations can gain invaluable intelligence that informs national security strategies and geopolitical maneuvers.

The federal government ban on Chinese software in connected cars is consistent with these historical practices by proactively addressing potential cyber vulnerabilities that could be exploited by foreign adversaries. Just as the CIA and BND sought to control encryption technologies to monitor and influence global events, the current policy aims to prevent Chinese intelligence from accessing and manipulating critical infrastructure through vehicle electronics.

Furthermore, these examples highlight the ethical and legal dilemmas inherent in such strategies. While national security is central, the covert exploitation of technology can erode international trust, violate sovereignty, and raise significant privacy concerns. The Crypto AG affair and Israeli pager operations serve as cautionary tales about the long-term implications of prioritizing intelligence gathering over transparent and ethical practices.

Conclusion

In light of ongoing cyber threats, the federal government's prohibition on Chinese software in connected cars highlights the enduring challenges nations encounter in securing technology. The underlying motivations for this policy stem from a historical context, where intelligence agencies have leveraged technological vulnerabilities to gain national security and strategic advantages, often without public awareness, even at the expense of compromising their security.

The examples of the Crypto AG affair and the reported Israeli operations involving pager communications highlight how intelligence agencies continue to leverage technological vulnerabilities to advance their objectives. These cases emphasize the need for vigilance and ethical considerations in intelligence operations.

As the world becomes more interconnected, the ethical implications of such strategies become increasingly significant. Transparency, international cooperation, and the establishment of global norms for cybersecurity are essential in navigating the complex landscape of modern technology and espionage.

Balancing national security with respect for international trust and human rights remains a delicate but crucial endeavor. The lessons from past and present operations underscore the importance of addressing cybersecurity vulnerabilities, implementing robust defense mechanisms, and fostering global collaboration to prevent the misuse of technology and protect global security.

References

Ibor, A. E. (2018). Zero-day exploits and national readiness for cyber-warfare. Nigerian Journal of Technology, 36(4), 1174. https://doi.org/10.4314/njt.v36i4.26.

Al-Matouq, H., Mahmood, S., Alshayeb, M., & Niazi, M. (2020). A maturity model for secure software design: a multivocal study. IEEE Access, 8, 215758-215776. https://doi.org/10.1109/access.2020.3040220.

National Security Archive. “CIA and BND's Secret Ownership of Crypto AG and Its Implications on Operation Condor.” February 11, 2020.

Perlroth, Nicole. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing, 2021.

Sanger, David E., and Ngo, Madeleine. “The Biden Administration Announces Ban on Chinese Software in Connected Cars.” The New York Times, Sept. 23, 2024.

National Security Archive. “CIA and BND's Secret Ownership of Crypto AG and Its Implications on Operation Condor.” February 11, 2020.

Zhang, S., Caragea, D., & Ou, X. (2011). An empirical study on using the national vulnerability database to predict software vulnerabilities. Lecture Notes in Computer Science, 217-231. https://doi.org/10.1007/978-3-642-23088-2_15.

Final Remarks

A group of friends from “Organizational DNA Labs” (a private group) compiled references and notes from various of our thesis, authors, and academics for the article and analysis. We also utilized AI platforms such as Claude, Gemini, Copilot, Open-Source ChatGPT, and Grammarly as a research assistant to conserve time and to check for the structural logical coherence of expressions. The reason for using various platforms is to verify information from multiple sources and validate it through academic databases and equity firm analysts with whom we have collaborated. The references and notes in this work provide a comprehensive list of the sources utilized. I, as the editor, have taken great care to ensure all sources are appropriately cited, and the authors are duly acknowledged for their contributions. The content is based primarily on our analysis and synthesis of the sources. The compilation, summaries, and inferences are the product of using both our time with the motivation to expand my knowledge and share it. While we have drawn from quality sources to inform our perspective, the conclusion reflects our views and understanding of the topics covered as they continue to develop through constant learning and review of the literature in this business field.