¶ Intro / Opening
From Recorded Future News and PRX, this is Click Here.
¶ Volvo's Safety Myth and Software Reality
Peter Rothschild is a retired radiologist. And back when he was a resident, he worked in emergency rooms. Day after day as patients came in, far too often their emergencies seemed to stem from one thing. There's way too many accidents, uh, you know, car accidents. Which started him thinking about what kind of car he'd buy one day. And he had one criterion. Safety. When I was, uh, working in the emergency rooms in medical school and residency, it became very clear that I wanted a safe car.
And as he looked around back in the 1980s, there was one brand that seemed obsessed with safety. Built into every Volvo passenger compartment, a steel cage. A brand that sold peace of mind. I figure, wow, that's going to be the safest car. So I've only bought Volvos. Peter didn't just drive Volvos, he became a kind of evangelist for the car.
Everyone I knew, uh, pretty much, uh, I talked into driving a Volvo. People used to come by my house and say, are you a Volvo dealer or something? You've got five of them sitting in your drive. Twenty-five Volvos later, he bought an XC90 hybrid, the Insurance Institute for Highway Safety's top pick. And that's when the trouble began. The entertainment system went on the fritz.
I was going, wait, wait, wait. I've been driving Volvos with entertainment systems for, you know, fifteen years and never saw that before. The touch screen froze. And then when the rear camera went out, I was going, wait, wait. Th-this is crazy. What is wrong with this car? So he went back to the dealership. No big deal, they said. It's just a software problem. We'll fix you right up and it'll be as good as new. And they just gave him the latest update.
Simple. A few hours later, Peter went to visit a friend. He lived up a steep mountain road in Northern California. A friend of mine who lives basically on top of a mountain in Carmel has a beautiful house, amazing. Uh, and everything was fine going up to his house. Down the mountainside, which is a one-lane road without much of a guardrail, that's when the trouble started.
It was all caught on Peter's dash cam video. At first, it looked like a postcard of Northern California. Monterey pines, a wisp of fog, the Pacific Ocean glinting in the distance. This road was cut into this mountain. It's a very windy road. Then suddenly the picture jolts and the car lurches. It's as if the Volvo had a mind of its own, taking curves at speed, and Peter couldn't stop it.
And this Volvo's an extremely heavy car, it's a hybrid car, it's got a big, you know, battery in it, and I kept trying the brakes and trying the brakes. I was so focused on keeping this car on the road. And what's going through your head? How do I stay alive? I mean, you didn't know what was on the other side of the curve, right?
It could have been a school bus filled with kids. And I realized, you know, that this, this car's not going to stop unless I stop it myself. And as Peter struggled to keep the car on the road, time seemed to stretch. And in that strange suspended moment, his mind flashed back to the dealership.
¶ The "Move Fast, Break Things" Car Ethos
And that's where the story turns. Because what happened next says a lot about how quickly the line between car and computer has disappeared. I'm Dina Temple-Raston, and this is Click Here. We tell true stories about the people making and breaking our digital world. We used to think of cars as metal and rubber, pistons, carburetors, and crash test dummies. But these days, they're just as much ones and zeros as they are nuts and bolts.
And as legacy car makers race to behave like tech companies, shipping fixes over the air instead of through a mechanic, the stakes have changed. It isn't just about new bells and whistles. It's about code and bugs and sometimes even brake failure. And I still scratch my head. How can a company with a reputation like Volvo come out with a software update that basically could... That's after the break. Stay with us.
From Recorded Future News, this is Click Here. When you think of a software update, you probably picture your phone or your laptop, maybe a spinning progress bar and a restart. You don't usually picture a two-ton SUV on a steep mountain road.
But as car companies rebrand themselves as mobility tech firms, they've adopted a very Silicon Valley ethos. Move fast, break things, and fix later. Only when your product weighs 5,000 pounds carrying humans inside, that strategy can have real consequences. Something Peter was viscerally aware of as he barreled down that mountain road, trying frantically to figure out how to stop this car.
I was always taught that if you use your emergency brake, you can lock up your tires and spin out and totally lose control of your car. So I didn't want that to happen. Then he had a flash of inspiration. You know, what do big trucks do when they come down a hill and they lose their brakes? Well, they go off on the side, uh, on these ramps, they go uphill. And so I figured, well, let me just make one of those.
He swerved hard into the dirt and rocks. The momentum carried it over the rocks and back onto the road, believe it or not. And then, and then it stopped. I look down the side, the other side of the mountain and I just go, Oh my God. I, I couldn't believe I was still alive. According to the dash cam, it only lasted about twenty seconds, but to Peter, it felt like forever. When he got home, he started looking for answers. Why did his brakes just go out?
He searched online and discovered he wasn't alone. I'm facing some problems with the software updates. Well this is a new one here. The camera's just completely not working. Come on, Volvo. It barely slows down when you let off the gas. Why? As far as he could tell, this wasn't a mechanical failure, but it did happen just hours after a software update. Could a simple patch have somehow disabled the brakes?
I wanted this to be looked into immediately because it was so incredibly scary, uh, what happened to me. I mean, I've never been that scared in my entire life, and I do a lot of driving. So the next day after the accident, I sent the video to Volvo and I sent it to NHTSA. NHTSA, the National Highway Traffic Safety Administration, opened an investigation. So did Volvo. A few weeks later, the company confirmed what Peter had already suspected. The culprit was software version 3.514, the same update that was supposed to fix his rearview camera.
And if you scan through the update notes, one line stands out. The foot brake should feel less stiff right after starting the car. Apparently, that line of code told the brakes to ease pressure after about 90 seconds of coasting downhill in something Volvo calls B-mode. It's a setting that lets the car slow itself by using the electric motor's resistance instead of the regular brake.
It's like, okay, when you tested the software, did you not do that? Did they not drive it down a hill for over a hundred seconds? How much was this software before it was released, this bug fix software for a minor issue, even tested? The big issue for me is I tested their software for them. I was like a beta test.
We asked Volvo about this, and the company told us this was a rare error, that it follows robust testing and verification procedures. We asked if they'd walk us through those procedures step by step, and they declined, calling the process, quote, a key competitive differentiator and proprietary.
We did find someone who's been on the inside to help us make sense of it though. That's Florian Rohde. Yep, that's his real last name. He's a German system engineer, and he oversaw Tesla's software releases for about five years. Now, he helps automakers modernize their fleets. And he says software is a big part of that. Updating a car using code is a big money saver for automakers. A quiet revolution under the hood. You know, you have hardware products, they age.
Right, and over time they break. Software doesn't break over time. It's also just a lot easier to send out software updates than require drivers to come into the shop and physically replace parts. But there is a lot happening under the hood, nonetheless. This is how Florian explains the process. You have a bring up period, then you have a verification and validation period, and then at the very end you have what is called an acceptance test.
And after this is done, you, uh, actually have a piece of software that can be sent onto a piece of hardware to perform a certain functionality. So, first bring-up period, then verification, validation, and then finally acceptance. And during verification and validation, when the code is written, that's when it's tested for bugs. The digital equivalent of crash testing. And it's only after that stage that the code gets sent out to update the car.
He says they're usually contained because of how most auto software systems are designed. The safety systems and entertainment systems are supposed to live in separate worlds. What's on your entertainment screen shouldn't be talking to what's on your brake pedal, for good reason. Florian compares it to Wi-Fi at a hospital. There's often a network for guests and one for hospital equipment. That way, if the guest Wi-Fi goes out, the heart monitor doesn't crash too.
And if that monitor has a Wi-Fi connection as an example, right? It loses Wi-Fi, but it should not lose the vital monitoring. So that has to be decoupled. That's the idea anyway. But even the best testing can't predict every real-world combination. How a human might drive, how a mountain might slope, or how long someone might coast downhill before tapping the brake. Those kinds of corner cases are hard to predict.
Afterwards, you know, hindsight is twenty twenty. It's very obvious. You look at the numbers and it's like after one minute forty eight seconds or whatever it is, this and this happens. But you're looking at millions of lines of code, so to to find a specific corner case is sometimes not as easy as it sounds.
Once a glitch is spotted, a fix is written and alerts are sent out to drivers, who then have a couple of options. They could bring it into their dealer, who plugs the car into a computer system. The computer pings the controller, let's say your radio, and says, Hey, I have new software for you. Go into software update mode. Or drivers can get these updates without doing anything at all. It happens automatically.
Each year automakers push out thousands of updates, as OTAs, over-the-air repairs. The same way your phone gets a new iOS update. What you usually do in OTAs, you're running them in so-called waves. You don't do the CrowdStrike approach where you do a big bang rollout and everything fails.
So you run a smaller group, you monitor, then you run the next larger group, you monitor. CrowdStrike. It's a cybersecurity company that sent out one bad update and accidentally crashed millions of computers all over the world all at once. It was a cautionary tale.
¶ Software Recalls and Hacking Vulnerabilities
So what happened to Peter's Volvo? Florian doesn't have access to Volvo's software, so he can't say for sure. But he suspects it wasn't just one rogue line of code, but something more fundamental, a design flaw that let one system reach another it shouldn't have. Like that hospital example, but without the siloed Wi-Fi.
Volvo, for its part, told us the problem came from one of its suppliers, but didn't say which one. And the company made clear they addressed the issue as soon as they found out about it. According to NHTSA and Volvo, roughly 11,000 cars downloaded the same faulty update. So almost as soon as they realized what happened, Volvo issued a recall. The fix, ironically, was another software update. So basically it was a bug fix to fix a bug fix.
That's something you really don't want to hear from a car dealer. Volvo said it had received three reports of related accidents, with no injuries, and that they'd stop delivering it to affected vehicles right away. And within a week they'd rolled out a patch. But as of late October, 150 drivers still haven't installed it. Which means under the right conditions, say a long coast downhill of about 90 seconds, their brakes could potentially fail too.
Unfortunately, in a world in which car companies become tech companies, software glitches like that aren't the only thing to worry about. What happens if the computer controlling the car gets hacked? I do some research and I find out that, hey, two dudes were able to kill the engine on this thing without ever laying a hand on it. After the break, what happens when the code that controls your brakes isn't broken? It's breached. Stay with us.
The fact that your car can now upgrade itself remotely, whether it's to add features or fix bugs, is in one sense really comforting. One less trip to the mechanic. But that same connection that makes updates possible is also what makes cars hackable.
There is a lot of damage that can be done through reverse engineering the software in these vehicles, finding vulnerabilities. Um, and then, you know, developing exploits. Kamel Gali is a professional car hacker. A white hat hacker, that is. He lives in Japan, where he tests cars for flaws before criminals can find them. We'll essentially analyze the system and report any vulnerabilities that we find and give the customer, uh, recommendations on how be remediated.
Ever since cars started getting screens, sensors, and GPS, cybersecurity researchers have been warning that every new feature adds a new doorway. The wake-up call came in twenty fifteen. A couple of researchers remotely took control of a Jeep Cherokee and then filmed it. Do it, kill the engine. So we're killing the engine right now. What do you say? He's not gonna be able to hear us with that radio.
So like, they were able to kill the engine on this thing without ever laying a hand on it. That was really the turning point history when they forced the whole world to like, hey, let's pay attention to this. This could have happened to someone. The scariest thing about it is that while hackers took a year looking for vulnerabilities, ultimately it wasn't some complex hack. They'd simply guessed the car's Wi-Fi password. That's all it took to turn someone's Jeep into a remote control car.
These days, at the DEF CON Hacking Conference in Las Vegas, there's an entire car hacking village where researchers can legally try to break into real vehicles to make them safe. We've got a lot of wonderful things going on here. As you can see, we've got a Rivian vehicle here that you can actually hack into. We also have a semi-truck here if you're interested in learning how to hack a semi-truck. Most modern cars contain millions of lines of code.
And according to one car hacker we talked to, there's a bug every 30 logs. That's what keeps penetration testers like Kamel busy, hunting for worst-case scenarios. What if all the ambulances or police cars in a city got ransomware and just couldn't drive unless you paid 200 Bitcoin? Well now you have a problem. That hasn't happened yet.
¶ Regulating Car Cybersecurity and Safety
And Kamel says there's a reason. After that Jeep hack, automakers began taking security seriously. Today, every update they send carries a cryptographic signature, a kind of digital seal of authenticity. So when your car is told to update, it first verifies, is this an update from the car manufacturer, or could this be a hacker?
That means that you use a private key to actually sign an update so that if the update is tampered or if there's an error in transmission, that it won't send a faulty version of that update to the target vehicles. To make sure that, you know, random people aren't able to modify the software. In the US, NHTSA issued updated cybersecurity best practices for cars, but it was just guidance. It's non-binding.
In other words, automakers are encouraged, but not required, to meet specific cybersecurity mandates in the US. And the US is a bit of an outlier. Other countries are requiring much more robust changes. There are laws now that are saying, hey, automakers, you have to invest time and money into making this happen. In Europe and Japan, for example.
In America, not yet, but we might get there someday. Japan's National Institute of Information and Communications Technology helps automakers proactively detect threats. In the European Union, the UN Regulation 155 requires a cybersecurity management system for vehicles and mandates incident notification rules. Under the EU Cyber Resilience Act, manufacturers must tell owners and regulators when a hack happens, essentially 72 hours after they know.
Michael Brooks with the Center for Auto Safety hopes the US catches up. It is completely 100% up to the manufacturers to ensure the cybersecurity of their vehicles. And right now I would say they're not doing it because security is an added expense for them that, you know, potential buyers, ultimately that's not something you're looking for in a car.
He says there are no federal standards for testing car software. Nothing like the crash test certifications we see for seatbelts. In aviation, Michael says, the feds vet plane designs before they're built. But cars are basically self certified. Manufacturers build them, check a safety box, and start selling. So the people who are supposed to be protected, the drivers, end up being the testers. And Michael argues that needs to change.
Now that we're entering, uh, this new software era, I think there should be a renewed call for that type of thing to occur in America. And Peter Rothschild, the former Volvo evangelist, couldn't agree more. The Insurance Institute for Highway Safety needs to start evaluating the software of these cars. Software controls the... And you cannot say this car is safe without evaluating the software.
The Institute told us many of its tests already involved software, around things like auto braking and lane assist, but that combing through millions of lines of code, testing every possible corner case, just isn't realistic. Still, Peter's story is a warning. The old measure of safety, the steel cages and crumple zones, no longer tell the whole story. Cars today are computers with wheels. They update themselves while you sleep and sometimes fail while you drive.
We spent a century crash testing metal. Maybe the next safety test should be for code. Because when car companies start acting like tech companies, sometimes the bugs aren't just in the system, they're on the road. This is Click Here.
¶ Weekly Tech News Updates
Here are some of the top stories in the world of tech this week. It's Tuesday, November eleventh. Meta is under fire again. This time not for what people say on its platforms, but for what they sell.
According to newly leaked documents, as much as ten percent of Meta's revenue last year, which is roughly sixteen billion dollars, came from advertising scams and banned goods. I mean, fifteen billion, uh, exposures to paid scam attempts every day, just on Meta's platforms. It's a lot. The lot includes fake investment schemes, counterfeit medicine, even illegal casinos, all appearing as sponsored posts.
Meta reportedly bans advertisers only when it's ninety-five percent certain that they're scammers. If it's less than certain it simply charges them more for the privilege of advertising. Reuters reports that Meta executives have discussed cutting down on scam revenue, but they're worried that to do so too quickly will hurt their bottom line.
Meanwhile, in Europe, a reminder that even the rule makers of privacy aren't immune to being tracked. Journalists posing as ad tech workers bought access to the location data of hundreds of EU applications. The datasets they bought included six thousand GPS points tied to more than... track commutes, favorite restaurants, even home addresses of Parliament staff.
All that in spite of the continent's super strict GDPR privacy law, which is supposed to require consent for data collection. It turns out plenty of mobile apps still gather and sell user data without clearly... So the European Commission called the findings worrying, and yes, they've issued another set of guidelines. The Congressional Budget Office confirmed Thursday that it was compromised by a hack.
The breach may have exposed emails between the CBO and congressional offices, the kind of insider ... policy analysis that foreign intelligence agencies crave. The CBO is where economic forecasts are born and where lawmakers quietly figure out how much their ideas might cost. China, for its part, denies any role in the break-in.
And finally, the holidays have arrived early, and so has the backlash. Coca-Cola released a new AI-generated Christmas ad, a minute-long swirl of animated nostalgia that some viewers have called unsettling. The ad features Coca-Cola trucks rolling through a snowy town and a menagerie of polar bears, squirrels, and sloths that look to be of completely different algorithm. According to the Wall Street Journal, the final cut used 70,000 AI-generated clips and more than a hundred human editors.
Coke says this new ad took less time and money than their usual holiday offerings. Viewers say it cost the drink known as the real thing something else. Authenticity. Click Here is a production of Recorded Future News and PRX. Today's episode was written and produced by Dina Temple-Raston, Megan Dietrich, Sean Powers, Erica Gaida, and me, Zach Hirsch. I was the lead producer on this episode. The story was edited by Karen Duffin.
Checked by Darren Ankrum. It contains original music by Ben Levingston with additional music from Blue Dot Sessions. Our staff writer is Lucas Riley, and our illustrator is Megan Goff. Jesse Niswanger and Jake Cook are our sound designers and engineers. Join us Friday for Click Here's Mic Drop, when Kamel Gali explores the dark side of connected cars. People want new features. It's a never ending battle between you know.
