How the Unelected Globalists Pretend to be Helping Us
While actually making life harder and more expensive
We keep hearing about how unelected globalist groups like the United Nations (UN) and their Economic Commission for Europe (ECE), whose impact seems to extend a long way outside Europe, the World Health Organisation (WHO), World Economic Forum (WEF) and others believe that the regulations, recommendations and control they seek to impose over us from their shiny expensive ivory towers are intended to increase safety and improve our lives. But yet again this week I quite literally tripped over another example of how these claims are, at best, window dressing and, at worst, complete and utter lies.
How modern connected Headlights can get your car stolen
Some of you this week may have seen at least one of the multiple headlines (for example: here, here and here) describing a new car theft method that uses the wiring loom connector at the back of your new car’s headlights as a portal to access and hack into the car’s computer network. You won’t have seen it in the mainstream media however, as they seem to have had a complete blackout on the story. It has only been reported in the tech and vehicle news channels, and even then, mostly in the secondary channels that are not affiliated with mainstream media sites.
It seems that in as little as two minutes, youth intent on stealing your car can rip open the corner of the plastic bumper on your car, access the wiring connector behind the headlight, and use some wires hanging out of a modified bluetooth speaker to unlock, start and steal your ride.
“But…” you might ask. “How can this be? Surely my headlight just… well… makes light?”
While from the outside this may seem to be true, in trying to ‘help us’ and ‘reduce the ability for car thieves to sell on the parts they strip from stolen cars’, car manufacturers have added computer chips to almost every minor component of modern motor vehicles, with software checks that continuously poll each item across the car’s CANBUS network to make sure it reports as belonging to ‘your’ car. This all sounds great until you realise that all it has created is a mainstream (and cottage) industry in selling compute devices like AUTEL’s MaxiSys that the backyard and driveway mechanic can use to code these parts, and forums and YouTube channels that show you how to ‘hack’ the software settings within the car’s computer to accept or ignore these ‘foreign parts’.
I had seen the articles but it wasn’t until some idiot and his mates tried, and failed, to do it to my own car (we’ll come back to this later) that I started to investigate the issue more and ask questions.
I pose four questions:
Has chipping and coding all these minor parts made them function better?
No. The headlights, fuel pumps and other components work the same way they used to. They are just more complex now. And while some would argue it allows for better monitoring of functionality of the overall vehicle - that complexity really does little more than create more avenues and opportunities for failure…. and increase the cost for the legitimate consumer.
Has chipping and coding all these minor parts made them harder to steal, sell or reuse?
No. Because there are a range of tools and services (and even an app I have on my iPhone) that will simply and easily reprogram a part and make it appear to belong in your car. People purchasing used parts online have no more knowledge now as to whether the part came from a wreckers yard or was stripped from a stolen car than they ever had. Therefore, the primary intention that motor vehicle manufacturers and regulators claimed for chipping and coding these parts was an abject failure. Or possibly a smoke screen for something else… revenue raising perhaps?
Has chipping and coding all these minor parts made the overall vehicle more secure?
No. And as we are seeing, the fact that your stereo headunit and even the headlight at the very periphery of your car is connected to the core network alongside the computers that control the door locks and engine immobiliser means that as these parts have been chipped and added to the car’s network, they have actually dramatically reduced overall vehicle integrity and security.
Isn’t there regulation that is supposed to require vehicle manufacturers to separate and secure the car’s most important functions from these secondary systems?
Yes. The key premise of implementing the UN ECE WP.29 Cyber Security Management System for Motor Vehicles in 2021 was that manufacturers would do two things. First, ensuring that components like the headlights, entertainment units, 4G internet router (for maps and navigation) and other potentially more risk-prone non-critical systems were kept separate from the network that runs the security, engine management, braking and collision avoidance tech. And second, ensuring that each component as it is designed, built, coded and comes along the supply chain is kept secure, and that when integrated into the finished product security is tested and issues like this are identified before they can affect the consumer.
At least this is what we were told UN ECE WP.29 would do.
The UN ECE WP.29 Agreement for Harmonising Vehicle Regulations
In 2021 the UN ECE World Forum for Harmonisation of Vehicle Regulations Working Party 29 (UN ECE WP.29) released their new regulations for Cyber Security and Cyber Security Management Systems (CSMS) Regulation for motor vehicles. I had feelings of incredulity at the time for how the UN ECE WP.29 group drafted their new regulation, and how they saw it working in the real world. While I worked with a small group that included researchers and experts in law, software development, solution architecture, computational statistics and risk to write a paper analysing and describing the new regulation that was being forcibly imposed over UN member states, I couldn’t shake the feeling that UN ECE WP.29 was just another piece of regulation for regulation’s sake. That it was a toothless old lion intended to draw onlookers and revenue rather than actually solve any existential problem.
“There… Look… We did something. Problem solved…. next?”
Before we get too heavily entrenched in technical weeds, and given that for the most part I and the other Substack authors I often cross-post with have been discussing matters of health and health data - you may be wondering what our ‘cred’ is in looking either at law and regulation, or even motor vehicle software and safety.
Professor Fenton has authored several peer reviewed papers and books on software engineering, security, analysis and safety assessment (here, here and here). And for my part I have graduate and postgraduate law degrees with a focus in both Cyber Regulation and Health Law, and more than a decade’s experience as a solution architect laying down the framework and policies under which new software and hardware solutions for critical infrastructure in local governance and national health information technology would be developed and implemented. As a group we have also been involved in designing and conducting tests of semi-autonomous vehicle systems as part of our wider research remit (here).
I recorded a video in 2021 explaining the UN ECE’s CSMS, but the key thing to remember is that this new regulation was seen ostensibly at the time as a knee-jerk reaction to the research of Charlie Miller and Chris Valasek, the threat of vehicle hacking that has never really seemed to materialise, and the mainstreaming of their research ideas in the movie: The Fate of the Furious.
In brief:
Member states are required to establish an office that will oversee certification of new vehicle types and models. Once a member state has certified a vehicle type or model, other member states are required to do little more than accept that vehicle type or model’s certification and allow it for sale.
Annual vehicle fitness checks (roadworthiness inspections) are also to include new checks of the software environment in the vehicle to ensure all software updates and patches have been applied - being as this will be little more than a ‘version numbers check’ it means that manufacturers could mirror issues seen in the smartphone universe where they rush out releases that negatively affect the stability of the product (or battery life), but we would be required to install that patch in order for the vehicle to pass our fitness check and continue to be legally allowed for use on the road.
As part of the certification process manufacturers must show that they have investigated their entire supply chain for potential cyber security issues - which is an odd one because it basically makes BMW, Mercedes and every other manufacturer responsible for ensuring that every supplier from the venerable Bosch all the way down to some Chinese tech factory that makes a switch or button has implemented a cyber security policy, procedures and reporting processes. Further, the manufacturer is responsible for testing the built vehicle type or model for known security issues (so they can argue that if they didn’t know it was an issue, they didn’t have to test for it). They are required to advise all markets of the security issue if found, and to provide a resolution in short order. If the manufacturer happens to identify a new issue that is presently unknown (i.e. that hasn’t been reported yet in the wild), the regulation creates a loophole wherein the manufacturer could sit on the knowledge of this new weakness until they have a solution, and then only apprise the world of the issue as they rollout the fix. This would leave vehicles in the market vulnerable to the issue until such time as either the manufacturer is willing to own up to its existence, or, like this headlight issue, until it becomes so notorious that it can no longer be denied.
What does this regulation really do?
Has this regulation forced manufacturers to resolve the issue that Charlie Miller and Chris Valasek identified wherein the stereo entertainment headunit of the car can be used to gain access to the entire vehicle’s systems?
No. In fact one need only look at the latest Mercedes and BMW vehicles to see that the entertainment system has become an even more integral component of the core network of the car - capable of controlling many critical components and even over the air software updating of the engine management and collision avoidance systems. There are now even more apps like Bimmercode, Bootmod3 and Carly that allow you to reprogram, reset and change manufacturer settings within your car - and most of them have some ability to integrate with both the OBD2 port and the stereo headunit.
Are fewer cars being stolen since WP.29 came into effect?
Again, No. Headlines last month proclaimed that there had been a 29% increase in car thefts since the implementation of WP.29 in 2021. While the article sets out by claiming older cars are preferred by thieves for smash and grab type thefts, the top 10 list of cars being stolen in the UK includes several current model Land Rover, BMW and Mercedes vehicles. Similarly, during 2022 police uncovered and closed more than 32 illegal ‘chop shops’ where these newer vehicles are being parted and the parts re-coded or wiped and made ready for the resale market.
Therefore the only key impact of this regulation has been cost. The additional effort for manufacturers and the costs in each member state for the creation of an authority to monitor vehicles for UN ECE WP.29 would, it was estimated at the time, add between £2,000 and £5,000 to the cost of a new car and increase fitness/roadworthy check costs to owners by 50% or more.
Coming Full Circle
In coming back full circle I return to my own experience.
While I was parked nose out in the carpark of a small group of shops in a large UK city, and while I was not more than 30 feet from the vehicle in the front of one of those shops, two youth in a 20 year old black Ford Mondeo pulled up across the front of my car. They appeared to be sitting in the car talking, which drew little attention from me or anyone else. Then, a small white Citroen Berlingo (or similar) van pulled up between them and the shopfronts, blocking our view of both my car and the two chaps in the black car. What I did notice was that the driver of the black car got out, and could be seen talking to the driver of the white van through the van’s passenger side window. I suspect he was actually acting as a spotter.
At this point the passenger from the black car must have jumped out and gone to the driver’s side bumper of my late model sedan. He attempted to pull the bumper from the car starting at the corner clips… only at this point he must have realised something was different.
You see, the vehicle I drive looks for all the world from the outside like the standard 2020-2022 model… but under the surface several key aspects are different. It was built in 2020 to be what the car industry calls a ‘test mule’ for the autonomous remote driving features of the just-released new model. Under the skin of the front and back plastic bumpers are completely different bumper structures - with attachments for and the presence of additional sensor and camera modules. In order to install the standard 2020-2022 model headlights they had had to install pressed aluminium cages to slide the headlights into place (on a typical car your headlight module is held in by three easy bolts that the car thief can unscrew in seconds). My headlights are attached at the rear, held in place by four bolts that can only be accessed under the plastic cowlings in the engine bay. But our idiot thief didn’t even get that far. While many cars with Level 2 Lane Change Assist and blindspot detection will have a single small radar module inside the plastic bumper in each of the four corners, a second larger radar module had been installed to both corners of my front bumper. This module is a stainless steel box about 5 inches square and is bolted onto the steel frame of the inner bumper bar. As our idiot car thief pulled the plastic bumper out he came up against this larger secondary side radar module… in its large stainless steel box, and realised he was never getting past it to the headlight’s wiring loom. Not that, as I mentioned above, it would have helped him anyhow. He gave up, left my bumper unclipped and in seconds both the black Mondeo and the white van had vanished.
Leaving this interesting device resting on the windscreen against the driver’s side wiper blade:
Inside it has both the JBL speaker circuit board, and some extra components wired into the battery circuit. Using two little grey wires it can apparently be connected to the main data wires that run throughout your car - creating a floodping of messages that saturate the network and just like when you are trying to hear your friend talk at the pub, making it hard for the car’s network to understand and verify what is really being said.
From reading online it seems that as the network becomes totally overwhelmed, this magical little device sends a door unlock signal. The car’s network can’t get a word in edgewise to run the normal keyfob validations, so it ‘assumes’ the request is legit and opens the doors. Next, it sends an initiation signal to the Engine Control Module to start the car. And again, being as the computer network is so saturated with traffic it cannot run the usual verifications, the car just fires up.
This device simply takes the old computer Denial of Service (and Distributed Denial of Service) attack and runs it, at scale, on the car’s CANBUS network. If it wasn’t for the fact that WP.29 was supposed to have ensured that all these networks were firewalled and separated, you could love the ingenuity of it.
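The separation this article says WP.29 was meant to guarantee can be modelled as a default-deny gateway sitting between the headlight segment and the core bus. The Python below is an added example, not code from this article or from any manufacturer; the arbitration IDs, the `can1` interface name, the rate budgets and the candump-style log lines are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque

# Hypothetical arbitration IDs, constructed for this example.
LAMP_STATUS, LAMP_FAULT = 0x3A0, 0x3A1    # legitimately sent by the headlight module
DOOR_UNLOCK, ENGINE_START = 0x2C5, 0x1F0  # core-bus commands, never from lighting

IFACE_ZONE = {"can1": "lighting"}          # assumed: can1 is the headlight segment
# Per-zone allow-list: ID -> max frames forwarded per one-second window.
ALLOW = {"lighting": {LAMP_STATUS: 20, LAMP_FAULT: 5}}
WINDOW_US = 1_000_000

LINE = re.compile(r"\((\d+)\.(\d{6})\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")


class ZoneGateway:
    """Default-deny forwarder between an exposed segment and the core bus."""

    def __init__(self, allow):
        self.allow = allow
        self.recent = defaultdict(deque)  # (zone, id) -> timestamps of forwarded frames
        self.alerts = []                  # (ts_us, zone, id, reason)

    def handle(self, ts_us, zone, can_id):
        budget = self.allow.get(zone, {}).get(can_id)
        if budget is None:                # ID has no business crossing this boundary
            self.alerts.append((ts_us, zone, can_id, "id-not-allowed"))
            return False
        q = self.recent[(zone, can_id)]
        while q and ts_us - q[0] >= WINDOW_US:
            q.popleft()                   # slide the one-second window
        if len(q) >= budget:              # allowed ID, but arriving as a flood
            self.alerts.append((ts_us, zone, can_id, "rate-exceeded"))
            return False
        q.append(ts_us)
        return True


def sample_log():
    """Constructed candump-style lines: normal status, a flood, two spoofed commands."""
    lines = [f"({100 + i // 2}.{(i % 2) * 500000:06d}) can1 3A0#0100" for i in range(5)]
    lines += [f"(105.{i * 1000:06d}) can1 3A0#FFFF" for i in range(200)]
    lines += ["(105.200000) can1 2C5#01", "(105.250000) can1 1F0#01"]
    return lines


def replay(lines, gateway):
    """Feed log lines through the gateway; return (forwarded, alert counts by reason)."""
    forwarded = 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # ignore anything that is not a frame record
        ts_us = int(m.group(1)) * 1_000_000 + int(m.group(2))
        zone = IFACE_ZONE.get(m.group(3), "unknown")
        forwarded += gateway.handle(ts_us, zone, int(m.group(4), 16))
    return forwarded, Counter(reason for *_, reason in gateway.alerts)


if __name__ == "__main__":
    gw = ZoneGateway(ALLOW)
    print(replay(sample_log(), gw))
```

A filter like this only helps when the lighting segment is a physically separate bus behind the gateway; on a single shared bus any node can transmit any ID, and there is no boundary at which to enforce the allow-list.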
You might be forgiven for asking at this point what WP.29 could possibly have done for a vehicle that was manufactured about 14 months before the regulation was brought into force. I thought that too. Leaving aside that manufacturers have known this regulation was coming since 2018, any car coming out today is supposed to either be compliant, or to have an exemption (due to having been designed before WP.29 came into effect). The new replacement model for my car (that can be ordered with the remote autonomous driving functionality) has just begun hitting showrooms, so I went to my local dealership and sat with one of the technicians as we tested this particular hack on that car.
Guess what? It worked. We started that brand new car with only 7 miles on the odometer in under 3 mins simply by touching the two grey wires from the little JBL speaker to the correct pins on the back of the headlight connector. When we looked at the manufacturing diagrams for the new model’s CANBUS network we found that the entire car had a single contiguous network that while on paper the manufacturer presents as being subdivided into ‘zones’, was, on our testing, anything but. Using the OBD2 port and a scanner we were able to access and manipulate settings in any part of the vehicle’s network - and indeed in more than 130 different compute modules.
Has WP.29 changed motor vehicle cyber security?
No
Do car thieves know this?
Hell yes.
Are you paying for this Unelected Globalist-led fake safety and security?
Every. Damn. Day.
It’s embedded into how the WHO will take control of our countries after a pandemic. How they all propose we deal with the ever-impending but never happening climate doom. And even how they plan to feed us in future.
They will control it all. They will tell you it is safe, secure and effective. And you will pay for it. Possibly even with your life.
"in trying to ‘help us’ and ‘reduce the ability for car thieves to sell on the parts they strip from stolen cars’, car manufacturers have added computer chips to almost every minor component of modern motor vehicles, with software checks that continuously poll each item across the car’s CANBUS network to make sure it reports as belonging to ‘your’ car."
That's obviously bullshit.
That "feature" is NOT to "help" us, it's to lock us into a regime of needing to buy overpriced replacement parts, and spend extra getting dealers to program them. It has nothing whatsoever to do with preventing theft. It's about killing DIY auto repairs and small independent repair shops.
"the primary intention that motor vehicle manufacturers and regulators claimed for chipping and coding these parts was an abject failure. Or possibly a smoke screen for something else… revenue raising perhaps?"
Yes, revenue-raising, of course. What few ever do is to follow the money timeline far enough. Auto manufacturers employ some of the most sophisticated analytics available, and have done for many decades.
Of particular interest to them is regulatory capture, and no wonder. If they do not adapt to.... say, changing emissions standards, for instance, they will fail compliance and be prevented from shipping product. One need only review the Volkswagen diesel emissions scandal to obtain a rudimentary grasp of how this works and what is at stake.
They are smart people that are better at reading the "tea leaves" of governmental shifts far more accurately than anyone gives them credit for, and their planning timeline spans decades.
Research and development is costly, and those costs must be amortized. As always, it is the consumer that shoulders those costs.
Anyone who thinks that consumer demand drove the addition of a "one touch down" window feature, isn't paying attention. This feature is a prime example, because there is no weight (emissions) or material (sourcing cost reduction) advantage to replacing a twelve volt wire from switch to window motor with a low-voltage signal and a DDM (Driver Door Module.)
The endpoint is autonomous vehicle deployment as prevention of private ownership, a whole-of-government approach deployed in conjunction with housing development to accommodate regulatory agendas. The replacement of simple and effective automotive subsystems is not driven by consumer demand for more features, except peripherally as a matter of competition between brands, driven by salesmanship that always leverages the weaknesses exposed by behavioral science and simple observation of the power of consumer envy.
The primary financial winner of this game is the tech sector and the biggest loser is the consumer.
The automotive manufacturers have only two choices; adapt to the evolving regulatory environment or die.
Of COURSE it's all about the money; always only and ever. There is no moral determinant to this, it's an economic necessity and economic necessities are also part of how we are fed and sheltered.