Some parts of the UK press have been reporting recently on the “discovery” of “hidden Chinese tracking devices” in a UK Government car (the original inews report is behind a paywall).
The reports quote a “serving member of the British intelligence community” as telling the i newspaper: “It [the tracking SIM] gives the ability to survey government over a period of months and years, constantly filing movements, constantly building up a rich picture of activity. You can do it slowly and methodically over a very, very long time. That’s the vulnerability.”
Furthermore, the report goes on to say that “a former GCHQ analyst told the paper that it was unlikely that this was a targeted operation focussing on a single politician but rather represented a broad data mining approach by the Chinese Communist Party.”
(Sensible comment from a GCHQ staffer.)
The (ex) staffer apparently continued “It’s more about quantity rather than anything specific. The aim is to put trackers in as many cars as possible and then pinpoint in on sights (sic) of interest. If you’re stepping back a bit and saying what cars do park outside GCHQ or somewhere like Porton Down then you have the pool of information there if you ever need it.”
The reporting continues to say:
A former senior intelligence officer also claimed that the threat of Chinese technology is potentially huge, noting:
Can the Chinese track our politicians if they want to? Yes. Can the Russians track our politicians if they want to? Yes. Can they listen to what they’re up to in the cars? If they’re tracking them, and they want to do that, of course they can.
To which I say, “no shit, sherlock”.
Let’s put this into perspective. The UK and US intelligence services have been talking publicly about hostile Chinese surveillance of Western Society (including active electronic spying attacks on UK companies and individuals) for years. In November 2007. Jonathan Evans, the then Director General of the Security Service said in an address to the Society of Editors:
This year, yet again, there have been high levels of covert activity by foreign intelligence organisations in our country. Since the end of the Cold War we have seen no decrease in the numbers of undeclared Russian intelligence officers in the UK – at the Russian Embassy and associated organisations conducting covert activity in this country.
So despite the Cold War ending nearly two decades ago, my Service is still expending resources to defend the UK against unreconstructed attempts by Russia, China and others, to spy on us. A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense. They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks. It is a matter of some disappointment to me that I still have to devote significant amounts of equipment, money and staff to countering this threat. They are resources which I would far rather devote to countering the threat from international terrorism – a threat to the whole international community, not just the UK.
In 2009, Evans went on to say:
Events over the summer in the United States underlined the continuing level of covert intelligence activity that takes place internationally. Espionage did not start with the Cold War and it did not end with it either. Both traditional and cyber espionage continue to pose a threat to British interests, with the commercial sector very much in the front line along with more traditional diplomatic and defence interests. Using cyberspace, especially the Internet, as a vector for espionage has lowered the barriers to entry and has also made attribution of attacks more difficult, reducing the political risks of spying. And cyber espionage can be facilitated by, and facilitate, traditional human spying. So the overall likelihood of any particular entity being the subject of state espionage has probably never been higher, though paradoxically many of the vulnerabilities exploited both in cyber espionage and traditional espionage are relatively straightforward to plug if you are aware of them. Cyber security is a priority for the government both in respect of national security and economic harm. Ensuring that well informed advice is available to those who need it, including through the use of private sector partners is, and will remain, vital.
As recently as July 2022, the current Director General of the Service, Ken McCallum was joined by the FBI Director Christopher Wray in a joint speech where he warned of the threat posed by the Chinese Communist Party to UK and US interests. In that address he said. inter alia:
Our subject for today lies right at the opposite end of the spectrum. Rather than lone actors, a coordinated campaign on a grand scale. Rather than lightning pace, a strategic contest across decades. Rather than the actions of volatile individuals, we see planned, professional activity:
The most game-changing challenge we face comes from the Chinese Communist Party. It’s covertly applying pressure across the globe. This might feel abstract. But it’s real and it’s pressing. We need to talk about it. We need to act.
McCallum went on:
The scale of (CCP’s) ambition is huge. And it’s not really a secret. Any number of public strategic plans, such as Made in China 2025, show the intent plainly.
This means standing on your shoulders to get ahead of you. It means that if you are involved in cutting-edge tech, AI, advanced research or product development, the chances are your know-how is of material interest to the CCP. And if you have, or are trying for, a presence in the Chinese market, you’ll be subject to more attention than you might think. It’s been described as “the biggest wealth transfer in human history”. MI5 teams see the CCP working to extract UK advantage in multiple ways.And then there’s Cyber. A wide range of government and commercial targets were attacked by the three so-called ‘Advanced Persistent Threat’ groups which the UK government has attributed to China’s Ministry of State Security. Over the last year the UK has shared intelligence with 37 countries to help defend against such espionage. In May we disrupted a sophisticated threat targeting critical aerospace companies.
The UK’s National Cyber Security Centre (a part of GCHQ) has, since it inception in 2016, continued to warn about the inherent vulnerability of much of what is now becoming known as the “Internet of Things” (IoT), i.e. all those increasingly intelligent, (and internet connected) devices embedded in everything from your TV, your sound systems, your baby monitor, that CCTV camera you bought off ebay, your mobile devices, and yes, your car, through to the more obvious network infrastructure of your routers, your PCs and printers and your tablets (including those things you give your kids to play with).
At a speech in Singapore in October last year, Lindy Cameron, the CEO of NCSC noted that:
Consumer level IoT has exploded in scale over the last decade or so. There were 8.4 billion devices or ‘things’ connected to the Internet in 2017 and it is estimated that there will be a staggering 75 billion by 2025. At an enterprise level, the story is very similar. The proliferation of IoT has been rapid and very broad-based. Network printers, smart building management systems and security products are being used to boost productivity and automate repetitive tasks. And at a city level, we see the growth of technology to manage transport, waste, CCTV, streetlights, traffic lights, parking and public services such as health and social care or emergency services. At every level, individual households, businesses, cities and local governments are keen to reap the benefits of ‘smart devices’. The benefits are obviously compelling. They provide a range of critical functions and services to us all. This should be an opportunity, not a threat.
But Cameron went on to say:
But the sheer scale of changes that we are talking about, and our growing dependency on technology also brings risks. That is why now is the time to make sure we’re designing and building them properly. We all know that connected places are an evolving ecosystem, comprising a range of systems that exchange, process and store sensitive data, as well as controlling critical operational technology. Unfortunately, this makes these systems an attractive target for a range of threat actors. The threat posed by nation states is particularly acute. Some countries will seek to obtain sensitive commercial and personal data from other nations, including from us in the UK. These countries may also seek to influence a supplier or cause disruption to overseas services. Suppliers that are part of corporate groups based in these countries may be subject to influence from the host government to access and exfiltrate data from connected places, in support of that government’s security and intelligence services. Such suppliers may also be used as a vector for an attempt to take down an essential service overseas, causing possible destructive impacts and endangering local citizens, if systems were switched off.
And as long ago as early 2016, James Clapper, the then US Director of National Intelligence admitted that intelligence agencies “might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment”.
Further back in March 2012, CIA Director David Petraeus, enthused:
Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters – all connected to the next-generation internet using abundant, low-cost, and high-power computing.
Guess where the majority of IoT devices are maufactured. Outside of the US itself, which country has the largest electronic fabrication capability? And which Country produces the majority of either components for, or indeed complete domestic electronic appliances? China, by a long way.
According to data published by the United Nations Statistics Division, China is the world’s manufacturing superpower, acccounting for 28.7% of all manufacturing output in 2019.
According to the Allamericanmade website:
China’s national economy is ranked second in the world, the first being the United States. On the other hand, China is the world’s number one exporter of goods and has held that title since 2009.
and
China is the world’s largest manufacturer of electronics. Chinese factories are often set up so that parts and components factories are nearby where the final assembly factories are located to cut down on logistics time
According to the Chinese Press itself in 2019:
China is the world’s largest producer, consumer and exporter of consumer electronics, said an official from the country’s Ministry of Industry and Information Technology (MIIT) on April 8.
China also remains the world’s largest manufacturer of mobile phones, computers and televisions, respectively producing over 90 percent, 90 percent and 70 percent of these devices in 2018.
At a seminar held in Shenzhen on Monday, Qu Xiaojie, director of the Division of Consumer Electronics, MIIT, introduced that China has the largest category of consumer electronics in the world, and is also leading in associated industries, technological application and services.
Statistics indicate that China produced 1.8 billion mobile phones, 300 million computers and 200 million televisions last year.
Additionally, shipments of smartphones, personal computers and televisions made in China accounted for 27.8 percent, 20 percent and 20 percent of the global total, respectively.
The country’s export value of major electronics including mobile phones, computers, televisions and sound equipment stood at $294.7 billion, or nearly 12 percent of China’s total export.
Now to move specifically to cars. The automotive industry has long been interested in standardising software for use in vehicles. The motivation is, as always, cost reduction, but the evolution of what the industry calls “connected cars” has given the industry a new set of opportunities for monetising the software in use.
Back in early 2018, the RAC defined “connected cars” thus:
Connected cars are part of ‘the internet of things’, a term used to describe everyday objects that can be connected to the internet in an attempt to make your life easier. As well as giving you the ability to control these objects remotely (often by using an app on your smartphone), these gadgets will also communicate with each other.
The RAC goes on:
Connected cars are cars that are connected to an external network in some way. Whether that’s connected to your phone, via bluetooth, connected to GPS with its own dashboard sat nav system, or connected to the internet, from an internal SIM. Most commonly the term relates to cars that have their own internet connection, usually via an embedded SIM card, allowing them to remain online or ‘connected’ at all times. This gives them added functionality and allows you to communicate with your car when you are not with it, usually via an app on your smartphone. It’s not technology of the future either, as we’re already seeing them on our roads.
Furthermore
Growing numbers of new cars are being offered with Apple CarPlay and Android Auto, which mirror your phone’s screen to the car’s infotainment display and also makes your car connected. Even in-car assistants, such as Amazon Alexa, are being offered in new cars, allowing people to issue voice commands without taking their hands off the wheel. Many premium cars have their own 4G internet connection that can be used by passengers via a Wi-Fi hotspot, while a number of cars also offer roadside or emergency assistance at the touch of an SOS button. The most well-known of this kind of feature is Vauxhall’s OnStar, which offers a range of services, from dialling a call centre at the touch of the button to automatically calling the emergency services if you’re involved in a crash. Most in-car satellite-navigation systems now receive traffic updates, allowing you to divert to avoid congestion, while many cars will save their location on your phone, helping you find the vehicle when parked. Some cars also allow you to start them remotely, meaning you can defrost them and warm up the interior on a cold morning.
And these are not really new capabilities, as the RAC article points out:
Connected cars are nothing new. The first connected cars appeared around 20 years ago in the USA. General Motors worked with Motorola to introduce its first version of OnStar in the 1996 Cadillac DeVille, Seville and Eldorado. This was a basic system, which would connect the driver to a call centre in the case of a crash that triggered the airbags. As technology advanced, it would also allow the call centres to view the car’s location using GPS. BMW Assist was introduced as an answer to OnStar in 1997, while Mercedes-Benz launched its similar TeleAid system in 1999, allowing cars to be tracked via telematics in case of theft. The early 2000s saw connected car features becoming more commonplace, with OnStar reaching its fourth-generation and providing real-time traffic information as well as remote door locking and unlocking.
Sound scary? Oh yes indeed.
On a personal note, when I bought my current car (a Vauxhall) last year, the salesperson could not understand why I opted for the model with the “old fashioned” satnav system rather than using the embedded google maps/apple carplay capability. Now I may be forced (by virtue of my choice of vehicle) to accept the embedded capabilities of Vauxhall’s Onstar system (which provides telemetry data to Vauxhall – ostensibly to “protect me in case of an accident”), but I’ll be damned if I will voluntarily provide any real time data to google if I can avoid it. And anyway, my mobile does not have google maps on it.
If you live in the UK or EU you can’t get away from automated vehicle connectivity though. Since 31 March 2019, all new vehicles with an EU type approval must be equipped with an automatic emergency call system. This means that if you have an accident, the vehcle will call home and give details of your location without any intervention from you. Of course, this capability means that the vehicle must perforce have geo-location and telemetry capability built in. Whether you like it or not.
BMW has been a leader in connected car technology for some time. Their history of the connected car notes in particular that:
In 2004 the SIM card entered the first BMW cars. Thanks to this, drivers were able to access messages, the weather and office functions while online. On the other hand, the SIM card allowed for forecasting of congestion: Anonymous tracking created the possibility of making reliable predictions of heavy traffic and jams. All in all, the SIM card was a further important step towards the connected car.
Note that 2004 is over 18 years ago. This aint new.
BMW goes on to enthuse:
It began in 1998 with the name BMW Assist, and today exists in 45 countries: BMW ConnectedDrive is one of the forerunners in the automobile industry’s digital transformation. In 2018, four million customers already used ConnectedDrive services, underlining both the innovation and its practical use. With this, the connected car became a part of the driver’s digital life and is becoming easier and easier to control with natural language, like for example with the BMW Intelligent Personal Assistant.
However, BMW has an interesting history of “innovation” in the connected car. In particular it (along with Tesla and Mercedes) has found a way of directly monetising the communication capabilites of the car throughout its lifecycle.
BMW sells you a “ConnectedDrive” account with the car when you buy it. The account allows you to purchase certain options or upgrades with the vehicle (such as additional infotainment options, or remote starting etc.). The proprietary software industry has run this sort of scam for decades. You buy a licence for certain features in the software. The features are all already there, it is simply just a case of a licencing change to switch them on or off. BMW has taken this model to its logical conclusion with in-car software. Rather than having to ship a variety of different spec levels of car, they produce a more limited range and then offer the enhancements as software upgrades. Back in March 2021 one Will Ballard noted on Twitter that “upgrades won’t even transfer over to a new driver if they purchase the car off you as they are attached to your connected drive account”. So. unlike when you buy an unconnected car with lots of upmarket options (which many used car buyers do because they can then afford more bells and whistles than if they bought the same model new) the buyer of a used BMW does not get the bells and whistles unless he pays (again) for them.
Neat trick. (I call this “brakes-as-a-service….” Think about taking this to its logical conclusion….)
In early 2021, McKinsey wrote about how car manufactures could “unlock the full life-cycle value from connected car data”. In that article, McKinsey said:
Connected cars provide a unique customer experience while simultaneously delivering cost and revenue benefits to mobility companies, including OEMs, suppliers, dealers, insurers, fleets, tech players, and beyond. To date, however, most players have overlooked opportunities to monetize data from these vehicles — a significant oversight, considering how companies in other industries are aggressively generating value from data. In fact, seven of the ten most valuable companies in the world already generate billions in profits from data-based services. These businesses include both new attackers and tech companies. Players in traditional industries are increasingly following the same path and transitioning from hardware to software-as-a-service (SaaS) and subscription businesses.
In discussing what they characterise as “slow progress with connectivity and data monetization”, McKinsey went on to say:
Many OEMs have struggled with connectivity or related software developments, resulting in poor customer reviews and delayed start of production. Only a few get the software-defined car right, and even fewer fully monetize vehicle data. Those companies that do successfully differentiate themselves focus on three important activities:
– providing end-to-end access to 1 to 2 terabytes of raw data per car each day to enable continuous product and service improvements.
– focusing on monetization throughout the vehicle life cycle through recurring revenues from monthly subscriptions, such as those for premium connectivity services, and paid over-the-air (OTA) upgrades, which may eventually include those related to full-self-driving capabilities.
– bringing services from the idea stage to vehicle integration in up to six weeks using dedicated end-to-end teams — a strategy that has helped some players, especially new OEMs specializing in electric vehicles (EVs), achieve record-high valuations, even though their sales are a fraction of the sales of their much larger peers.
Most companies are much less successful than the leaders in profiting from connected cars and monetizing information.
(Note that “1 to 2 terabytes of raw data per car each day”. I find that statistic terrifying (if a little suspect). Where is all that data going? How well is it protected? Is it anonymised? If not, is it aggregated with other personally identifiable information (drawn from the connected mobile ‘phone for example)? Who, beyond the intended recipient of the data, has access to that data? How, if at all, can I opt out of this data collection? Who can I hold accountable for its (mis)use?).
McKinsey (as would be expected of a US Business Consultancy) add somewhat wistfully, that:
Monetization from car data has thus grown more slowly than we anticipated in our 2016 report on this topic, which was published at a time when the industry seemed to hold great promise.
Read – Great promise of monetising your data, all 1-2 terabytes per day of it.
That said, if the automotive industry has had connected car capability for as long as it has, and has (knowingly) included components with embedded communication capabilities in its vehicles, and furthermore has (knowingly) sourced those components from China, why should (unidentified) “security and intelligence” professionals now be so suprised at that fact. And why is the press making such a fuss about it now?
Answers on a postcard please – to the usual address.