Could North Korea hack a Tesla? The terrifying truth about Netflix’s Leave the World Behind
For anyone who remembers the Government’s “Protect and Survive” leaflets of the 1980s, the recent advice from deputy Prime Minister Oliver Dowden may have had a familiar ring.
While touring the Porton Down defence lab in his capacity as Minister for Disaster Preparedness, the country’s “Doomsday Czar” issued an update on how to survive Armageddon in the digital age.
It is no longer enough, it seems, to hide in a cupboard with a stash of baked beans, as “Protect and Survive” advised in the event of a nuclear strike. Today’s apocalypse, Mr Dowden warns, is just as likely to be a cyberattack – making an old-school radio essential as well.
“The world has changed unrecognisably and our society is highly reliant on digital infrastructure,” he said. “It used to be that everyone could access a battery-operated FM radio. How many people actually have that kind of communication device now, that isn’t reliant on digital and electric?”
If Mr Dowden’s warnings aren’t enough to make you add an FM radio to your Christmas list, you may change your mind if you watch Leave the World Behind, the new Netflix movie about a catastrophic cyberattack. (Warning: spoilers follow.)
Julia Roberts and Ethan Hawke star as the Sandfords, a New York couple who take their children on an Airbnb break in rural Long Island, keen for 48 hours off from phones and screens. They get that in spades, as malign cyber-forces start to play havoc with more than just the Wifi.
First, a giant oil tanker ploughs into the beach where they’re sunning themselves, its GPS navigation system awry. Then the mobile phone network goes down, plus the signal on the fancy flatscreen TV. Meanwhile, word spreads of a massive power black-out back home in New York city. Or so they hear anyway: with no internet, there’s no way of getting the news. Instead, their only information is a fuzzy, analogue-style message that repeat-broadcasts from the TV, warning of an unspecified “national emergency”.
As America’s internet superhighway veers off into a dead-end of error messages and egg-timer symbols, the real-world consequences become ever more terrifying. Airliners plunge from the sky. Self-driving Tesla cars run amok, creating giant pile-ups. Worse still, the Sandford’s teenage daughter, Rose, complains of feeling “incredible anxiety” about not being able to watch Friends, that cool 1990s show she’s been streaming. It is a nod to a safer, pre-digital time – and a sign, too, of just how web-addicted many Generation Zers are.
Director Sam Esmail’s film is already topping the Netflix global chart, and has been likened to a cyber-version of Threads, the harrowing 1983 BBC drama about a nuclear strike on Britain. It also features a range of other apocalyptic scenarios, such as a microwave weapon that makes victims’ teeth fall out, and the disruption of animal migration patterns, with geese flying in the wrong direction, deer behaving strangely and flamingos landing in the pool. But how realistic is it? Are such horrors safely confined to the realms of Hollywood? Or could they actually happen?
The answer – with a few worrying qualifiers – is broadly “No”, according to Jake Moore, a former police cybersecurity expert who works for ESET, a major European cybersecurity firm. He’d still be more than happy, though, if Mr Dowden made it compulsory viewing for Downing Street’s COBRA crisis-response meetings.
“It’s a fantastically-made film, and anything that makes people question their own cybersecurity is a huge plus, whether it’s in their personal use or in business. Is this kind of scenario possible? Theoretically, yes – but it would be nearly impossible to take down so many completely separate networks at once.”
This, arguably, is the film’s central premise – and, indeed, how most people would envisage a major cyberattack, with the entire internet wiped out completely. It does, however, rest on the somewhat analogue-era assumption that the web itself is like one single computer, with a “plug” that can be pulled out. In fact, it is made up of countless independent hubs serving different countries, governments, cities and businesses – all of which would have to be knocked out simultaneously.
“For example, Meta (Facebook) have their data on seven separate site locations, so if something affected one of them, it wouldn’t affect them all, and there you are talking about just one large private firm,” Moore says. “There would be more impact in targeting a firm with fingers in many pies, like Sky, which provides TV channels, news services, internet and a mobile phone network. But they will have their own internal firewalls between those services, and even if you took down Sky, you’d still have lots of other providers out there.”
The only known way to cripple a nation’s entire electrics network would be an electromagnetic pulse, or EMP, says Lisa Forte, co-founder of the firm Red Goat Cyber Security. During early nuclear bomb tests, scientists noticed that detonations at high-altitude could distort the earth’s magnetic field, creating voltage surges that knocked out streetlights and fuse boxes nearly 1,000 miles away.
According to US government assessments, one large nuclear bomb detonated 250 miles above Kansas could disable all of America’s electrics. But while many world powers are now secretly developing bespoke EMP weapons that do not require a nuke’s crude explosive power, none are so far thought capable of knocking out more than a few square miles of infrastructure.
Another unsettling scene in the film is when the Sandfords attempt to drive back to their home in New York, only to run into a miles-long pile-up of thousands of crashed Teslas. A hack on the Teslas’ satnavs has made them all drive to the same spot, while accelerating to top speed at the last minute (the Sandfords’ car is nearly hit by several new arrivals careering down the road).
This plays on long-running concerns about malfunctions in self-drive cars – although given how crucial safety is to the marketability of its product, Tesla is not complacent about the risks. Like many tech firms, it offers so-called “Bug Bounties” – prizes to any hacker who can expose weaknesses in the car’s cybersecurity.
“Techies generally love pointing out things that are wrong, and they’ll do this either for the reward or simply because it’s the right thing to do,” says Matthew Haynes, a former British military officer who runs cybersecurity firm Askari Blue. “Tesla also release a lot of their source code, so that people can identify any exploitable bugs in it.”
He points out that Tesla will also have their undisclosed safety features in their cars, all of which would have to be hacked separately. But among cybersafety professionals, the working operational rule is that there is “no such word as unhackable”.
One theoretical chink in self-drive cars, for example, is in “poisoning the dataset” that it uses to recognise and obey road signs. Typically, such cars use machine learning, whereby it will be fed, say, one million different real-life images of a 40mph speed limit sign – shot from every conceivable angle, and in different weather and visibility conditions.
“If a hacker then added in a photo of that same 40mph sign with, say, a green square sticker on it, with instructions for the car to treat it as 100mph, then they could then plaster those stickers on various random signs and cause havoc,” Haynes says. “But it would require a sophisticated hack, and physical legwork too.”
Mercifully, some of the film’s other plot lines appear to belong firmly in the realm of science fiction. There is no known way of reversing the direction of the earth’s magnetic field, which migratory birds are thought to use as a compass. And while sonic weapons already exist for dispersing crowds, none have the capacity to deafen an area the size of Long Island, as happens in the movie.
Nor is any such weapon known to be able to make people’s teeth fall out – the grisly fate of the Sandford’s teenage son, Archie. In the movie, this episode is blamed on “Havana Syndrome” – a reference to the mysterious headaches and sickness suffered by American diplomats at their embassy in Cuba in 2016.
US investigators at first thought the diplomats might have been targeted by a long-distance microwave weapon, creating small, concentrated areas of pressure in brain tissue. But the credibility of Havana Syndrome has since been questioned, and earlier this year, a US intelligence assessment concluded that there was “no credible evidence” that a hostile actor was involved.
Still, Forte fears that developed nations like Britain continue to have weaknesses in their national infrastructure, and that “we are probably surviving off luck so far in the sense that it just hasn’t happened”.
Particularly vulnerable, she says, is stuff built in the 1990s, which uses e-technology from a more innocent period, when nobody envisaged organised cyberattacks by nation states. “Things like modern train signals and certain systems in hospitals, which could cause a lot of problems if hacked, often use these 1990s-era industrial control systems that are intrinsically insecure,” she says.
A wake-up call came in 2017, when 60 NHS trusts were hit by the worldwide “WannaCry” ransomware attack, thought to have been carried out by North Korean hackers. It prevented hospitals accessing patient records and forced some to divert ambulances to other facilities, although no patients were hurt.
Investigators later blamed NHS managers for failing to do basic software security updates. But it remains to be seen if lessons have been really learned. Parliament’s national security strategy committee recently warned the UK was still at “high risk” of a catastrophic ransomware attack on government services, which could “bring the country to a standstill.”
Yet as Moore points out, a cyberhack wouldn’t have to disable the entire digital infrastructure to make civilisation wobble. Instead, it can simply target pinchpoints in the system, such contactless payment, which could spark huge queues at ATMs and supermarkets. The Covid lockdown, which saw fights breaking out among panic-buyers, was a glimpse of the chaos that can ensue. As one of Britain’s past M15 chiefs is said to have remarked, “We are only four meals away from anarchy”.
Indeed, in the wake of the WannaCry attack, when Moore was still working with Dorset Police, he sat on a steering committee advising the county on how to cope with a serious cyberattack.
“A lot of it was about protecting things like the grocery supplies and the water supply, which are things that can quickly cause civil unrest if they’re not available,” he said. “You even have to think about things like toilet roll.”
True, a film about a global shortage of loo paper might not make for such dramatic plotlines as those in Leave the World Behind. But it shows how even the most mundane, everyday aspects of life can be exploited by well-targeted cyberhacks.
So as well as that FM radio, think also about a few spare rolls of Andrex for the Doomsday emergency cupboard. Plus a big stock of old-school DVDs – including, perhaps, a box set of Friends. Then, hopefully, you’ll survive The One Where Everyone Gets Hit by Cybergeddon.