Just three years ago, Chris Valasek and his colleague Charlie Miller left Wired writer Andy Greenberg trapped on the Interstate 64 on-ramp.
Using a combination of laptops, Sprint cellphones, and network-security expertise, the duo managed to hack a Jeep Cherokee while Greenberg sat helplessly in the drivers’ seat.
Along with cutting the vehicle’s transmission, Miller and Valasek were able to control a variety of functions, including dashboard commands, steering, brakes, and the radio – even the central display showed a picture of the hackers in matching track suits.
Today’s cars are more connected than ever. Basic vehicle operations like braking run through a central computer. Even your “low tire pressure” light comes from a radio sensor in the vehicle’s wheel. The Jeep Cherokee, in fact, had an Internet-connected computer in the dashboard called Uconnect – which became the point of entry for the hackers.
The car’s internal communication systems, known as the Controller Area Network (CAN), carries information to various electronic control units (ECUs) that handle functions like braking and steering.
By “breaking into” the car over the cellular network, the two-man team could then send fake messages to the CAN bus. Valasek and Miller were able to remotely command Greenberg’s car to blast music, honk the horn, or even cut the brakes – a somewhat startling demonstration that you can watch for yourself below.
To patch the demonstrated vehicle vulnerabilities, automaker Chrysler Fiat later recalled 1.4 million of its vehicles.
Now at Cruise, GM’s self-driving-car startup, Valasek still works on securing today’s increasingly sophisticated cars by exposing their vulnerabilities. The cybersecurity expert recently spoke with Tech Briefs about how automotive security threats have changed since he sent Andy Greenberg into a ditch.
Tech Briefs: What made you decide to demonstrate the Jeep Cherokee hack in 2015?
Chris Valasek: It was actually the build-up of the years of research. We were poking at cars when we were kind of connected to them physically for a couple years prior, then decided it was time to step up our game and show something like this could happen over the cellular network.
Tech Briefs: Were you more of a “computer science guy,” or were you always kind of fascinated by cars?
Valasek: I'm 36 years old, so I think everyone my age probably has a Lamborghini poster or two on their walls, right? I was doing computer hacker stuff for so long, and then wanted to do something different. Cars seemed really interesting, and they were becoming more computerized as time went on. It was a good logical step. I wasn't a gear head by any means, but I was the type of guy that definitely watched my share of Top Gear.
Tech Briefs: What kinds of action could you enable remotely?
Valasek: We could do everything from the kind of funny and benign — changing the splash screen to the radio to a picture of Charlie and I in track suits, turning on the windshield wipers, spraying the windshield washer fluid all the way — to disabling the ability to use the brakes, turning the steering wheel, or even disabling the transmission. We were able to basically do everything the car could do with computers.
Tech Briefs: What were the biggest security vulnerabilities that enabled this hack?
Valasek: It’s kind of a few different pieces. First, you could talk to this car by using a cell phone just because we were on the same network. So, the network that the car used was Sprint, and we had a burner phone that we bought from Walmart and were able to talk to cars. That shouldn't happen, right? Lo and behold, they picked that.
Additionally, there was code on the head unit on the radio in the car that permitted us to remotely gain access. From there, even internally, we were able to reprogram portions of other computers on the car that touched the network that could talk to things like Siri and braking.
You have this radio in your car, and to most people, it just shows you your maps or your radio stations or what's playing on the CD player, but a lot of these things have some level of connectivity and that means they have a cellular modem in it that communicates to the outside world. So, we figured out, “Hey, we're able to connect to this thing and find different ways around the vehicle,” which was challenging to say the least.
We spent months and months and months trying to figure out how we go from this radio to sending the type of messages that we knew from previous research can control physical things.
Tech Briefs: Has this kind of hack changed the way cars are being made?
Valasek: Well, I only know about the cars that we looked at. I'd like to think, after we debuted this, that companies are taking automotive security more seriously, and I know for a fact some are. But yeah, I think the industry has realized that they're also software companies now too and not just mechanical engineering power houses.
Tech Briefs: Can you summarize for me the kind of “baseline” security measures now required to protect against any of the vulnerabilities related to a vehicle’s computer network?
Valasek: There are 3 key points:
1) Having a cell phone on a network being able to talk to a vehicle is generally a bad idea. There should be no reason that a random phone should talk to a vehicle. Sprint actually shut down the port that we were using to talk to our car (port 6667), which was probably the best mitigation.
2) Knowing what all the code does on a system that talks to an outside world. We exploited a service that permitted us to execute commands on the head unit without any authentication. Not only was the service unneeded, but it doesn't require anything like a username or password to run commands. This service should have been turned off prior to shipping the vehicles into production.
3) Lastly, we could alter the binary code that was run on the piece of the car that could talk to critical pieces of the automobile, like braking, steering, and acceleration. There is a technique called “code signing” which cryptographically ensures that code is coming from a known entity (in this case Jeep) and that it is unaltered (even changing a single bit would trigger an error).
Tech Briefs: What vehicle features concern you the most from a security perspective now?
Valasek: When I secure cars now, the first thing I look at is things that communicate with the outside world, because that's essentially the most concerning problem. The thing that we did with the Jeep was a big deal, not only because it could control something like steering, but we could do it remotely anywhere in the country. So, things that communicate over cellular interfaces are concerning and you look at them. The good news is we're pretty good at knowing how we have to secure these things and how they interact with cars now.
Tech Briefs: What in the outside world is the car communicating with?
Valasek: It could really be anything. I think most people understand cellular technology, because we all have cell phones. It's the same concept with a car. At the same time, there's even little radios in your wheels. If you've ever seen the light come on that says you have low tire pressure, that's actually a radio sensor in the wheel communicating with some computer in the car. So even something as minute as that, could be a potential attack factor. Again, things that interact with the outside world to me, usually end up being some kind of wireless communication, or Wi-Fi or some other proprietary radio technology.
Tech Briefs: What a typical day is for you?
Valasek: I'm the team lead of the autonomous vehicle security team at Cruise Automation. Cruise Automation is a company based out of San Francisco, but really kind of has a parent company of General Motor and they are working on self-driving cars.
My day is really looking at everything from a system level: How does this car communicate to the outside world? How could I secure it? Then we get down to the nitty gritty details about, "Hey, this piece of hardware needs to have these physical security features on it, or these types of chips that we know do secure operations."
So basically, everything under the sun. My team — and Charlie works there too — focuses on securing our driverless future.
Tech Briefs: How did your career path change after the 2015 demonstration?
Valasek: When we were doing that research, I worked at a consultancy called IOActive. They were the ones that were nice enough to actually buy us the Jeep. After we did the research, both Charlie and I were approached by Uber to secure their driverless car efforts. We spent two years doing that and then moved to Cruise. It's a cool position to be in because not only have we hacked cars, we're now securing driverless cars. You acquire a unique skillset from doing that type of work over the course of a couple years.
Tech Briefs: What are some examples of why someone would want to hack a car and take control of it?
Valasek: I think motive, just like anything else is dependent on the person. We wanted to show that it could be done so things could change, so we would have more security in cars. But you could imagine, I don't know, a country or an organized crime group wanting to do stuff like this to try to assassinate someone or listen in what they were doing, or so on. I'm not really sure why people would do it; we just want to make sure that it's really, really hard to do.
Tech Briefs: What are the biggest cyber security concerns for “Level 4” or highly automated, cars?
Valasek: They have the same concerns as your passenger vehicle, because at the end of the day, it's doing the same thing. It's driving. It just so happens that a human's not going to control the steering or braking, but a computer is going to make the decision to do that. If you think about it, that's the way it works anyway right now, right? When you press the brake pedal, it doesn't pull a break line and wire anymore. It sends a signal to some computer and that computer breaks the car.
The same thing happens in driverless cars; it just so happens the human's not there anymore. So, we really have the exact same concerns as we do with passenger vehicles, except there's no longer going to be someday a steering wheel and pedals in the car.
Tech Briefs: What is it like working in competitive environments at companies like Uber and now at GM?
Valasek: When you really like what you're doing and you're working with a good team of people to do it, the competitive nature I think is good because you want to be a high performer and you want to produce results. Initially, with security, especially when it comes to automobiles, you know what you're doing is going to make people safer. It's easy to be dedicated to your work and push yourself hard because you know that you're making people safe.
What do you think? Share your comments and questions below.