It seems that all of Silicon Valley is designing artificial intelligence for driverless cars. But before we hand over our driving to computers, Charlie Miller, a well-known computer security researcher, would like car companies to pay attention to security.
Miller, who is a security engineer at Uber’s advanced technology center, spent a few years looking into the security of automobiles. And what he found didn’t impress him. He and his friend Chris Valasek hacked a Jeep remotely in 2014, and, after a series of denials from the car company, Chrysler had to announce a recall of 1.4 million vehicles. Miller gave a scary and hilarious talk at the recent ARM TechCon event in Santa Clara, Calif.
“Hopefully, things are going to get better, but we are not in such great shape now,” said Miller. “I want [car makers] to be working on security, and I would love greater transparency. I would love to see white papers written by car makers on exactly how their systems are designed for security. Then I could spend a weekend reading their white paper rather than two years tearing apart their cars.”
Miller got started on car hacking after he read a 2010 paper by a team at the University of California at San Diego and the University of Washington. They were able to hack into a car’s main electronics system and control the brakes and windshield wipers. The paper didn’t stir up much concern, so the team hacked into a car remotely a year later, demonstrating that the security vulnerability was a more serious problem than first thought. But the researchers didn’t publish the details of their research, fearing that it would become a tool for nefarious hackers.
“I read these papers and I was blown away,” Miller said in his talk. “It was something I had wanted to do. The problem was they had done everything, but they didn’t release any details. That was too dangerous, they said. You couldn’t reproduce their work. We wanted to know. Was it just that one car (a Chevy Malibu)? Or all cars?”
But Miller and Valasek took a more open approach, as they were concerned that the car companies weren’t going to do anything. The Defense Advanced Research Projects Agency (DARPA) gave Valasek and Miller — a former National Security Agency security consultant who built a reputation hacking Apple’s iPhone and MacBook products — a small grant to look into car security. In 2013, the pair showed they could hack a Toyota Prius and a Ford Escape, taking control of the steering.
In July 2015, they hacked a 2014 model Jeep Cherokee, paralyzing it on a highway. They were able to get into the car via the wireless connection for the OnStar car security system, which used a vulnerable Sprint network data connection. They found that the Sprint device would talk to another Sprint device, so they used a Sprint smartphone to compromise the network. Miller discovered that they were able to find vulnerable cars on an online map, and could have taken control of them. Sprint eventually blocked that exploit.
“I saw a Dodge Viper, and I was tempted,” Miller said. “But I’m a good guy.”
They released their findings and their tools. They gave Chrysler nine months notice before a story came out in Wired. Then Chrysler issued a fix within a week.
“We released everything,” Miller said. “Car research doesn’t scale if we rely on Chris and Charlie to do everything.”
Chrysler had to dish out a lot of money for the recalls.
“You could have hired a security consultant for a lot less than the billions,” Miller said. “I would have worked for a tenth of that.”
In 2016, Miller and Valasek remotely compromised a moving car. Miller said that the failure to think about security goes a long way back.
“We build systems and don’t think about security because we don’t need to,” Miller said. “That’s what happened with cars. They took you places. Then we added more features. As you add more features, you get wires all over the car. In the 1970s, they created the CAN (controller area network) bus, designed to let small computers known as microcontrollers talk to each other within a car. Everything connected to the CAN bus over time.”
“In the end, that’s kind of a security nightmare,” Miller said. “The system was originally designed for internal communications only, and so all inputs in the system were inherently trusted.”
The main dashboard computer for the Jeep car was made by Harman Kardon, not Chrysler. Miller poked around for three weeks before he found the first vulnerability. The Harman Kardon computer used an ARM chip with a couple of layers of software. Miller and Valasek showed they could take over the radio in the car and make it play any music they wanted. They were able to disable the brakes of the car, but only when it was going below five miles per hour.
Miller isn’t sure how many cars are vulnerable, but he and Valasek found multiple car models across multiple years that had problems. Now that cars are being connected to the internet, and self-driving cars are in the wings, Miller is worried.
But he hopes that the work he and Valasek are doing will help draw attention to the problems and lead to greater vigilance.
“There was good that came out of this,” Miller said.