Podcast: Interview with Car Hacker Chris Valasek of IOActive

Valasek (pictured) and Miller developed a method to use a wireless attack on the car’s entertainment system to affect critical vehicle functions. (Image courtesy of Chris Valasek.)

In-brief: Security Ledger Editor in Chief Paul Roberts speaks with Chris Valasek, the Director of Vehicle Research at IOActive, about the work he and Charlie Miller did to develop wireless-based attacks that control the braking, steering and acceleration of late-model Chrysler vehicles.

As you’ve probably heard, Fiat Chrysler yesterday announced that it was recalling 1.4 million vehicles following a demonstration by researchers Chris Valasek and Charlie Miller of a method for doing remote, wireless and software-based attacks on critical features of Chrysler vehicles: controlling acceleration, braking and even the windshield wipers.

Security Ledger had the opportunity to speak with Chris earlier this week about his research on the Chrysler Jeep that was the subject of his demonstration. Chris talked with me at length about the work he and Charlie did to reverse engineer both the wireless UConnect technology that is used to connect Chrysler vehicles to the Internet, and then jump from UConnect to the internal CAN bus that is used to control the critical functions of the vehicles.*

Valasek said that the hacks he and Miller demonstrated took months to develop. But he also noted that the barrier to such hacks is low in many late-model connected vehicles. The biggest obstacle to hacking a vehicle, Valasek argued, may be the cost of the vehicle itself, rather than any technical impediment in the hardware or software that runs the car.

“This is like hacking web browsers 10 years ago where people are just learning about how they work and what you can do with them,” Valasek said.

But car companies should prepare for more hacks of this type, Valasek argues.

“One of our key points with this…is (that) while the manufacturer might have understood that this could happen remotely and you could control the radio, they probably didn’t understand that with a bunch of work you could use what’s in the head unit to gain access to physical control systems.”

Check out my conversation with Chris below:

Soundcloud: https://api.soundcloud.com/tracks/216322790
MP3 from Security Ledger

(*) Excuse the spotty sound quality in parts of this recording!


5 Comments

  1. Defense/Whitehat, 2015 IOActive Non-Dan-Kam Edition: Attack the hell out of shit and let the world know. When asked for quote say ‘the world needs to be prepared for more of these sorts of hacks’.
    Defense/Whitehat, 2015 Desautels Edition: “Our slogan is the literal definition of extortion, dontcha know”. Psst, wanna buy some 0day?

    I love my industry. I miss when defense actually meant coming up with solutions, not creating the problems, inserting backdoors, and inciting mass panic. And to think, I thought that was a blackhat’s job.

  2. Pingback: Plug and Pray? Virta Labs Using Power Analysis to Spot IoT Compromises | The Security Ledger

  3. Pingback: Report: Era of Automobile Hacking has just begun | The Security Ledger

  4. Pingback: What will it take to secure the Internet of Things? | The Security Ledger

  5. Pingback: CAN bus attacks | SecureMachinery.com