Two security experts famed for hacking a Jeep say the auto industry is finally getting serious about cyber security.
Dr Charlie Miller and Chris Valasek who both now work for Cruise, General Motors’ self-driving car unit, said car makers are now learning the same security lessons software companies started learning two decades ago.
Back in 2015, the pair were able to attack a Jeep Cherokee over the internet by exploiting a vulnerability in the connected car’s code. Miller and Valaseck were able to remotely take control of the vehicle’s radio, air conditioning, brakes, steering and transmission.
“If we look at the demo that we did with the Jeep, I think that opened a lot of eyes that this is a problem that companies need to face. Everyone I’ve talked to in the industry sees it as a serious problem that they’re trying to address to the best of their abilities,” Miller said, speaking to Which-50 between sessions at the AISA conference in Sydney last week.
Miller argued car companies already have a long history of taking safety very seriously and now cyber security is a safety consideration like seat belts or airbags.
“I think that’s a great position to make changes because they already have this culture of safety and no one is going to buy an unsafe car. It affects their bottom line and they realise that, so they’re doing their best to make their cars safe, whether that means physical or cyber,” Miller said.
Valasek agreed, arguing cyber security is now thought of along the same lines as corporate and IT security, with car makers putting the money and talent in place to ensure security is built into design and manufacturing processes.
“20, 25 years ago people didn’t think of web browsers as needing security,” Valasek said. “But now we know that a huge piece of end-user security is how secure the web browser is. This is where we are going with automobiles.”
“Just like we saw with Microsoft and other software companies it’s an iterative process and it will get better over time. At one point Microsoft was the insecure operating system. Now they’re doing a really good job of it. So it just takes time.”
Securing Autonomous Vehicles
The pair argues hijacking cars via the internet is today largely a theoretical exercise — only two other groups of researchers have remotely compromised a vehicle for control.
“It’s not something you can do on a weekend. It’s not something you have to worry about a bored teenager doing. It’s really difficult to do and it’s only ever been done for research purposes,” Miller said.
The pair acknowledge fully autonomous vehicles, which don’t require manual controls like a steering wheel or brake pedals, are raising the security stakes. But they’re confident the driverless cars hitting the roads in the future will be secure.
“You have to remember that in the car industry it takes a long time to make changes, so the cars designed today won’t see the road for three or four years. And so it will take a while. But I think we are going to get there,” Miller said.
“Toasters will probably never be secure but hopefully, important things like pacemakers and cars will be,” Miller said.