Charlie Miller, whose hacking exploits on a Jeep Cherokee sparked a recall of 1.4 million Fiat Chrysler vehicles, will explain how he did it and why society needs to be aware of vehicle vulnerabilities at the upcoming ARM TechCon 2016 in Santa Clara, CA.
“Cars are a lot different than personal computers,” Miller, who now serves as a security engineer for Uber Technologies, Inc., told Design News. “If someone hacks into your computer, they can steal your photos and maybe even get your credit card numbers, so you have a bad day. But if they can hack into your car and crash it while you’re driving with your family, that’s another matter.”
The chilling story behind Miller’s Jeep hack is proof that the potential dangers are real. With a writer from Wired at the wheel in 2015, Miller and fellow hacker Chris Valasek remotely operated the vehicle’s radio, climate system, and windshield wipers. Then, with the writer rolling down I-64 in Missouri, they disabled the accelerator. The hackers accomplished those feats from a laptop computer located 10 miles away.
”We were sending messages to these computer systems, pretending to be other computers on the vehicle network,” Miller explained. “We would tell them to do things, like disabling the brakes. From end to end, we could remotely attack the car and control physical systems, and that’s really scary.”
Within days of Miller’s widely-reported hack, Fiat Chrysler Automobiles recalled a host of its vehicles, including various modes of the Jeep Grand Cherokee, Dodge Viper, Dodge Durango, Chrysler 200, Chrysler 300, Dodge Challenger, and Ram.
Miller, who holds a Ph.D. in mathematics from the University of Notre Dame, isn’t formally trained in automotive engineering. He’s a cyber security expert who spent five years at the National Security Agency and later became notable for compromising a variety of consumer products. In 2008, he won a $10,000 cash prize at a hacker conference in Vancouver, Canada, for being the first to find a bug in the MacBook Air. In 2009, he won $5,000 for cracking a Safari web browser. In 2011, he found a security hole in Apple’s iPhone and iPad products that would let malicious hackers install unauthorized apps to steal consumers’ data.
Miller’s work on the Jeep has been his most notable to date, however. He told Design News that he and Valasek did it by accessing the Jeep’s Uconnect service, going through its radio-navigation computer in the head unit, and then linking to its CAN bus. “We were trying to find the shortest path from the computers that talked to the outside world to the computers that affected physical safety,” he said. The key was the Jeep’s park assist and lanekeeping systems, both of which were accessible, he added.
Although Chrysler has since fixed the bugs, Miller believes hackers will conjure up new ways to remotely access vehicles. “We have these features that make our lives easy and protect us,” he said. “But those same features are also a way for a hacker to take advantage and gain control of our cars.”