Dark Reading is part of the Informa Tech Division of Informa PLC


8/28/2015
10:45 AM

Valasek Not Done With Car Hacking Just Yet

Security Pro File: Chris Valasek chats up the daunting challenge of topping the Jeep Cherokee hack, '80s Adidas tracksuits, his loathing of coding, and his love for Windows -- and Hall & Oates.

Renowned car hacker Chris Valasek grew up in -- wait for it -- Ford City. 

The security researcher best known for his groundbreaking car-hacking research with fellow white hat Charlie Miller graduated high school in a class of 83 students in that tiny town 45 miles north of Pittsburgh, Pa. His family didn't have a computer until his junior year, and it was Jon Larimer -- now a Google security engineer for Android -- who first introduced him to computing and later, security. Larimer attended the same high school in Ford City and was the kid with all of the slick new technology at his house:  "He was the guy who would have all these computers in his room," Valasek says.

Valasek was hooked and decided to study computer science in college at the University of Pittsburgh. "It's funny because for what I do, I don't use a computer science degree for reverse-engineering and hacking. I went there because I wanted to do computer stuff, but I had to know all this other stuff. I was a really terrible computer science student," he says.

As an undergraduate at Pitt, Valasek preferred writing his own software applications in C and exploring computer networks over his comp sci curriculum. "I had more fun playing around with the networking stuff and writing my own apps to do weird things [such as] awful IRC clients and chat clients, servers," says Valasek, who is director of vehicle security research at IOActive, where he heads up car security research and testing methods. "I probably should have taken it more seriously."

His first job out of college in 2005 was a programming gig with Cambia, now part of Tripwire, and a year later he joined Internet Security Systems (ISS), now part of IBM, where he wrote software for ISS's intrusion prevention and detection products. All the while, Valasek kept breaking and reverse-engineering things after-hours.

Valasek realized he really didn't like coding after all. "But I [did] like this research part where you can figure out how these attacks work and you can write these signatures for them," he recalls. "I liked writing the attacks more than the code … I spent 40 hours a week writing signatures for IDS/IPS and the rest of the [time] teaching myself how to reverse-engineer Windows applications," he says.

The ISS research team would reverse-engineer a threat so Valasek and other members of the development team could then write the signature to detect and block it. But Valasek wanted to reverse-engineer the vulnerabilities himself: "I would get the research team to tell me how" to reverse-engineer it, he says. "The research part was way more intriguing to me. I knew I wasn't good at the programming part. So I kept doing these reverse-engineering projects and was begging the research team" to hire me, he says.

He finally secured a research position on the ISS X-Force Team in 2008. Later that year, Valasek discovered multiple heap overflow vulnerabilities in Trend Micro's ServerProtect antivirus server -- one of the hacks Valasek says he is most proud of. "It was supposed to keep you more protected, but it exposed you to more" threats, he says of the then-vulnerable AV server. But that was just one in a series of heap overflow finds Valasek scored over the years.

He met Miller in 2011 when the two worked at consulting and penetration testing firm Accuvant. Cars didn't hit their radar screen until they read the pioneering academic paper on remote car-hacking that year by researchers at the University of Washington and the University of California-San Diego. The academics found ways to hack car features via Bluetooth and rogue CDs, for instance, but kept private some details of their research including the type of cars they hacked.

"It was so cool that those guys kicked so much ass," Valasek says of the original car hacking research. "But [I thought] wouldn't it be cool if we had some of their data points? There really was no information" on that, he says. That was when he and Miller hatched a plan to use the DARPA Fast Track R&D funding Miller had been awarded to do some car hacking of their own. Neither knew a thing about the inner workings of cars, nor were they hardware hackers, so they began by ripping the dashboards out of the vehicles and studying the networking and automation features.

Valasek and Miller's first car-hacking research in 2012 -- where they were able to wrest control of automated features in a 2010 Toyota Prius and the 2010 Ford Escape to force the vehicles to steer wildly, brake, and accelerate -- made the "Today" show. But they got little attention from the carmakers themselves; Ford dismissed the hacks as low-risk physical manipulations of the vehicle.

They wanted to take their hack to the next level, remotely controlling a car without having to physically get inside the vehicle. So they did some heavy-lifting homework, studying the networked automation features in late-model vehicles, and in 2013 released their findings on the world's most hackable cars -- remotely hackable, that is. The 2014 Jeep Cherokee was at the top of the list.

That project, of course, culminated in their recent demo of how they were able to wrest control of the Jeep from their laptops 10 miles away while the driver in the test was traveling at 70mph on a St. Louis highway.

Valasek and Miller caught some flak -- mainly from members of the security community -- for their in-your-face live demonstration that featured Wired reporter Andy Greenberg behind the wheel. The critics felt they took it too far, potentially endangering Greenberg and other drivers on the road in their live road test and then backfiring on security research. But Valasek says he has "zero" regrets.

"It's taking your foot off the gas pedal. Cars break down all the time" on the road, he says.

Interestingly, a "60 Minutes" segment that aired prior to Valasek and Miller's viral video and research, showing University of Washington researchers remotely hacking a car in a parking lot, didn't get the attention Valasek and Miller's findings did. "Most people don't remember it [the 60 Minutes segment]," he says. "One of the things … is it needed the pizazz we could bring to the subject matter" to get the attention of the public and carmakers, he says. Their research indeed grabbed the attention of most major cable television outlets, and was one of the premier talks at Black Hat USA earlier this month, where they revealed the actual bug they exploited in their hack.

But perhaps the biggest impact was Fiat Chrysler's ultimate recall of 1.4 million of its vehicles that harbored the security vulnerability, an unnecessarily open communications port in the infotainment system. Valasek says he hopes automakers will provide over-the-air updates in the future so that recalls won't be necessary for fixing security bugs. He's not worried about his car or any car getting hacked anytime soon, though: "Only a handful of people really have the baseline experience to do this type of stuff. I'm not too worried about it," he says.

After the Jeep hack demo, Valasek told Dark Reading he was "done" with car hacking. But now, about a month and a kayak/bike trip later, he says he's getting the itch once again. "Charlie and I have been talking about some stuff," he says. There are plenty of unsolved issues in cars beyond the fix in the Jeep: "There are still the systemic problems that exist when you're not cryptographically signing code, and you can reprogram a chip with a car in motion," he says.

But how do you top the Jeep hack? "Our idea is to go back to square one when we didn't know anything and think about the problems we'd wished we had solved but didn't," he says. "I'm sure we'll do something."

It probably won't be in the "grand" style that they commandeered the Jeep Cherokee, he says. "I wouldn't see anything monumental. Let the young kids have [at] it," the 33-year-old researcher says.

[UPDATE: Reuters reported late today that an unnamed source said Valasek and Miller have been hired by Uber Technologies Inc. Prior to that, neither researcher would comment on their next jobs, although Valasek announced late today that his last day at IOActive will be Monday, August 31. Uber is working on self-driving vehicles. Miller tweeted a confirmation about his new job at Uber after the Reuters story broke.]

Chris Valasek, IOActive
Photo: Stephen A. Ridley

PERSONALITY BYTES

What Valasek's co-workers don't know about him: I wanted to be a chef long before I wanted to work with computers. I hate computers. All kinds.

Something no one knows about fellow car hacker Charlie Miller:  Charlie was Missouri State Cycling Champion, 1998.

Why the circa-1980s tracksuits as Valasek and Miller's style statement: We figured it would all be very professional people in suits. We wanted to separate ourselves from the pack and listened to a lot of old school hip-hop while car hacking. We were trying for this.

Ride: Porsche 911 C2S (997). I love Porsches and always had 911 models as a kid. So I finally bought one.

Car 101:  I know so much about mechanics' tools for cars now. It's outrageous. I'm convinced you can put me in a Toyota dealership right now and I could diagnose Priuses. I couldn't fix the car, but I could tell you what's wrong.

Security must-haves: A computer, preferably running Windows 8. IDA Pro. VMWare, WinDBG. The rest is just for show.

iPod music mix right now: The Very Best of Daryl Hall & John Oates.

Hangout: Shady Grove, Shadyside, Pittsburgh, PA.

Comfort food: Anything Thai.

For fun: Boxing, yoga, running, lifting, biking, watching sports, wake surfing, going out drinking.

Favorite team: Any University of Pittsburgh athletics.

Actor who would play Valasek in a film: Trick question:  I should have been chosen over Chris Hemsworth for the lead role in "Blackhat."

Next career: Owning a bar.

Why @nudehaberdasher: It's a slight on a friend of mine. An inside joke.

Valasek is an avid wake-surfer.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Joe Stanganelli,
User Rank: Ninja
8/31/2015 | 11:22:46 PM
Re: "terrible...student"
And, more to the point, grades are also less than reliable predictors of employment/employability.
Joe Stanganelli,
User Rank: Ninja
8/31/2015 | 11:21:48 PM
Re: Autonomous cars?
It's important to remember that even our present, newer cars that are not autonomous are still just as hackable/insecure.  It's an issue we're dealing with now, and manufacturers have been not as responsive as security researchers might like.
Dr.T,
User Rank: Ninja
8/31/2015 | 8:23:31 AM
Interesting background
I like his answers to personality bytes. Hating computers is normal, what's up with the bar? :--))
Dr.T,
User Rank: Ninja
8/31/2015 | 8:19:36 AM
Re: "terrible...student"
Good point. Grades are almost like irrelevant in today's world. What we experience is that some students get the highest grades and they are not the highest performers in their professions.
Dr.T,
User Rank: Ninja
8/31/2015 | 8:16:46 AM
Re: "terrible...student"
Agree. Most successful people are the ones who did not give up following their passions. And being dedicated to what they are doing.
Dr.T,
User Rank: Ninja
8/31/2015 | 8:14:40 AM
Re: "terrible...student"
I agree, studies give some foundation but people define their own destiny.
Dr.T,
User Rank: Ninja
8/31/2015 | 8:13:27 AM
Autonomous cars?
I wonder what will happen when we reach the era of autonomous cars. With the level of security hacks we are facing today in the digital world, even 1% of that will be very problematic since it may result in injuries or death. We have to come up with better prevention techniques before that.
Joe Stanganelli,
User Rank: Ninja
8/30/2015 | 11:31:30 PM
Re: "terrible...student"
...and, more to the point, that if you're passionate enough about a subject, you can find the solution and become skilled at it regardless of grades or pedigree.
Kelly Jackson Higgins,
User Rank: Strategist
8/30/2015 | 2:52:43 PM
Re: "terrible...student"
I think Chris's story is a testament to how important it is to find and follow your passion. He figured out early on that reverse-engineering and research was his real love and he went after it--after-hours and then ultimately, as a living. Pretty cool.
Joe Stanganelli,
User Rank: Ninja
8/28/2015 | 11:10:19 PM
"terrible...student"
I think young people should pay heed to Valasek's words about him being a "terrible" student.  So often "good" students wind up not doing so well in the real world, and "bad" and mediocre students excel.

As explained to me once: "The B's work for the C's, and the A's teach."