Valasek Not Done With Car Hacking Just Yet

Security Pro File: Chris Valasek chats up the daunting challenge of topping the Jeep Cherokee hack, '80s Adidas tracksuits, his loathing of coding, and his love for Windows -- and Hall & Oates.

Chris Valasek, IOActive Photo: Stephen A. Ridley

Renowned car hacker Chris Valasek grew up in -- wait for it -- Ford City. 

The security researcher best known for his groundbreaking car-hacking research with fellow white hat Charlie Miller graduated high school in a class of 83 students in that tiny town 45 miles north of Pittsburgh, Pa. His family didn't have a computer until his junior year, and it was Jon Larimer -- now a Google security engineer for Android -- who first introduced him to computing and later, security. Larimer attended the same high school in Ford City and was the kid with all of the slick new technology at his house:  "He was the guy who would have all these computers in his room," Valasek says.

Valasek was hooked and decided to study computer science in college at the University of Pittsburgh. "It's funny because for what I do, I don't use a computer science degree for reverse-engineering and hacking. I went there because I wanted to do computer stuff, but I had to know all this other stuff. I was a really terrible computer science student," he says.

As an undergraduate at Pitt, Valasek preferred writing his own software applications in C and exploring computer networks over his comp sci curriculum. "I had more fun playing around with the networking stuff and writing my own apps to do weird things [such as] awful IRC clients and chat clients, servers," says Valasek, who is director of vehicle security research at IOActive, where he heads up car security research and testing methods. "I probably should have taken it more seriously."

His first job out of college in 2005 was a programming gig with Cambia, now part of Tripwire, and a year later he joined Internet Security Systems (ISS), now part of IBM, where he wrote software for ISS's intrusion prevention and detection products. All the while, Valasek kept breaking and reverse-engineering things after-hours.

Valasek realized he really didn't like coding after all. "But I [did] like this research part where you can figure out how these attacks work and you can write these signatures for them," he recalls. "I liked writing the attacks more than the code … I spent 40 hours a week writing signatures for IDS/IPS and the rest of the [time] teaching myself how to "reverse-engineer Windows applications," he says.

The ISS research team would reverse-engineer a threat so Valasek and other members of the development team could then write the signature to detect and block it. But Valasek wanted to reverse-engineer the vulnerabilities himself: "I would get the research team to tell me how" to reverse-engineer it, he says. "The research part was way more intriguing to me. I knew I wasn't good at the programming part. So I kept doing these reverse-engineering projects and was begging the research team" to hire me, he says.

He finally secured a research position on the ISS X-Force Team in 2008. Later that year, Valasek discovered multiple HEAP overflow vulnerabilities in Trend Micro's ServerProtect antivirus server -- one of the hacks Valasek says he is most proud of. "It was supposed to keep you more protected, but it exposed you to more" threats, he says of the then-vulnerable AV server. But that was just one in a series of HEAP overflow finds Valasek scored over the years.

He met Miller in 2011 when the two worked at consulting and penetration testing firm Accuvant. Cars didn't hit their radar screen until they read the pioneering academic paper on remote car-hacking that year by researchers at the University of Washington and the University of California-San Diego. The academics found ways to hack car features via Bluetooth and rogue CDs, for instance, but kept private some details of their research including the type of cars they hacked.

"It was so cool that those guys kicked so much ass," Valasek says of the original car hacking research. "But [I thought] wouldn't it be cool if we had some of their data points? There really was no information" on that, he says. That was when he and Miller hatched a plan to use the DARPA Fast Track R&D funding Miller had been awarded to do some car hacking of their own. Neither knew a thing about the inner workings of cars, nor were they hardware hackers, so they began by ripping the dashboards out of the vehicles and studying the networking and automation features.

Valasek and Miller's first car-hacking research in 2012 -- where they were able to wrest control of automated features in a 2010 Toyota Prius and the 2010 Ford Escape to force the vehicles to steer wildly, brake, and accelerate -- made the "Today" show. But they got little attention from the carmakers themselves; Ford dismissed the hacks as low-risk physical manipulations of the vehicle.

They wanted to take their hack to the next level, remotely controlling a car having to physically get inside the vehicle. So they did some heavy-lifting homework, studying the networked automation features in late-model vehicles, and in 2013 released their findings on the world's most hackable cars -- remotely hackable, that is. The 2014 Jeep Cherokee was at the top of the list.

That project, of course, culminated in their recent demo of how they were able to wrest control of the Jeep from their laptops 10 miles away while the driver in the test was traveling at 70mph on a St. Louis highway.

Valasek and Miller caught some flack -- mainly from members of the security community -- for their in-your-face live demonstration that featured Wired reporter Andy Greenberg behind the wheel. The critics felt they took it too far, potentially endangering Greenberg and other drivers on the road in their live road test and then backfiring on security research. But Valasek says he has "zero" regrets.

"It's taking your foot off the gas pedal. Cars break down all the time" on the road, he says.

Interestingly, a "60 Minutes" segment aired showing University of Washington researchers remotely hacking a car in a parking lot prior to Valasek and Miller's viral video and research didn't get the attention Valasek and Miller's findings did. "Most people don't remember it [the 60 Minutes segment]," he says. "One of the things … is it needed the pizazz we could bring to the subject matter" to get the attention of the public and carmakers, he says. Their research indeed grabbed the attention of most major cable television outlets, and was one of the premiere talks at Black Hat USA earlier this month, where they revealed the actual bug they exploited in their hack.

But perhaps the biggest impact was Fiat Chrysler's ultimate recall of 1.4 million of its vehicles that harbored the security vulnerability, an unnecessarily open communications port in the infotainment system. Valasek says he hopes automakers will provide over-the-air updates in the future so that recalls won't be necessary for fixing security bugs. He's not worried about his car or any car getting hacked anytime soon, though: "Only a handful of people really have the baseline experience to do this type of stuff. I'm not too worried about it," he says.

After the Jeep hack demo, Valasek told Dark Reading he was "done" with car hacking. But now, about a month and a kayak/bike trip later, he says he's getting the itch once again. "Charlie and I have been talking about some stuff," he says. There are plenty of unsolved issues in cars beyond the fix in the Jeep: "There are still the systemic problems that exist when you're not cryptographically signing code, and you can reprogram a chip with a car in motion," he says.

But how do you top the Jeep hack? "Our idea is to go back to square one when we didn't know anything and think about the problems we'd wished we had solved but didn't," he says. "I'm sure we'll do something."

It probably won't be in the "grand" style that they commandeered the Jeep Cherokee, he says. "I wouldn't see anything monumental. Let the young kids have [at] it," the 33-year-old researcher says.

[UPDATE: Reuters reported late today that an unnamed source said Valasek and Miller have been hired by Uber Technologies Inc. Prior to that, neither researcher would comment on their next jobs, although Valasek announced late today that his last day at IOActive will be Monday, August 31. Uber is working on self-driving vehicles. Miller tweeted a confirmation about his new job at Uber after the Reuters story broke.]


What Valasek's co-workers don't know about him: I wanted to be a chef long before I wanted to work with computers. I hate computers. All kinds.

Something no one knows about fellow car hacker Charlie Miller:  Charlie was Missouri State Cycling Champion, 1998.

Why the circa-1980s tracksuits as Valasek and Miller's style statement: We figured it would all be very professional people in suits. We wanted to separate ourselves from the pack and listened to a lot of old school hip-hop while car hacking. We were trying for this.

Ride: Porsche 911 C2S (997). I love Porsches and always had 911 models as a kid. So I finally bought one.

Car 101:  I know so much about mechanics' tools for cars now. It's outrageous. I'm convinced you can put me in a Toyota dealership right now and I could diagnose Priuses. I couldn't fix the car, but I could tell you what's wrong.

Security must-haves: A computer, preferably running Windows 8. IDA Pro. VMWare, WinDBG. The rest is just for show.

iPod music mix right now: The Very Best of Daryl Hall & John Oates.

Hangout: Shady Grove, Shadyside, Pittsburgh, PA.

Comfort food: Anything Thai.

For fun: Boxing, yoga, running, lifting, biking, watching sports, wake surfing, going out drinking.

Favorite team: Any University of Pittsburgh athletics.

Actor who would play Valasek in a film: Trick question:  I should have been chosen over Chris Hemsworth for the lead role in "Blackhat."

Next career: Owning a bar.

Why @nudehaberdasher: It's a slight on a friend of mine. An inside joke.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights