Jeep Hacker Says IoT Security a Complex Issue

At the Security of Things event, Chris Valasek says the responsibility for securing IoT devices rests with all those involved in building the systems.

Chris Valasek

CAMBRIDGE, Mass.—Chris Valasek and Charlie Miller made headlines last month when they demonstrated at two security conferences how they were able to hack into a moving Jeep Cherokee, remotely taking control of the vehicle.

Their hacks led to Fiat Chrysler Automobiles to recall 1.4 million vehicles to fix the vulnerability, and put an even greater spotlight on the complex issue of security and the Internet of things (IoT). During a keynote address at the second annual Security of Things conference here Sept. 10, Valasek used the work he and Miller did to talk about the challenges presented by the need to secure the tens of billions of devices that will make up IoT over the next several years, the responsibility that all players involved in the development of a connected product have in addressing security and the need for more security professionals to test these products.

The job of security people is not to embarrass the companies whose products they hack, Valasek said.

"Information security people are the shepherds of the Internet," he said. "We'll show you when you messed up" and help businesses fix the problems.

Much of the focus during the morning portion of the conference—sponsored by The Security Ledger news site and the Christian Science Monitor's Passcode security site—focused on the multiple issues surrounding securing the increasingly connected cars that are coming onto the roads and the growing challenges facing automakers. Valasek's address was followed by a panel discussion about security and automakers.

The interest in connected vehicles is not surprising: According to Godfrey Chua, principal analyst with Machina Research, connected cars will represent 52 percent of the machine-to-machine (M2M) cellular connections in 2024, ranking at the top of the list. Connected cars mirror much of IoT, where security is top of mind, Chua said during the conference.

"It is a key friction point in the industry right now," he said. "Security is clearly a multifaceted issue."

Valasek came to the conference with several messages: that IoT security is a more complex and complicated challenge than many understand, and that responsibility lies with all parties involved in the development of a connected device—from the component makers to the OEMs to the wireless network vendors. And that in a world where there will be 27 billion M2M connections by 2024, hackers like himself play an important role in shining a light on vulnerabilities and helping improve security.

He pointed to the recent work by a Northeastern University graduate who found vulnerabilities in the mircrochips used in Furbys, intelligent toys that could communicate with each other. The work the student did may not have had the reach of the hack of the moving car, but such work is important, Valasek said. Other connected devices may also have used the same microchips with the same vulnerabilities as the Furby toys, he said. In addition, work on small items like the toy can encourage security professionals to take on larger challenges.

"Some hacks don't really impact safety and security, but learning how to do it is smart," Valasek said. "High-impact research can stem from low-impact research."

In the work involving the Jeep Cherokees, Valasek and Miller—both of whom late last month joined Uber's Advanced Technology Center—showed how they could remotely take control of the vehicles by exploiting a vulnerability in their UConnect communications module developed by Harman and sold to Fiat Chrysler. Using a "burner" phone bought at Wal-Mart that they used as a wireless hotspot, the two were able to get into the cars' entertainment systems through a CAN bus that also gave them access to other systems in the automobile, enabling them to not only see data on the cars' speed and location, but also to control such workings as blinkers, windshield wipers, radios, steering and braking.

Their work raised a number of issues regarding security and IoT, Valasek said. One was the need for manufacturers of connected devices to engineer security into the design of the machines rather than bolting it on later. In addition, the responsibility for security goes beyond just the OEM. Fiat Chrysler (the OEM) recalled the 1.4 million cars to fix what he called air-gapped connection between the CAN buses running the entertainment system and the other aspects of the car, and Sprint (the carrier) shut down open ports that enabled Valasek and Miller to use the burner phone to gain wireless access to the vehicles.

(Fiat Chrysler on Sept. 10 recalled another 7,810 SUVs sold in the United States due to software-related vulnerabilities.)