Miller & Valasek: Security Stakes Higher for Autonomous Vehicles

Car hacking specialists shift gears and work on car defense in their latest gigs - at GM subsidiary Cruise Automation.

No 80s-era Adidas tracksuits. No video of a
hacked Jeep Cherokee
slowing to a crawl from 70 mph on a highway after losing its acceleration power. No steering-wheel hijacked Jeep stuck in a muddy ditch. This time, famed car hackers Charlie Miller and Chris Valasek came purely as defenders - rather than hackers - of automobile security.
Valasek and Miller, now both principal security architects for autonomous-vehicle manufacturer Cruise Automation, at Black Hat USA last week mapped out the key issues surrounding securing this new generation of driverless cars, based on their past three years working in the self-driving vehicle industry collectively for Uber, Didi Chuxing, and now Cruise, of which General Motors is a majority owner.
We have a unique perspective ... weve done a bunch of car hacking, Miller said in an interview in Las Vegas prior to his and Valaseks presentation. In the last three years, its all been all about protecting cars from attack, he says.
His and Valaseks
2016 hack of the Jeep Grand Cherokee steering at speed
was at least physically defendable, he says: Such a remote attack on an autonomous vehicle would not be. The moment we turned the steering wheel, we [the driver] had a shot at resisting the attack. But in the future, theres not going to be steering wheels and brakes, so youre completely reliant on the car to drive itself, Miller says of autonomous cars. So the stakes are even higher.
The goal of their driverless car security work, they say, is not about sniffing out the most or least hackable self-driving cars, but to make hacking them too much work for an attacker to bother doing. [Its] how to make the ROI [return on investment] so low for an attacker that its not worth doing, Valasek explains.
Among the devices theyre helping secure are the tablets that serve as the human interface to the autonomous vehicles. Reducing the potential attack surface found in many of todays modern driver-run cars is a goal: if Bluetooth is unnecessary, it shouldnt be included, for example.
Theres always going to be vulnerabilities in code. So if you dont need something, take it out, Miller says. If the vehicle needs Bluetooth, for instance, it should have as few ways as possible to take data from the outside world to the car, he says.
Ethernet is the communications network infrastructure of choice for autonomous vehicles, the researchers say. And the key is isolating connected components from components that control the vehicle. For example, the communications module should not have a direct connection to the CAN bus and should not be the same as the main compute module. Likewise, the tablets should be isolated as much as possible from more trusted components of the vehicle, Miller and Valasek wrote in
a white paper
they published last week.
Autonomous vehicles do come with some inherent advantages security-wise: since theyre owned and deployed by a service in many cases, that provider also handles monitoring and maintenance of its fleet. The cars return to a garage each day where they get checked or fixed, and their software can be updated, while traditional cars rarely get software updates.
If a problem is detected in a self-driving car, it can be remotely powered down, or returned to the garage. In addition, the vehicles come with custom communications modules rather than a standard Web interface.
Threats
Among the possible remote threats to an autonomous vehicle, they say, are attacks on: the listening service in its communications module; remote assistance features; and on the infotainment system, for example. An attacker also could target the vehicles fleet management service, or its software update service.
On the local side, Wi-Fi, Bluetooth, and tire pressure-monitoring systems could be targeted, as well as sensors in the vehicle. But Miller and Valasek say the biggest concern is a remote attack that could result in an attacker physically controlling the vehicle.
We know what to do. We know whats on the line, Valasek says of their security work.
It doesnt matter if its Cruise, Waymo, or Uber - the hack of a driverless vehicle is bad for everybody, he says. We want to share our thought process here. We dont want anyone to have incidents.
The new security advancements being forged in autonomous cars likely will trickle down to traditional driver cars, too. Once [security] is in the firmware, it will be easy to do in regular cars, Valasek says.
Meanwhile, Cruise has not yet rolled out its autonomous vehicle models nor has it provided a timeframe for the release.
Were the pre-flight [security] check, Valasek says.
Related Content:
Epic Security #FAILS Of The Past 10 Years
Police Car Hacks: Under The Hood
Valasek Not Done With Car Hacking Just Yet
Chrysler Recalls 1.4 Million Vehicles After Jeep Hacking Demo
Learn from the industrys most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for
more info
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Miller & Valasek: Security Stakes Higher for Autonomous Vehicles