The man behind the hacks

By David Tanner, Land Line senior editor

In the moving-target world of computer hacking and security, it's hard to believe that one of the leading experts in the field is, for all intents and purposes, a hobbyist. But don't let the word hobbyist fool you. Charlie Miller is all business, conducting invaluable research into vehicle systems and their hackability.

Miller and vehicle security researcher Chris Valasek of IOActive are the men behind the recent remote hack of a Jeep that led to a Chrysler recall of 1.4 million vehicles and sent various technology companies scurrying to update their security patches.

In August, the pair presented their Jeep research at the annual Black Hat security conference, demonstrating how they made the vehicle do all sorts of wacky things including stopping it dead on a St. Louis highway. At previous Black Hat conferences, Miller presented hacking research on Fords and Toyotas, as well as various Internet-based systems that come as standard equipment or - perhaps ironically - safety features on those vehicles.

Land Line reached out to Miller to discuss his notable hacks and to see how the same principles could also be applied to systems found in long-haul trucks. Perhaps the most striking aspect of Miller's ascent in the world of cyber research is the fact that he's mainly a hobbyist in the field.

"For me it is just a hobby," he told Land Line by email. At the time, his day job was keeping hackers out at the social media giant Twitter. "I work full-time doing something non-car related. I just do car research on evenings and weekends for fun."

Other "fun" things he has done include hacking the iPhone, various Android phones, and Internet browsers. The job offers come when you're this good.

In early September, Miller had been scooped up by ride-for-hire company Uber, a free market competitor to taxicabs. There, he'll be doing advanced technical work, likely - and perhaps ironically again - to keep out the people that share his penchant for hacking.

Knowing what makes them tick helps to keep them out.

So what about those trucking-related systems - electronic logging devices, fleet management systems, GPS navigators, vehicle-to-vehicle and vehicle-to-infrastructure technology?

"We haven't looked at a system that is secure yet," Miller says while acknowledging that he's never worked directly on trucking-related systems.

"It is possible to design these systems securely, and perhaps they are quite secure, but my experience is that new systems typically have multiple security issues and could be vulnerable to compromise. Of course it isn't trivial to do this and also requires access to the systems in question. For example, for the Jeep hack we did, it took us one year and we needed a Jeep."

Just what can a hacker do to a vehicle? Miller cites his own research into Ford, Toyota and Jeep.

"In all three cases, depending on the actual features on the car, we were able to control steering, make the brakes engage, make the brakes not engage, turn the steering wheel, activate locks, windshield wipers, turn signals, etc."

A hack requires an entry point, and Miller says all systems have them.

It's possible then, that electronic logging devices, GPS systems or fleet management systems are vulnerable.

"You could imagine capturing and recording this information," Miller said.

Manufacturers are secretive about what they're doing to protect against hacks, and rightly so. This is an industry in which all technologies must be put to the test against cyber threats.

"Automotive manufacturers say they are working on this problem, but they don't share any details of what they are doing," Miller said. "There is almost no transparency on how they design secure vehicles, if they are even doing that."

"Against the type of attack we did, there isn't much you can do," he adds. LL