Uber Hires the Hackers Who Wirelessly Hijacked a Jeep
If it’s possible to wirelessly attack an Internet-connected Jeep to hijack its steering and brakes, what could hackers do to a fully self-driving car? A pair of the world’s top automotive security researchers may be about to find out, with none other than Uber footing the bill.
Starting Monday, the ridesharing startup’s Advanced Technology Center will employ Charlie Miller and Chris Valasek, two hackers who have devoted the last three years to developing digital attacks on cars on trucks. Their work culminated last month in a full, over-the-internet takeover of a 2014 Jeep Cherokee, (with me behind the wheel) including the ability to turn off its transmission or engine, and even disable its brakes at low speeds. Their demonstration led Chrysler to recall 1.4 million affected vehicles, the first known automotive recall for a cybersecurity vulnerability.
— uɐᴉɹoʞᴉɹʞ ᴉɟɟɐɹ (@raffi) August 28, 2015
According to Reuters, which first reported the move, Miller and Valasek will help Uber with its future-focused efforts to develop its own fleet of self-driving cars, and keep them secure from more malicious hackers. The company’s autonomous vehicle ambitions are no secret: It’s already hired more than 40 robotics engineers from Carnegie Mellon and partnered with the University of Arizona to further develop the technology. Uber board member Steve Jurvetson recently commented that if Tesla developed an autonomous vehicle, Uber would buy half a million of them in 2020.
An Uber spokesperson wrote in a statement to WIRED that “Charlie and Chris are joining the team at Uber’s Advanced Technologies Center, and will also work closely with Chief Security Officer Joe Sullivan and Chief Information Security Officer John Flynn to continue building out a world-class safety and security program at Uber.” Miller and Valasek declined to comment. Miller had previously been employed as a security engineer for Twitter. Valasek had been the director of automobile security research for the security consultancy IOActive.
For car hackers, autonomous vehicles could someday soon represent a juicy new target. In previous car hacking demonstrations by Miller, Valasek and others, security researchers have shown that they can exploit existing computerized functions to control a car’s steering and brakes. If the car has an automated braking feature, hackers can trigger it to stop the car on command, for instance, or use lane-assist or self-parking steering features to move the car’s steering wheel. An insecure autonomous vehicle, in which every feature is computerized, could be a hacker’s ideal playground.
“[Autonomous vehicles] have broader attack surfaces, more sensors, [and] the computer has the ability to control the steering,” says University of California at San Diego computer science professor Stefan Savage, who helped develop the first known wireless car hacking technique in 2010 and 2011. “It just makes the problem worse.”
In other words, if Miller and Valasek’s new mission is to secure Uber’s self-driving car of tomorrow, they’ll have their work cut out for them.