How two car hackers plan to keep GM's self-driving cars safe

Rob Pegoraro · Contributing Editor

Mon, Aug 13, 2018, 10:19 AM

Charlie Miller and Chris Valasek, both now working as security architects at the GM (GM) subsidiary Cruise Automation, explained how removing such standard car features as Bluetooth, the radio and even the traditional notion of ownership will help them craft self-driving vehicles that don’t easily let a hacker remotely grab the wheel.

That approach is grounded firmly in basic information-security principles. But in relying on the plans of the company GM bought in 2016 to offer self-driving vehicles as a for-hire service like Uber or Lyft instead of as a product people buy, this safety architecture also cuts against a century’s worth of auto-industry practice.

A history of car hacking

The duo outlined the complexity of networked gear in an autonomous vehicle, from the array of cameras, radar and LIDAR sensors to computing hardware needed to process those inputs—in Valasek’s words, “a supercomputer in the trunk that would be more fit for Bitcoin mining.”

Then they explained how hackers have been able to worm in through cracks opened up by that complexity.

* In 2011, researchers at the University of Washington and the University of California San Diego took over a Chevy Impala, first by exploiting a vulnerability in its Bluetooth software and then by calling its OnStar cellular radio and playing a special sequence of tones.

* In 2015, Miller and Valasek gained control of a Jeep Cherokee by reprogramming its vehicle-control systems over the internet. This attack could have been written to spread from vehicle to vehicle — a possibility that led Miller and Valasek to not-so-humble-brag, “Damn, that was baller,” in the report they posted after their talk. Fiat Chrysler wound up recalling 1.4 million vehicles to fix the flaw.

* In 2016, the Chinese software giant Tencent’s Keen Security Lab hacked into a Tesla (TSLA) Model S by exploiting vulnerabilities in its dashboard web browser and onboard WiFi. In 2018, the same lab showed how to compromise a BMW i3 through such routes as its cellular connection.

Don’t trust, do simplify

At that point, the two speakers moved to offer some reassurance. “Chris and Charlie are here to tell you that we’re not screwed,” Valasek said.

Chris Valasek speaks during a presentation at the Black Hat Conference in Las Vegas, Nevada, U.S., on Wednesday, Aug. 5, 2015. Source: Bloomberg/David Paul Morris

Their plan for the autonomous vehicles coming from Cruise, based on the Chevy Bolt electric car, starts with a simple premise: Remove the systems that opened up those other vehicles to remote attacks.

Bluetooth? Forget it — the car is driving itself, so you don’t need hands-free calling. The radio? You’ll listen to your phone anyway. And that fancy touchscreen hardwired into the dashboard doesn’t need to exist either, not when the passengers can interact with the car via a stripped-down, locked-down tablet.

“If you don’t need something, take it out,” Valasek said. It’s Security 101 to reduce a device’s “attack surface” — the parts that respond to outside inputs, and which an adversary could therefore try to exploit. But it hasn’t always been Connected Car 101.

Miller’s and Valasek’s formula also includes a healthy dose of paranoia. Their design calls for the car to refuse any inbound connections — no data will come to the vehicle unless it asks for it first.

And much as in the locked-down framework Apple (AAPL) built for the iOS software inside iPhones and iPads, this autonomous-vehicle system will digitally sign and verify code at all levels, with messages from one component to another encrypted whenever possible.

Miller noted one possible speed bump: The wired networking in many cars is too old to support that encryption. “The components in cars are just so far behind,” he complained.

Not for sale at any price

If this level of security by design sounds like something worth paying extra for — sorry, you can’t. Cruise Automation will run only as a ride-hailing service, like an Uber or Lyft but devoid of life forms in the driver’s seat.

That solves the issue of how you sell a car without a radio or Bluetooth: You don’t have to.

It also offers a route around a huge problem with connected devices in general: ensuring that they keep getting updates after a vendor has taken the customer’s money.

“You don’t have to design a car that you’re going to sell to somebody and maybe never see again,” Miller said. And because Cruise cars will return to a garage for servicing every night, the company doesn’t have to worry about delivering updates over the air; a technician can plug a flash drive into a hidden port to install each one.

GM isn’t the only company working on an autonomous ride-hailing service. The Waymo subsidiary of Google parent Alphabet, Inc., (GOOG, GOOGL), for instance, will also sell self-driving-car transportation as a service.

The car industry isn’t all taking the same road to autonomous driving, though. Partial-autonomy projects as Tesla’s Autopilot or the Super Cruise option on some Cadillacs both assume individual purchase of cars and continued human operation in some scenarios — meaning stripping out the radio or Bluetooth isn’t an option.

Riding in a car more resistant to hacking than competitors may make you feel a little more safe.

As Miller said during a press Q&A after the talk, “We’re going to make it so hard that they’re going to want to hack something else.” However, Cruise’s cars will still have to share the same roads as everybody else’s.

Why the Sprint and T-Mobile merger could be good for you

Apple’s Safari has dropped the ball on security

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.