General Motors hired two security researchers who hacked into a Jeep Cherokee over the internet in 2014, cutting its transmission and disabling the brakes in an experiment that still reverberates in the automotive industry.
Chris Valasek and Charlie Miller were both hired by Cruise Automation, the autonomous driving unit that GM formed in 2016. Previously, Valasek worked on Uber’s self-driving cars and Miller was a security researcher at Chinese ride-sharing firm Didi Chuxing. The hires were confirmed by Cruise’s chief executive Kyle Vogt on Twitter last week.
The move is the latest acknowledgement of the looming threat that hackers pose to connected cars. Many experts consider security a moving target as cars increasingly connect to the internet or start driving themselves on highways – a constant tug-of-war with hackers to prevent accidents and expensive recalls.
Valasek and Miller’s fame came after finding cellular vulnerabilities that allowed them to rewrite firmware in the Jeep’s entertainment system. The edits could be made from a laptop on the other side of the country as long as it had cellular connectivity. With that, they could turn off the engine, cut the transmission, control the air conditioning, and steer with the vehicle in reverse.
The duo shared the findings with Fiat Chrysler nine months before they were profiled in a 2015 Wired article. In a demonstration, they cut the brakes while a reporter was behind the wheel in a parking lot, sending him into a ditch. The vulnerabilities forced a recall of around 1.4 million vehicles, which could not be patched wirelessly.
The problems with automotive security seemed to loom larger after that. To keep pace with the creativity and persistence of hackers, Fiat and Tesla have started paying bounties for previously unknown security flaws in their software. Others are weighing new ways of wiring electronic control units so that brakes, for instance, can't be accessed through dashboard displays.
Last year, the National Highway and Transportation Safety Administration proposed guidelines for security in cars, pushing for layered defenses and limited access to vehicle firmware. Where new routes into firmware are discovered, automakers are also aiming to patch software remotely to make digital repairs more quickly – though progress has been slow.
GM – which created a cybersecurity chief role for Jeffrey Massimilla in 2014 – will allow such updates before 2020, said chief executive Mary Barra in a recent earnings call. Last year, Ford said that it would wirelessly upload Android Auto and Apple CarPlay to touchscreens in vehicles. Delphi has also expanded into over-the-air updates with its Movimiento acquisition.
Over time, that updatability could also be used to edit autonomous driving software, which GM has been pouring vast sums into perfecting. The company reportedly paid more than a billion dollars last year for Cruise Automation, then a start-up that had raised almost $19 million in venture capital.
The Detroit automaker has vowed to increase the unit’s headcount from 100 to 1,200 over the next five years. It is testing around 50 self-driving electric cars in Detroit, San Francisco and Scottsdale, Arizona, with plans to release more into the wild.