Computer researcher Chris Valasek of Seattle-based security-consulting company IOActive is among those dedicated to investigating the vulnerabilities and potential dangers of today’s computer-equipped cars.

Imagine cruising down the highway, when suddenly your car swerves into oncoming traffic as if it had a mind of its own.

As you fight to regain control, the brakes become inoperable, the power windows begin going up and down by themselves, the GPS says you’re in a foreign country, and the stereo starts blasting AC/DC’s “Highway to Hell.”

What in the world?

You’ve just been the victim of a cyber attack that has taken command of your onboard computers, turning your car into a dangerous projectile under the control of a malicious hacker.

While a nightmare scenario such as this may sound like science fiction, computer researcher Chris Valasek of Seattle-based security-consulting company IOActive is among those dedicated to investigating the vulnerabilities and potential dangers of today’s computer-equipped cars.

“I think it’s still easier for someone to cut someone’s brake lines or put a bomb under the driver’s seat,” says Valasek, director of vehicle security research at IOActive, a global provider of computer-based security services for a variety of industries.

“That being said, (automakers) are adding more and more connectivity to vehicles because that’s what people want in their cars,” he says. “And this brings obvious concerns. That’s really the message we’re trying to raise and bring awareness to.”

Help from federal grant

Two years ago, Valasek and fellow researcher Charlie Miller, a security engineer at Twitter (now a member of IOActive’s advisory board), received a grant of more than $80,000 from the federal Defense Advanced Research Projects Agency (DARPA) to research security vulnerabilities in automobiles.

As part of their research, Valasek and Miller reverse engineered the software on two 2010 cars: a Toyota Prius and Ford Escape. By accessing a diagnostic port used by mechanics, they were able to send commands from their laptops to slam on the cars’ brakes, disable power steering or repeatedly blast the horns, all to demonstrate the mayhem that a hacker could cause.

Vegas demonstration

Valasek and Miller presented their findings and tools at the 2013 DefCon hacker conference in Las Vegas, sharing them freely with all attendees.

“I’ve been involved in computer security long enough to realize that you want smart people investigating this technology,” Valasek says. “Because in all reality, most of the people doing the work are good guys like us who report problems and want to help companies fix their technology. We’re all consumers of it, and we want it to be as robust as possible.”

Valasek, who lives and works in Pittsburgh, makes regular trips to IOActive’s Seattle headquarters. The headquarters has testing labs and a garage, allowing the company to provide automakers and equipment manufacturers with strategies for enhancing security and mitigating risk.

By the time Valasek and Miller received their DARPA grant, researchers at the University of Washington and University of California, San Diego, had already demonstrated that a car’s onboard computers could be accessed remotely through a cellular connection, a deceptive Android app synced to the car through a driver’s smartphone, or even a virulent audio file in the car’s sound system.

Showing the potential

But Valasek and Miller’s research showed what could be done once inside the car’s network.

“We knew through previous research that a wireless breach was possible,” Valasek says. “We just wanted to show, in newer cars, what you could do if you were on this computer network inside the vehicle.”

Valasek and Miller continue to advance their research on car hacking, now looking at more than two dozen vehicles.

“The research two years ago with the DARPA grant was a great first step,” Valasek says. “We got to learn on vehicles that were going to the junkyard after we were done. So we didn’t hesitate to rip a piece out and see what it did. I think we’ve made leaps and bounds since then.”