Expert Explains How He Hacked Two Cars For Research

His work on automotive cyber threats has one U.S. senator asking questions

Chris Valasek isn't your traditional gearhead. He doesn't care about the horsepower of his engine. He doesn't change his own oil. "I don't even get my oil changed," he confesses.

What he does know about cars, however, is enough to scare major car companies, federal lawmakers and cyber security experts.

Valasek and a colleague, Dr. Charlie Miller, hacked into a Ford Escape and Toyota Prius last summer and published details of their exploits in a landmark report on automotive cyber security. Sitting in the rear seats, they controlled nearly every imaginable function of the cars, manipulating things like steering, throttle inputs and dashboard indications. They demonstrate their feats in the above video.

Their successful breaches of the vehicles' security systems have drawn the concern of U.S. Senator Ed Markey, (D-Mass). Last month, Markey sent the country's leading automakers a seven-page letter asking questions on how they plan to fend off such cyber attacks. In it, he cited Valasek and Miller's research as one of the bases for his worries. Responses are expected from car companies in February.

Computers govern almost every aspect of the way cars operate these days. Most cars have 40 to 80 electronic control units that control everything from on-board touchscreens to engine performance. These ECU's are often linked on a Controller Area Network.

Cars were easy to infiltrate

Valasek, director of security intelligence at IOActive in Seattle, said it took about nine months of working part time on the project to master his understanding of the systems. Once he and Miller gained access to the vehicles, however, it was frightfully easy to exploit them.

"If you are on the network and you know the messaging format, you have the keys to the castle," he told AOL Autos. "They really have no resilience against a determined attacker."

As car companies rush to add features that keep drivers connected to their online lives, such as USB ports, app stores, browsers and in-car wifi networks, Valasek foresees more potential entry points for hackers. And it doesn't matter if a hacker broke into one area of the car's network, such as the telematics units, as they can still affect another area.

"Once you're in the car, it's a trusted environment," he said. "They assume there's never an attacker on the network. ... The way these networks are set up to, say, control steering, you don't have to compromise the computer that does the steering. You just have to compromise a computer on the same network."

Automakers downplayed the results of the study, which was funded by the Department of Defense's Advanced Research Projects Agency.

A letter written to Markey on behalf of the car companies focused on the phyiscal breach of the vehicle. The Alliance of Automobile Manufacturers noted that anyone with access to a vehicle can compromise safety in non-electronic ways, such as cutting brake lines. But previous research showed a physical breach isn't necessary to hack a vehicle. A study conducted at the University of California San Diego and University of Washington demonstrated cars are equally susceptible to being remotely hacked and controlled.

Ford and Toyota did not return multiple emails from AOL Autos that asked questions regarding their cyber-security measures in the wake of Valasek's study. He says he never heard from either company.

Experts released details

In some circles, Valasek and Miller were criticized for releasing detailed blueprints of their breaches. Their transparency stood in contrast to the Cal-San Diego and Washington researchers who didn't even identify the makes and models of cars they hacked.

By releasing data right down to the diagnostic packet codes that allowed them to manipulate the car, Valasek said it would make it harder for car manufacturers to downplay their findings. He said it would ultimately help security, because more experts would have an avenue to fix the security holes.

Hacking into a vehicle would be more difficult than hacking into a computer, he said, because while most people have a computer, not everyone has a spare vehicle. Infiltrating the car took time, experimenting and, of course, the cars themselves.

"The nice thing was that we had cars that weren't ours, and we could say, 'Oh, I guess we won't fix that,'" he said. "I had to take the Prius to the shop twice because we blew up the inverter. [We were ] simulating the throttle opening and we did it a bit too long. I had it towed back to the dealership, and I had to drive a rental car back to Pittsburgh."

What's ahead in 2014

This spring, he and Miller hope to conduct further automotive hacking research. Although he wouldn't divulge details of future plans, he nodded toward Nissan's new steer-by-wire system, a cutting-edge technology the company calls Direct Adaptive Steering.

Sensors in the car monitor the position of the steering wheel and, in turn, control the direction of the car. The steering wheel itself is not mechanically linked to the wheels, (though it does have a more traditional backup system in case of failure).

"That's the future of automotive networks and functionality, and it'd be cool to look at cars on the bleeding edge of that to see what kinds of safety and security measures exist," Valasek said.

Pete Bigelow is an associate editor at AOL Autos. He can be reached via email at and followed on Twitter @PeterCBigelow.

RELATED: CarKnow Car Hacking | TRANSLOGIC Car Hacking With CarKnow: TRANSLOGIC 135

Share This Photo X