The Security Ledger Podcast

Encore Podcast: Chris Valasek on Hacking The Jeep Cherokee

July 30, 2021

If it's midsummer, it must be time for hacker summer camp. The Black Hat Briefings cybersecurity conference kicks off tomorrow in Las Vegas, after a year that saw both Black Hat and DEFCON postponed. Both conferences will be held in person and online. And, after a year interrupted by the COVID pandemic, 2021 promises a return to something approaching normal – if you can look past the surging Delta Variant COVID cases in and around Las Vegas.

With the event almost upon us, we're running an encore edition of the podcast and looking back to one of the most significant Black Hat presentations of all time: the 2015 demonstration of a wireless, software-based hack of a Chrysler Jeep Cherokee by security researchers Chris Valasek and Charlie Miller.

In this interview from July 2015, I speak with Chris, who was then the Director of Vehicle Research at IOActive, about the work he and Charlie did to develop their wireless attack, which gave them remote control of the braking, steering and acceleration of late model Chrysler vehicles like the Cherokee. (Chris is now the Director of Product Security at Cruise.)

The issue is one that has taken on even more importance in the six years since this interview aired. For one thing, the role of software in modern vehicles has only grown, with software-based hands-free and “autonomous” driving features now common in late model vehicles. Tesla recently released FSD v9 – an update to its “fully self driving” software that – the company admits – is a bit of a misnomer. NHTSA is investigating three dozen crashes involving vehicles using driver assistance features.

As it has in recent years, DEFCON will feature a Car Hacking Village this year that brings together some of the world’s top automotive cyber experts (and a lot of tinkerers) to poke holes in common vehicle hardware and software systems. With US roads being used as a test bed and drivers filling in as “crash test dummies” for companies like Tesla, the concerns about vehicle cyber security have never been higher.

That makes this conversation all the more interesting, with Chris telling me about the work he and Charlie did to reverse engineer both the wireless UConnect technology that is used to connect Chrysler vehicles to the Internet, and then jump from UConnect to the internal CAN bus that is used to control the critical functions of the vehicles.

Valasek said that the hacks he and Miller demonstrated took months to develop. But he also noted that the barrier to such hacks is low in many late model connected vehicles. The biggest obstacles to hacking a vehicle, Valasek argued, may be researchers’ unfamiliarity with vehicle systems and the cost to obtain a vehicle to test – not any technical impediment in the hardware or software that runs the car.

“This is like hacking web browsers 10 years ago where people are just learning about how they work and what you can do with them,” Chris told me. Check out our full interview above, or by clicking the button below.