The old phrase that it's hard to teach an old dog new tricks may not be as accurate as one might have thought, as the notorious car hackers Charlie Miller and Chris Valasek gave a talk this week.
The duo last appeared at Black Hat two years ago when they revealed their hack of a Jeep Cherokee and announced their retirement from car hacking. But this latest appearance featured the two guys, who now work for Cruise - a GM division developing self-driving vehicles for ride-share businesses - discussing how they have used their hacking skills to help make the upcoming generation of autonomous vehicles as safe as possible from a cyber-attack.
Miller and Valasek said with visible confidence that they would be able to defend such a fleet of vehicles from outside intrusions, citing a long list of reasons, most of which focused on the fact that their Cruise cars are being built from the ground up with security in mind, and that for once they have been given a vehicle to play with and work their magic on in a controlled environment.
Valasek told the packed house that their main worry is remote attacks, resulting in a malicious actor gaining physical control of a vehicle. To a lesser extent they are concerned with physical attacks- - the type where someone would gain access to the vehicle and somehow inject malware or alter the software to take over.
"Security needs to be iterative and flexible and constant security updates are needed," Valasek said.
Another area of concern is the underlying vehicle that some ride-share cars are built on. In some cases these are older designs, like the Chrysler Pacifica, that have their own inherent security flaws that must be taken into consideration when they are turned into autonomous ride-sharing vehicles.
Miller and Valasek said they used both their car hacking skills along with their general knowledge on how to secure a data centre to build the security envelop for the Cruise car. Each ride-share car's trunk is filled with the system needed to keep the car on the road and moving safely -- essentially a data centre.
"We built security for a data centre with four wheels that can drive," Miller said, adding all the components talk to each other using Ethernet cable.
The entire basis of the security is to eliminate ways bad guys can access the vehicles.
Their first move was to reduce the attack surface, taking out the car's WiFi and Bluetooth systems, along with the entertainment unit -- all of which can, and have been, used to hack cars in the past.
Additionally, the cars will not accept inbound communications. Instead, the car itself has to initiate any connections with the outside world. This is important because these fleet vehicles will have to be in constant contact with their home base for tracking and other purposes. By simply not accepting any incoming calls ,the cars are safer, the two said.
Over-the-air updates were also eliminated. Instead, the cars will be serviced when off duty and in a secure facility. Another benefit of having the cars stored all in one place is that it makes it much more difficult for someone to gain direct access to do malicious activity, as opposed to having a car parked in someone's driveway.
Miller said there remains a concern that the tablet computer mounted inside the car for the passengers to use could be accessed in some manner, but he believes enough is known on how to secure a tablet to keep these safe.
Miller and Valasek are not concerning themselves now with developing defences for personally-owned self-driving cars, which would reintroduce many of the now-removed attack surfaces, as these are not likely to be on the road any time soon.