Chris Valasek can control cars remotely – without the drivers being able to do anything about it. He works together with his friend Charlie Miller, a hacker and former NSA employee, and together they’re the most famous car hackers in the world. Now both of them work for Uber, and insist: we are definitely not hacking the taxi industry.
SZ: Mr. Valasek, the global corporation Fiat Chrysler had to recall 1.4 million cars thanks to you. Just how unpopular did you make yourselves by doing that?
Chris Valasek: I didn’t get any hate letters. I was never trying to put the hurt on any company. We picked the Jeep Cherokee as the target of our hack because it was affordable and well-suited to what we had planned. Afterwards the company worked together with us, and we advised several agencies on safety issues.
You show how easy it is to manipulate cars and then you put the results out on the internet. Aren’t you endangering other drivers by doing that?
Fortunately, all the weak points that we uncovered in our hack were corrected. Chrysler took the issue very seriously and recalled the affected vehicles. In general, I think it’s best to recognize problems openly because the customers and even the manufacturers don’t become aware of them until you do. And besides, texting behind the wheel is still more dangerous than our hacks.
Is the automobile industry doing enough to protect its customers in general?
Up until now, we’ve only looked at a very small number of vehicles, and I have to say that the automobile industry is not being very transparent about these things. You never know exactly what they’re working on. So it’s hard to say whether the industry is doing enough to protect its products and the people who buy them. Anyway, I hope that our experiment encourages them to take safety more seriously.
Why did you become a car hacker of all things?
I love cars, and I even have a big Porsche poster hanging in my office. For several years, I just hacked normal computers. That was fun, but after a while, it became routine. Cars are a lot more tangible. When you hack a PC, something happens in some program. With a car you see the result right away. It doesn’t respond to the gas pedal, the brakes freeze up, or the engine doesn’t start. So it made sense that Charlie and I went in that direction.
You mean Charlie Miller, who you’ve done almost all of your big hacks with. Where do you know him from?
From a consulting firm that we both worked for several years ago. We became friends and at some point decided to start a project together. And that’s how the cars started.
Charlie used to work for the NSA, and you were also always employed at major companies. Doesn’t that go against the hacker code?
Yes, Charlie worked for the NSA, and I always had a job. I wanted to pay off my house at some point! It’s not a contradiction for me: you can always keep your hacker attitude even when you work for a big company.
How hard was it to get a job after you wrecked things for Chrysler? After all, the industry knows how much potential damage you can do.
That was probably why they hired us. Our employers know that we can do certain things – and then that helps them improve their systems.
Have you actually never had any legal problems because of what you do?
No, not at all. Once there was a complaint. After the hack, we sat down with Chrysler and talked about everything. Here in the US we advised different players – the Department of Transportation and the National Highway Authority. We just want to help make it safer to drive cars. There were no threats or anything from that side – but also no job offers.
Now you work for Uber. Should your taxi competition be worried?
No, no, we’ve already shown that we’re not bad boys. We just. . .well, unfortunately we can’t talk about exactly what we do at Uber, because everything is pretty secret. But anyway, we’re not hacking any taxi companies. We’re the good guys.
And the bad guys? How dangerous are other car hackers?
Hard to say. Right now it’s pretty hard to just hack a car. You have to know networks and reverse engineering pretty well before you can hack a car. Plus you need all the equipment – and of course you have to buy a car. Fortunately for us, the company paid for it. It’s definitely not something that you can just do on the weekend.
But you have always had a full-time job. Did you stay up all night on the computer?
Charlie probably did more than I did. Most of it happened in our free time, which is why we needed more than a year for the project. IOActive was generous enough to give me some freedom. For Charlie it was really true: during the day he worked at Twitter, and at night he hacked cars.
So you’re total computer nerds?
We’re big sports fans, too! That’s really how we got to know each other. We both like football, and we talked about that even more than computers.
What is your next big hack going to be?
We’re taking it easy for now. It took so much time for the Jeep hack that we need to take a break and rest a little.
That will make the auto industry happy.
INTERVIEW: STEVE PRZYBILLA
Valasek, born in 1982, became world-famous through his hack attacks on cars. After studying computer science at the University of Pittsburgh he worked as a programmer, most recently at the consulting firm IOActive. Since September of 2015 he is the head of security at the Uber Advanced Technology Center. He is also head of “SummerCon,” the oldest hacker convention in the US.
The German version of the article appeared on Süddeutsche Zeitung on January 18, 2016.
Research was made possible by the Transatlantic Media Fellowship Program.
Please note that the views expressed by the author(s) do not necessarily reflect those of the Heinrich Boell Foundation.