Interview with Chris Valasek & Charlie Miller, Cybersecurity Experts & White Hat Hackers
At Aurum Speakers Bureau we have the great pleasure and honor to represent some of the most extraordinary people in the world today and bring them all around the planet to inspire the audience of your next event. In this new section of our blog, you’ll get to know a bit more about them before they speak at your conference. Welcome to Aurum Speakers Series.
According to a study by PwC presented at Davos, cybersecurity threats ranked #2 among US CEOs’ top worries and 50% of them said they were extremely concerned about cyber threats such as a breach of data privacy and ethics; cybersecurity breaches affecting business information and critical systems; and information technology outages and disruptions.
But it’s not only companies and CEOs who should be worried about cyber-attacks. From simple malware that steals your browsing data to sophisticated phishing attacks to get your passwords and hack your online accounts, cyber threats don’t stop increasing for everyone. And with the development of technologies like the Internet of Things (IoT), more and more household items such as TVs, security webcams or even washing machines and fridges are hooked up to the internet. Can those be hacked? Of course!
And while we might not be particularly scared of getting our fridge hacked, what about our car? Cars nowadays are as much software as hardware, and thus, offer services like navigation, music streaming, voice assistants and more. That means our cars are connected too, and that poses a threat that hackers can exploit. Moreover, manufacturers are heavily investing in autonomous technology and brands like Tesla already have all the hardware needed for fully autonomous self-driving cars.
In the summer of 2015, Chris Valasek & Charlie Miller managed to remotely hack, from a 10-mile distance, a 2014 Jeep Cherokee in St. Louis with a reporter from Wired driving it. They found a vulnerability in the vehicle’s Internet-connected entertainment system and exploited it to gain complete control of the car: from silly things like turning on the windshields or blasting the radio volume; to really serious threats like turning the steering wheel, disabling the breaks or killing the engine in the middle of the highway.
Because of it, Fiat Chrysler was forced to recall 1.4 million Jeep Cherokees and issued a patch closing that vulnerability. What Chris and Charlie did was scary, but they did it to help Chrysler fix the issue and protect millions of drivers who would have been at the mercy of hackers with not such good intentions. That’s what white hat hackers do.
We spoke with Chris & Charlie about ethical hacking, car security and autonomous vehicles, and about the biggest threats in cybersecurity. Here’s what he had to say about it:
- Your Jeep-hack stunt made you famous as it made headlines all around the world. But has it been a wakeup call for car manufacturers? Realistically, would you say it’s possible that in the future a similar hack is performed to try to hurt someone?
Chris: I think it was a big wake up to the auto industry. Since that time it seems the automotive manufacturers are investing heavily in security and are working hard to make sure that doesn’t happen in the future. That said, no system is un-hackable so it is always possible that in the future cars could get hacked. However, we hope the extra attention being paid by these companies now will keep us safe down the road.
- What is a “white hat hacker” / ethical hacking? How is the day to day of someone who does it for a living?
Charlie: White hat hackers find flaws in systems but instead of attacking the systems and, say, stealing credit card numbers or photos, we report these flaws to the vendors so they fix them. For example, I found the first remotely exploitable flaw in the iPhone and reported it to Apple so that it would get fixed. I later found another flaw in the iPhone that an attacker could take over the phone just by sending a text message. I also found similar flaws in Android devices. But, these flaws are now fixed because I reported them.
Basically, I work a job like everyone else. I’ve been a consultant, worked for the NSA, worked for Twitter and Uber, etc. Then in the evenings or weekends, I do bug hunting. Its mostly a hobby but it also makes me feel good to know I am helping make the products that people use safer. Some of these flaws might be found very easily but most take considerable effort…
Chris: Exactly. Some flaws can be spotted rather easy, but I’d say a typical flaw in something like an iPhone like Charlie said might take weeks or even months of effort to discover. The work we did to demonstrate the flaw in the Jeep took us.. almost a year of work!
- Self-driving cars are the future of transportation and you currently work as Principal Autonomous Vehicle Security Architects at Cruise Automation, the driverless car company acquired by GM in 2016 for $1 billion. When do you expect this technology to reach the famous “Level-5” or full autonomy? What are the main problems or challenges to securing self-driving cars?
Charlie: Self driving cars are really cool and I can’t wait for the day they solve many of the problems facing driving today like the problems caused by distracted and drunk drivers, or helping elderly or disabled individuals stay mobile. However, as we pointed out with the Jeep, we need to make sure that these self driving cars are safe from cyber attack. Chris and I work hard at Cruise making sure that the types of vulnerabilities we demonstrated against the Jeep are not present in our self-driving cars.
- Before Cruise, you have been working for other top companies such as Uber (both), Twitter (Charlie), IBM (Chris) and more. Would you say cybersecurity is one of the main concerns of corporations nowadays? How is it possible that every few months we hear about another major company getting hacked and losing millions of customers’ private data? Are they not paying enough attention to this matter?
Chris: When a company gets hacked, it usually means they did something wrong. But the thing is, defense in cyber security is very difficult. You can do everything right for a very long time, make one tiny mistake, and that’s all it takes. So I always wonder when I read about a big breach if they were just terrible at security and it was a matter of time or if they were on top of their game and had one tiny hiccup.
Charlie: This also depends on who the bad guys are. If you are defending against bored teenagers you have to have one level of defense, but if you are defending against a nation state, you need a whole other level of security…
- What can smaller companies that cannot afford to hire a cybersecurity expert do to protect themselves? Should everyone care about this issue and take steps to protect their devices? Any tips or suggestions?
Chris: That is a very difficult question! A a lot is going to depend on the type of organization we’re talking about. The company needs to think about what can go wrong in their particular situation.
Charlie: Yeah, like are you worried about ransomware attacks? In that case make sure you have good backups (and test recovering from them). Are you worried about phishing? Encourage use of a password manager like 1password and encourage adoption of two-factor authentication. Worried about a data breach? Limit and monitor access to your databases as much as possible.
Chris: They can always bring us to speak at their next event to protect themselves! (laughs)