When introducing the keynote speaker at the Iowa Tech Summit Tuesday morning, Paul Hlivko, chief technology officer at Wellmark Blue Cross and Blue Shield, jokingly warned the audience to turn off any devices they wanted to keep control over. 

Charlie Miller waved it off: “I’m not good enough to hack and give a speech at the same time,” he told the sold-out summit.

Of course, in 2015, Miller and his research partner Chris Valasek were good enough to hack into a 2014 Jeep Cherokee, taking over the vehicle’s radio, windshield wipers, steering system and even the brakes at a low speed. 

The problem with security is simple to wrap up: “You kind of suck for a while and then you get better,” Miller said. 

“We live in a world where things are insecure, and it’s basically because we don’t want to spend the resources and money to secure everything,” he said. 

Take, for example, the internet of things, known as IoT.  

“What is internet of things? It’s all the little things in the world that used to be fine. They were fine products, they worked, and then we stuck them on the internet and this opened up some security issues,” Miller said. “People do want this for whatever reasons, and so we need to start thinking about what the implications of this are.” 

Researchers and product designers have been focusing for years on securing servers, web browsers and email clients, Miller said, but the design process behind IoT devices doesn’t follow the model by software designers. Companies behind products like phones, web browsers and smartwatches have a vested interested in creating secure products, compared with companies just entering the IoT field. 

“If people stop buying their $2,000 computer because they think they’re insecure, that’s going to be a big dent in their pocket,” Miller said. “If you compare this to the companies that make an IoT lock, or toaster … internet-connected locks is probably a very, very small part of their business compared to just selling traditional locks with keys.”

This opens the vulnerabilities: In an IoT baby monitor, hackers can target the camera, the web cloud, the company’s web infrastructure and the smartphone or web application parents are using to view the camera feed. If parents are viewing over a smartphone, there’s also the cellular carrier who could be hacked. 

“This is different than getting your email stolen, because now it’s affecting things in your life,” Miller said. 

Back to the 2014 Jeep Cherokee, which Miller and Valasek spent about a year probing. By this time, carmakers have introduced Wi-Fi, remote start on key fobs, and sensors in tires that alert drivers to low tire pressure. Computers are also controlling brakes, acceleration, parallel parking and GPS — “you can start to see that that can be a problem,” Miller said. 

To hack into the Jeep’s controlling computers, Miller and Valasek turned to the entertainment system, supplied by Harman Kardon to Chrysler. They managed to access it by buying cellphones on the Sprint cellular network, and reprogrammed a piece of the car’s computer network.  

The research wasn’t without bumps, and a few trips to the local dealership, which would fix the “broken radio.”

“If you screw up your computer, you can reinstall it. If you screw up your installation of Firefox, you can re-download it,” Miller said. “But if you screw up something when you’re trying to exploit your car, your car doesn’t work anymore.” 

“The warranty at Fiat Chrysler, I highly recommend.” 

Miller and Valasek did figure out the correct attack on the Jeep, and demonstrated their research with a Wired reporter in the driver’s seat as the reporter drove 70 mph along a St. Louis highway.  
Today, Miller works for Cruise, a self-driving car company owned by GM, where he leads the company’s autonomous vehicle security team. Car hacking has only successfully been accomplished by three teams of researchers, and average individuals likely don’t need to fear a successful hack on their vehicles.  

“Cars are going to become more connected, not less,” Miller said. “It’s something we want to get ahead on. We don’t ever want to be reactive.”