A few hundred people crowded into an expansive ballroom in Las Vegas are laughing and clapping at a joke I don't get. That happens a lot here.
I'm at the Black Hat cyber security conference and a computer science minor has not prepared me for quips about lua script, femtocells or daughter boards. But that's not why I'm at this talk. And it's not why hundreds of cyber security researchers have planted themselves in seats and then stood by the dozens in the Mandalay Bay convention center.
We came because two guys are here to tell us how they hacked into a Jeep while it was on the highway, taking over the radio, speedometer, windshield wipers and transmission -- bringing the car to a crawl in traffic while the hapless driver panicked. Later, they said they took over the steering in reverse and braking at slow speeds. And they said they could've done it to thousands of other vehicles, and continuing research could lead to even more dangerous maneuvers.
Cyber security researchers Charlie Miller of Twitter and Chris Valasek of IO Interactive said they have been breaking into cars' electronic systems for years, but after the pair used a WIRED reporter as a guinea pig in a terrifying live test using new hacking techniques last month, the world took notice. They said they weren't physically wired into the vehicle and didn't need previous access to it to perform their hack -- they just needed the car's IP address and could potentially break in from miles away if they wanted.
In the simplest terms, Miller and Valasek said they were able to go in either over the car's WiFi or cellular connection, break into the car's entertainment and navigation system and, from there with a bit of clever work, slip into more critical systems, like the car's transmission.
In the talk Wednesday, the pair showed a slide with just the few lines of code that were exploited to eventually gain control over the Jeep.
"If you want to own 1.4 million vehicles, there's four lines of Python," Valasek joked. "We wanted it to be sexier, [but] that's it. Right there."
Valasek was referencing a recall announced late last month by Fiat Chrysler for 1.4 million vehicles "equipped with certain radios." The company said it was taking action against "remote manipulation" following the WIRED report. The pair's research has also brought about talk of new legislation to secure vehicles' electronic systems and a reported newly-filed class action lawsuit. Miller and Valasek said that after the recall, a manufacturer-provided update via USB stick and, more importantly, after a wireless carrier disabled a vulnerable link in its related network, they can no longer hack into the vehicles the same way.
In previous demonstrations in which Miller and Valasek connected their computers directly to a vehicle in order to take over the controls, some critics dismissed the vulnerabilities because the hackers still needed physical access.
"The difference this year is, a lot of the car companies [had said], 'Well if you had physical access, you could strap dynamite [to the vehicle] or slash the tires,'" Joshua Corman, CTO of the software management firm Sonatype, told Fusion's Tim Pool. "So what [Miller and Valasek] did with the more recent one is they shattered that excuse for good now."
So car hacking is forefront in the minds of cyber security researchers here and at other cyber security conventions nearby (several are timed to coincide in Las Vegas). Black Hat today will feature a second car hacking session and two, including a repeat of Miller and Valasek's, are planned for the popular, if more subversive conference DEFCON. That conference also plans to have a "car hacking village" for researchers to delve into vehicle vulnerabilities.
At B-Sides, a smaller conference here, Miller and Valasek's hack was subject of some controversy -- were the two actually doing good, or was it a dangerous cyber stunt that put drivers at risk?
Miller vigorously defended the work.
"Stunt hacking?" he said in a B-Sides panel in reaction to a question. "It worked, right? And you can't argue with that... Listen, like six months before this thing happened, on '60 Minutes' they did exactly the same thing with Lesley Stahl driving in a f***ing parking lot with cones and guess what happened? Nothing. Right? All the sudden you get out on the highway, people are like 'Oh, s***, that could've been me.'"
To a cheering crowd at Black Hat, Valasek added Wednesday, "Hackers did something. A physical change happened and it wasn't in the infosec [information security] community, it was in the real world."
"Remote compromises are capable, right? We don't have to prove this anymore... Just know that it's possible," he said. "This is an everybody issue."