August 9, 2018 - 6:18 pm
Security experts at the Black Hat conference Thursday in Las Vegas sought to alleviate fears about the ease of hacking autonomous cars.
Other conference speakers, though, sent heart rates higher over the vulnerability of implanted medical devices, like pacemakers.
The two discussions were among about 80 sessions held at Black Hat at Mandalay Bay, where more than 17,000 industry professionals gathered to learn about the latest threats to networks and connected devices, as well as solutions to defeat them.
Charlie Miller and Chris Valasek, vehicle security architects for San Francisco-based Cruise Automation, said hacking autonomous ride-sharing cars will be more difficult than believed as automakers reduce the number of ways a vehicle software system can connect with users, and as owners regularly update operating systems. Cruise is helping General Motors develop a fleet of autonomous cars.
Miller and Valasek said self-driving cars will also include devices that are expensive and not available to the general public, making it harder for hackers to get their hands on them to analyze.
“It’s hard to hack the car when you don’t have the hardware, software and radars,” Valasek told hundreds of attendees at the session.
Update security flaws
Several groups have remotely hacked semi-autonomous cars over the years, including a Tesla, raising concerns about the security of fully autonomous cars. Miller and Valasek said they remotely hacked a Jeep Cherokee in 2015, taking control of the automobile’s operations.
The first self-driving vehicles will likely be owned and operated by corporations, such as ride-sharing companies, they said.
The corporations will be able to fix software security flaws across their fleet the day updates become available, Miller and Valasek told the audience.
Manufacturers of autonomous ride-sharing cars can reduce the ability of hackers to gain control by removing potential remote access points like Bluetooth, they said.
Companies owning cars would also be able to monitor the engine control units in each vehicle and stop the car — or prevent it from starting — if any unauthorized changes have been made to it.
Hackers need to break through two, three, or even four security blocks to remotely gain access to a car today. By increasing the strength at each level, companies can make hackers’ “return on investment so low” that some won’t even bother, Valasek said.
“I think we are doing a pretty good job right now,” he said about the industry’s progress to stop remote hacking.
However, the situation changes when the fully autonomous car is owned by an individual, who may not regularly apply security updates.
“It’s a harder problem” to resolve and not something Cruise is focused on at the moment, he said.
Pacemakers, insulin pumps
Jonathan Butts, founder of QED Secure Solutions, and Billy Rios, founder of WhiteScope, demonstrated that they could alter the operation of implanted medical devices such as pacemakers as well as insulin pumps.
The two said they found flaws that allowed them to increase or halt delivery of insulin as well as alter the pulses sent by pacemakers.
Butts and Rios told the audience they found vulnerabilities in four of the major pacemaker devices, but added people should nonetheless use them as the health benefits outweigh the cybersecurity risks.
“Most vendors are trying to do the right thing, but the industry has a long way to go,” said Butts.