UCSD-Cyber-Sleuth receives award for revealing how hackers can take control of cars


Hackers cannot remotely take control of moving cars like they did in the 2017 film The Fate of the Furious. It’s just Hollywood magic, isn’t it?

In fact, computer scientist Stefan Savage and his staff at UC San Diego did the feat years ago, and they turned off the car’s brakes.

It was part of a groundbreaking series of experiments that revealed a poorly understood truth – cars and trucks are vulnerable to potentially dangerous cyberattacks. The automotive industry responded with quick, but not foolproof, design changes.

The American Association for the Advancement of Science recognized the importance of the discovery on Wednesday and presented Savage and three of his associates with a Golden Goose Award – a coveted honor given to government-funded research that largely benefits society.

AAAS – the largest scientific society in the country – also presented the award to two researchers who pioneered mRNA-based vaccines and to a scientist known as the “father” of the cancer drug tamoxifen.

The Savage honor is the latest of several significant awards and prizes to be presented to San Diego researchers, reflecting the region’s long and profound dedication to science, medicine, and technology.

Savage is the third UCSD professor to have won a Golden Goose since 2012. His predecessors include the late Nobel Prize winner Roger Tsien, who contributed to the discovery and development of fluorescent proteins useful in medicine, and Larry Smarr, the lead author of a proposal that would allow the government to set up supercomputing centers at American universities, including the UCSD to set up.

Earlier this month, Scripps Research biochemist Jeff Kelly won a $ 3 million Breakthrough Prize for his protein research. And the scientific community says two local researchers, chemist Barry Sharpless from Scripps and biologist Ron Evans from the Salk Institute, did the kind of work that will make them candidates for the Nobel Prize in early October.

The golden goose is different from many awards. Washington, DC-based AAAS says it focuses on scientists doing research on relatively obscure topics that may even sound “funny” to outsiders, but potentially have big profits.

This story is for subscribers

We offer subscribers exclusive access to our best journalism.
Thank you for your support.

That describes what Savage did in 2009 when he and University of Washington staff decided to use non-federal discretion to purchase two new GM Chevrolet Impala cars that were equipped with OnStar, a cellular-based, in-vehicle service that provides roadside assistance .

At the time, it was not widely believed that cars were generally vulnerable to cyberattacks. And services like OnStar have been viewed by many as simple functions rather than sensitive computer systems.

That sounded strange to Savage and his staff, even though they weren’t exactly subject matter experts.

“We had no idea how cars were actually made or how many computers there were,” said Savage, 52, who was born in Paris and grew up in New York City.

“We had seen a few OnStar commercials. So we knew there was probably something there. But there were no drivers on this team. We basically got each other by buying these cars and taking them apart. “

As a child, Savage owned a TRS-80 Model III, one of the first mass-market home computers. And he took many computer science courses at Carnegie Mellon University. So his curiosity was natural, maybe even genetic. And it was worth it.

The team quickly learned that there were many bugs in the car’s computer systems, in part because they hadn’t gone through the kind of comprehensive safety tests that personal computers are made of, Savage said.

He added that it would have been difficult for engineers to convince their companies to invest millions “to keep the pink elephants out because we are not under attack … The automotive industry is incredibly cost-driven”.

The team went on to decipher and exploit the car’s computer software. At first they were able to do simple things like control flashing lights. They worked their way up and eventually found a way to remotely disable the car’s brakes.

In early 2010, they took one of the cars to a disused airport two hours north of Seattle for testing. Alexei Czeskis, a graduate of the University of Washington, signed a waiver and got behind the wheel because the Impala had to be driven.

The car started moving and the scientists soon proved they could deactivate and reactivate the brakes.

That wasn’t the only revelation.

During another experiment, team member Stephen Checkoway, who is doing a PhD from UCSD, used a cellular service in La Jolla to see if he could access the microphone in the test car in Washington. The answer was yes. And unexpectedly, he discovered that he could also listen to the students while they were working on the car.

The joint work of researchers in La Jolla and Seattle resulted in the publication of landmark papers in 2010 and 2011 that rocked the auto industry, especially GM. The scientists did not identify which make of car they used in their tests. But they shared their data privately with the automaker.

“We made a point of not being hostile,” said Savage. “We followed a relationship and worked with GM who updated their software.”

Since then, he’s made many headline-grabbing breakthroughs, including research in 2014 that found hackers could break into some of the apps and wireless devices used by private pilots. The possibility existed that a hacker could intentionally give a pilot false information about where his aircraft is in relation to others.

Savage’s research earned him a 2017 Genius Grant from the MacArthur Foundation. The award was accompanied by a no-obligation gift of $ 625,000 that was paid out over five years.

The money didn’t drive him out of the lab. He works on many projects, including examining how the computer systems of 737 jetliners could potentially be exploited by hackers.

“Technology can be a medium for conflict,” Savage said on Wednesday as UCSD prepared for the start of the fall quarter on Thursday. “The question is, does this conflict pose an imminent threat to someone who drives a car or does not so much fly an airplane?

“I firmly believe that you should get out of this stuff instead of waiting for it to cause a crisis.”


About Author

Leave A Reply