Less than a month after their command performances at the Black Hat and Def Con security conferences in Las Vegas, security researchers Charlie Miller (late of Twitter) and Chris Valasek (formerly of the security firm IOActive) have been poached by Uber—which ironically had security flaws in its own in-car technology exposed by University of California-San Diego researchers this month as well. According to a report from Reuters, Uber will announce the hiring of Miller and Valasek on Monday.
Miller and Valasek's research on Fiat Chrysler's Uconnect system exposed design vulnerabilities that allowed them to take remote control of many of a targeted vehicle's systems, as they demonstrated by shutting down the throttle of a 2014 Jeep Cherokee while it was being driven on an interstate by Wired reporter Andy Greenberg. The research, coordinated with Fiat Chrysler, led to the distribution of a fix by Chrysler and the blocking of vulnerable ports by Sprint, the mobile carrier providing the network for Uconnect. But the attention garnered by the video led to Chrysler announcing a recall of 1.4 million vehicles to accelerate the installation of the software patches.
Earlier this week, Uber announced grants to the University of Arizona to fund autonomous vehicle technology. The hiring of Miller and Valasek is likely part of an effort to ensure that Uber's autonomous vehicle development work remains secure, and may be partially prompted by the findings of the UCSD researchers Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage. The group presented research at the Usenix Security conference two weeks ago that showed a telematics device used by Uber and some auto insurers could be compromised to take remote control of systems in a similar fashion to Miller and Valasek's hack of the Jeep.