Charlie Miller: The Hacker Who Showed the World Cars Could Be Hacked

In the summer of 2015, two security researchers remotely took control of a Jeep Cherokee traveling at 70 mph on a St. Louis highway — cutting the transmission, disabling the brakes, and steering it into a ditch, all from a laptop miles away. The driver, journalist Andy Greenberg, had agreed to be the guinea pig. The researchers behind the exploit were Chris Valasek and Charlie Miller, a former NSA analyst, five-time Pwn2Own champion, and the person who arguably did more than anyone else to drag the automotive industry into taking cybersecurity seriously. Chrysler recalled 1.4 million vehicles. Congress introduced legislation. And the entire auto industry was forced to reckon with a terrifying truth it had been ignoring for decades: modern cars are computers on wheels, and they were wide open to attack.

Early Life and Education

Charlie Miller grew up in the United States with an early aptitude for mathematics and computer science. He attended the University of Notre Dame, where he earned a bachelor’s degree in mathematics. His academic trajectory pointed toward a career in pure research, but Miller was drawn to the practical, adversarial side of computing — the kind of work where understanding a system meant understanding how to break it.

Miller went on to pursue a Ph.D. in mathematics, also at Notre Dame, completing his doctorate in the early 2000s. His dissertation work gave him a rigorous formal foundation that would later distinguish his security research from that of many peers. Where others relied on intuition and brute-force fuzzing, Miller often approached vulnerabilities with mathematical precision, modeling attack surfaces and reasoning about exploitability in ways that anticipated entire classes of bugs rather than individual instances.

It was during graduate school that Miller first became interested in information security, recognizing that the abstract reasoning of mathematics could be applied to the very concrete problem of protecting — and compromising — computer systems. That realization would lead him to one of the most secretive employers in the world.

Career and Technical Contributions

After completing his doctorate, Miller joined the National Security Agency (NSA), where he spent five years as a computer security researcher in the agency’s elite hacking division, the Tailored Access Operations (TAO) unit. Details of his work there remain classified, but Miller has spoken publicly about the experience shaping his understanding of how nation-states approach offensive security — the patience, the depth of analysis, and the willingness to study a target for months before making a move.

Leaving the NSA, Miller transitioned into the private sector, initially working at Independent Security Evaluators (ISE) alongside other notable researchers. It was in this period that he began making a name for himself in the competitive hacking community, particularly at the Pwn2Own competition — the annual event where researchers demonstrate zero-day exploits against major software products for cash prizes. Miller won Pwn2Own an unprecedented five times, exploiting Safari on macOS in 2008, 2009 and 2011, and other targets in subsequent years. His Safari exploits were particularly notable because Apple’s platform was widely perceived as more secure than Windows at the time, and Miller’s repeated success challenged that assumption head-on.

Technical Innovation: Remote Vehicle Exploitation

Miller’s most consequential technical contribution came through his partnership with Chris Valasek — a collaboration that produced the most dramatic cybersecurity demonstration in history. Beginning in 2013, Miller and Valasek systematically dismantled the security of modern automobiles, starting with a DARPA-funded project to explore car hacking through physically connected interfaces.

Their initial research involved connecting a laptop directly to the OBD-II diagnostic port of a 2010 Ford Escape and a 2010 Toyota Prius. From that wired connection, they were able to send Controller Area Network (CAN bus) messages that overrode the vehicles’ electronic control units (ECUs). They demonstrated the ability to jerk the steering wheel, disable the brakes at low speed, and manipulate the speedometer — all while the vehicle was moving with a journalist in the passenger seat.

The CAN bus protocol, designed in the 1980s by Robert Bosch GmbH, was never built with security in mind. It uses a broadcast architecture where any node on the network can send messages to any other node, with no authentication, no encryption, and no access controls. Miller and Valasek exploited this fundamental design flaw brilliantly:

# Simplified demonstration of CAN bus message injection
# Shows the fundamental vulnerability Miller & Valasek exploited
# CAN bus has NO authentication - any node can send any message

import can

def send_can_message(channel, arbitration_id, data):
    """
    Send a raw CAN message to the vehicle network.
    In a real vehicle, arbitration_id determines which ECU responds.
    There is no authentication step - this is the core vulnerability.
    """
    # Open the SocketCAN interface and release it when the block exits
    with can.interface.Bus(channel=channel, bustype='socketcan') as bus:
        message = can.Message(
            arbitration_id=arbitration_id,
            data=data,
            is_extended_id=False  # 11-bit standard identifier
        )
        bus.send(message)

# Example: CAN IDs mapped to vehicle functions
# These IDs were reverse-engineered by Miller & Valasek
CAN_TARGETS = {
    'steering':     0x00F0,  # Electronic Power Steering ECU
    'brakes':       0x0152,  # Anti-lock Braking System ECU
    'transmission': 0x0191,  # Transmission Control Module
    'speedometer':  0x0309,  # Instrument Cluster
}

# The attack: inject a spoofed message to the braking ECU
# No password, no token, no certificate - just raw bytes
if __name__ == '__main__':
    send_can_message('can0', CAN_TARGETS['brakes'], [0x00, 0x00, 0x00, 0x00, 0x00, 0x01])
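The defensive counterpart, added here as an illustration and not taken from the article or from any vehicle's firmware: a SecOC-style receiving ECU that accepts a frame only if a truncated HMAC over (identifier, freshness counter, payload) verifies under a shared key and the counter is strictly newer than the last accepted one. The key, the frame layout (a 2-byte freshness field and a 4-byte MAC, which needs the larger payload of CAN-FD rather than classic 8-byte CAN), and the counter values are constructed assumptions; production SecOC profiles use different truncation lengths. The brake identifier reuses the article's illustrative 0x0152.

```python
# Added example: SecOC-style authenticated CAN frames on the receiving side.
# Key, frame layout and counter values are constructed for illustration.
import hmac
import hashlib
from dataclasses import dataclass

MAC_LEN = 4        # bytes of truncated HMAC carried in the frame (assumption)
FRESHNESS_LEN = 2  # bytes of freshness counter carried in the frame (assumption)


@dataclass(frozen=True)
class SecuredFrame:
    arbitration_id: int
    payload: bytes   # application data (e.g. a brake command)
    freshness: int   # monotonically increasing counter per identifier
    mac: bytes       # truncated HMAC-SHA256 over (id, freshness, payload)


def compute_mac(key: bytes, arbitration_id: int, freshness: int, payload: bytes) -> bytes:
    """Truncated HMAC binding the identifier and counter to the payload."""
    authenticated = (arbitration_id.to_bytes(2, "big")
                     + freshness.to_bytes(FRESHNESS_LEN, "big")
                     + payload)
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, arbitration_id: int, freshness: int, payload: bytes) -> SecuredFrame:
    """What a legitimate sending ECU with the shared key emits."""
    return SecuredFrame(arbitration_id, payload, freshness,
                        compute_mac(key, arbitration_id, freshness, payload))


class SecuredReceiver:
    """Receiving ECU: verify MAC in constant time, then enforce freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_freshness: dict[int, int] = {}

    def accept(self, frame: SecuredFrame) -> tuple[bool, str]:
        expected = compute_mac(self.key, frame.arbitration_id, frame.freshness, frame.payload)
        if not hmac.compare_digest(expected, frame.mac):
            return False, "bad_mac"     # forged or tampered frame
        if frame.freshness <= self.last_freshness.get(frame.arbitration_id, -1):
            return False, "replay"      # captured frame played back
        self.last_freshness[frame.arbitration_id] = frame.freshness
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key
    brake_id = 0x0152  # illustrative ABS identifier from the article
    rx = SecuredReceiver(key)
    results = {}

    # Legitimate sender: correct MAC, fresh counter
    legit = build_frame(key, brake_id, 7, bytes([0x00] * 5 + [0x01]))
    results["legit"] = rx.accept(legit)

    # Attacker without the key copies the frame and changes the command byte;
    # the old MAC no longer matches the new payload
    tampered = SecuredFrame(brake_id, bytes([0x00] * 5 + [0xFF]), 8, legit.mac)
    results["tampered"] = rx.accept(tampered)

    # Attacker replays the captured legitimate frame unchanged
    results["replay"] = rx.accept(legit)

    # Next legitimate frame with an advanced counter is accepted
    results["next"] = rx.accept(build_frame(key, brake_id, 8, bytes([0x00] * 5 + [0x02])))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The check that matters is the order of operations: the MAC is verified before the counter is consulted, so an unauthenticated sender cannot burn through counter values, and the freshness state is only advanced on frames that have already authenticated.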

But the 2013 demonstration required physical access. Critics — particularly from the auto industry — dismissed the research as unrealistic. Who would plug a laptop into your car’s diagnostic port? Miller and Valasek took that criticism as a challenge.

Over the next two years, they conducted a massive survey of automobile attack surfaces, analyzing 24 different vehicles across multiple manufacturers and rating them for remote exploitability. They looked at Bluetooth stacks, cellular modems, Wi-Fi connections, telematics units, and infotainment systems. Their analysis identified the 2014 Jeep Cherokee’s Uconnect system — which used a Sprint cellular connection for remote services — as particularly vulnerable.

The Uconnect head unit ran a version of QNX (a real-time operating system also used in critical infrastructure), and Miller and Valasek discovered that its D-Bus service was accessible over the cellular network with no authentication. From that initial foothold, they pivoted from the infotainment system to the CAN bus through a chip that bridged the two networks, ultimately achieving full remote control of the vehicle’s physical systems from anywhere with a cellular signal.

Why It Mattered

The Jeep Cherokee hack was a watershed moment for cybersecurity, for the automotive industry, and for public policy. Before Miller and Valasek’s demonstration, car manufacturers largely treated cybersecurity as an afterthought — if they considered it at all. The vehicles rolling off assembly lines contained dozens of interconnected ECUs communicating over unencrypted, unauthenticated networks, and those networks were increasingly connected to the internet through telematics and infotainment systems.

The immediate impact was staggering. Fiat Chrysler Automobiles issued a recall of 1.4 million vehicles — one of the first cybersecurity-motivated recalls in automotive history. The National Highway Traffic Safety Administration (NHTSA) opened an investigation. Senators Edward Markey and Richard Blumenthal introduced the SPY Car Act (Security and Privacy in Your Car Act), legislation designed to establish federal standards for automotive cybersecurity. The research was cited in congressional testimony, regulatory filings, and industry white papers for years afterward.

More broadly, the hack catalyzed the creation of automotive cybersecurity as a formal discipline. Before Miller and Valasek, there were no dedicated automotive security teams at most manufacturers. After them, every major automaker established one. Industry groups like Auto-ISAC (Automotive Information Sharing and Analysis Center) were created specifically to share threat intelligence among manufacturers. The ISO/SAE 21434 standard for automotive cybersecurity engineering — published in 2021 — traces its lineage directly to the conversations Miller and Valasek’s research started.

Other Notable Contributions

While the car hacking research defined Miller’s public reputation, his contributions to information security extend far beyond vehicles. His early work on iOS security was groundbreaking. In 2007, Miller was among the first researchers to develop a remote exploit for the original iPhone, discovering a vulnerability in the device’s Safari browser that allowed arbitrary code execution. This was less than six months after the iPhone launched and helped establish the iPhone — and by extension, all smartphones — as a serious target for security research.

Miller continued pushing iOS security forward, demonstrating exploits at Pwn2Own and through independent research. In 2011, he discovered a flaw in iOS’s code signing enforcement that allowed unsigned code to run on the device through a specially crafted app. Apple responded by revoking his developer certificate — a move that generated controversy but ultimately led to Apple strengthening its code review processes. Miller’s relationship with Apple exemplified the sometimes adversarial dynamic between security researchers and the companies whose products they study.

His work on NFC (Near Field Communication) security was equally prescient. In 2012, at the Black Hat conference, Miller demonstrated vulnerabilities in the NFC implementations of Android devices, showing how a malicious NFC tag could force a phone to open a malicious URL, pair with a Bluetooth device, or trigger other unintended actions. This research arrived just as NFC-based payment systems like Google Wallet were gaining traction, and it helped shape the security architecture of the mobile payment systems that followed, including Apple Pay.

Miller also conducted significant research on battery firmware, demonstrating that the embedded controllers in Apple laptop batteries could be compromised, potentially allowing an attacker to brick the battery, cause overheating, or establish persistent malware that survived operating system reinstalls. This work highlighted a class of embedded device vulnerabilities that the security community had largely overlooked.

After the Jeep Cherokee research, Miller joined Uber’s Advanced Technologies Group in 2015 to work on the security of self-driving cars — putting him at the intersection of the two fields he understood best. He later moved to Cruise (General Motors’ autonomous vehicle subsidiary) as a principal autonomous vehicle security architect, and then to Autonomous Stuff, continuing to shape how the industry approaches the security of vehicles that drive themselves. His career arc from offensive research to defensive engineering at autonomous vehicle companies demonstrated a path that the field increasingly encourages — the idea that the best defenders are those who once learned to attack.

# Modern automotive security architecture influenced by Miller's research
# Contrast with the flat, unauthenticated CAN bus he originally exploited

vehicle_network_architecture:
  # Segmented zones — the fundamental lesson from the Jeep hack
  zones:
    safety_critical:
      systems: [brakes, steering, powertrain, airbags]
      protocol: CAN-FD with SecOC (Secure On-Board Communication)
      gateway: hardware_security_module
      access: no_external_connectivity
      
    adas_zone:
      systems: [lidar, radar, cameras, sensor_fusion]
      protocol: Automotive Ethernet (100BASE-T1)
      authentication: TLS_1.3_mutual
      isolation: dedicated_vlan
      
    infotainment_zone:
      systems: [head_unit, navigation, media, phone_integration]
      protocol: Ethernet + CAN
      connectivity: [cellular, wifi, bluetooth]
      firewall: application_layer_gateway
      
    telematics_zone:
      systems: [ota_updates, remote_diagnostics, v2x]
      protocol: Ethernet
      encryption: AES-256-GCM
      certificate_management: PKI_with_HSM

  # Central gateway — did not exist in vehicles Miller first hacked
  gateway:
    function: "All cross-zone traffic must pass through the gateway"
    security:
      - message_authentication_codes
      - rate_limiting
      - anomaly_detection
      - intrusion_detection_system
    hardware: dedicated_HSM_with_secure_boot
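A minimal model of the central gateway sketched above, added here as an example and not taken from the article or from any manufacturer's implementation: cross-zone frames are forwarded only if an explicit (source zone, destination zone, identifier) policy permits them, each permitted identifier is rate-limited per time window, and every drop is recorded as an alert for the intrusion-detection function. Zone names follow the YAML sketch; the identifiers, allowlist, rate limits and timestamps are constructed.

```python
# Added example: zone gateway enforcing allowlist + rate limits between
# vehicle network zones. Policy contents and frame IDs are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    zone: str            # zone the frame arrived from
    arbitration_id: int
    data: bytes
    t_ms: int            # arrival time in milliseconds


# (source_zone, destination_zone) -> identifiers allowed to cross.
# No entry exists for infotainment_zone -> safety_critical, so nothing
# from the head unit can reach brakes or steering.
FORWARDING_POLICY = {
    ("safety_critical", "infotainment_zone"): {0x0309},  # speed for the cluster display
    ("telematics_zone", "infotainment_zone"): {0x0700},  # constructed: navigation/OTA notice
    ("adas_zone", "safety_critical"): {0x0191},          # constructed: ADAS powertrain request
}

WINDOW_MS = 100
RATE_LIMITS = {0x0191: 5, 0x0309: 10, 0x0700: 2}   # frames per window, constructed


class Gateway:
    def __init__(self):
        self.history = defaultdict(deque)   # (src, dst, id) -> recent timestamps
        self.alerts = []                    # (kind, src, dst, id) for the IDS

    def route(self, frame: Frame, dst: str) -> bool:
        """Return True if the frame is forwarded to dst, False if dropped."""
        allowed = FORWARDING_POLICY.get((frame.zone, dst), set())
        if frame.arbitration_id not in allowed:
            self.alerts.append(("policy_violation", frame.zone, dst, frame.arbitration_id))
            return False

        key = (frame.zone, dst, frame.arbitration_id)
        recent = self.history[key]
        while recent and frame.t_ms - recent[0] >= WINDOW_MS:
            recent.popleft()               # expire timestamps outside the window
        if len(recent) >= RATE_LIMITS.get(frame.arbitration_id, 1):
            self.alerts.append(("rate_limit", frame.zone, dst, frame.arbitration_id))
            return False
        recent.append(frame.t_ms)
        return True


def demo() -> dict:
    gw = Gateway()
    out = {}

    # Legitimate: cluster speed from the safety zone every 20 ms (5 frames, limit 10)
    out["speed"] = all(
        gw.route(Frame("safety_critical", 0x0309, b"\x00\x32", t), "infotainment_zone")
        for t in range(0, 100, 20)
    )

    # The Jeep pivot: head unit trying to reach the ABS identifier. No policy entry -> dropped.
    out["pivot"] = gw.route(Frame("infotainment_zone", 0x0152, bytes(6), 120), "safety_critical")

    # ADAS flood: 20 requests in 100 ms against a limit of 5 -> only the first 5 pass
    out["adas_forwarded"] = sum(
        gw.route(Frame("adas_zone", 0x0191, b"\x01\x00", 200 + 5 * i), "safety_critical")
        for i in range(20)
    )

    out["alerts"] = [a[0] for a in gw.alerts]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The default-deny lookup is the point: the absence of a policy entry for infotainment-to-safety traffic is what closes the bridge the text describes, and the alert list gives the intrusion-detection layer something concrete to reason about rather than raw bus noise.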

Philosophy and Key Principles

Charlie Miller has articulated several principles throughout his career that reveal a coherent philosophy about security research and its role in society. Understanding these principles helps explain why his work had such outsized impact.

Public demonstration trumps private disclosure. Miller has been an outspoken advocate for full disclosure — the practice of making vulnerability details public after giving vendors reasonable time to patch. His approach to the Jeep Cherokee research was deliberate: he and Valasek gave Chrysler nine months of advance notice before their Black Hat presentation, but they insisted on presenting publicly. Miller argued that without the public demonstration, Chrysler would have quietly patched the issue and the broader industry would have continued ignoring automotive cybersecurity. The recall and legislative response proved him right.

Attack the assumptions, not just the code. Miller’s most impactful research consistently targeted systemic assumptions rather than individual bugs. The car hacking research didn’t merely find a bug in Uconnect — it challenged the assumption that vehicle networks could safely be connected to the internet. His iOS research didn’t just exploit a single vulnerability — it challenged the assumption that Apple’s platform was inherently more secure. This principle aligns with the approach of researchers like Kevin Mitnick, who demonstrated that the weakest link in any system is often the human assumptions built into it.

Simplicity in exploitation reveals depth of vulnerability. Miller often pointed out that the most alarming aspect of the Jeep Cherokee hack was not its sophistication — it was its simplicity. The CAN bus had no authentication. The D-Bus service had no access controls. The bridge between the infotainment network and the vehicle network existed with no filtering. Each individual decision might have seemed reasonable in isolation, but together they created a system that was trivially exploitable. Miller used this observation to argue that security must be designed into systems from the ground up, not bolted on afterward.

Security researchers should eventually build, not just break. Miller’s career arc — from NSA offense to academic research to competitive hacking to defensive engineering at Uber and Cruise — embodies the principle that offensive skills are most valuable when applied defensively. He has publicly encouraged young hackers to view offensive research as a learning phase, not a career endpoint, and has argued that the security field needs more builders who understand how attackers think. This philosophy is increasingly reflected in how organizations like Toimi approach digital security — integrating offensive awareness into the development process rather than treating it as a separate audit phase.

Legacy and Impact

Charlie Miller’s legacy extends across multiple domains, but three contributions stand above the rest in terms of lasting impact.

The automotive cybersecurity industry exists because of his work. Before the Jeep Cherokee hack, there was no automotive cybersecurity industry to speak of. Today it is a multi-billion-dollar sector with dedicated companies (Argus Cyber Security, Upstream Security, Karamba Security), dedicated standards (ISO/SAE 21434, UNECE WP.29 R155), dedicated academic programs, and dedicated roles at every major automaker. Miller and Valasek did not single-handedly create all of this, but they provided the forcing function — the undeniable public demonstration that made ignoring the problem impossible. In that sense, their contribution mirrors the role that Whitfield Diffie and Martin Hellman played in public-key cryptography: they made visible a problem that insiders already knew about but had failed to address.

He changed how the security community communicates risk. The Jeep Cherokee demonstration was a masterclass in security communication. By partnering with journalist Andy Greenberg, by staging the demo on a real highway (at carefully controlled speeds, with safety precautions), and by timing the public disclosure to coincide with a Black Hat presentation, Miller and Valasek created a narrative that was impossible for the media, the public, or policymakers to ignore. The approach was controversial — some in the security community argued it was reckless — but its effectiveness was undeniable. It established a template that subsequent researchers have followed when trying to communicate the severity of systemic vulnerabilities to non-technical audiences.

He proved that hacking competitions drive real security improvement. Miller’s five Pwn2Own victories were not just personal achievements. Each exploit he demonstrated led to patches in widely used software, and his repeated success against Apple’s Safari browser contributed directly to Apple’s significant investments in browser sandboxing, ASLR improvements, and other hardening measures throughout the late 2000s and early 2010s. For teams managing complex digital products — whether using platforms like Taskee for project coordination or custom internal tools — Miller’s work underscored a critical lesson: security testing must be continuous and adversarial, not periodic and checkbox-driven.

Miller’s transition from offense to defense also carries significant weight. By joining Uber and later Cruise to work on autonomous vehicle security, he demonstrated that the most impactful security work happens not when researchers find vulnerabilities from the outside, but when they bring their offensive mindset inside the organizations building the next generation of technology. Today, the concept of embedding security researchers within product teams — rather than keeping them in separate audit groups — is standard practice at companies building autonomous systems, and Miller’s career arc helped legitimize that model.

Perhaps most importantly, Miller showed that individual researchers — working with modest budgets, off-the-shelf hardware, and extraordinary persistence — can force entire industries to change course. The Jeep Cherokee hack was not the product of a government program or a corporate lab. It was the work of two independent researchers with a laptop and a curiosity about how things fail. In that sense, Miller belongs to the tradition of researchers like Phil Zimmermann, who created PGP to give ordinary people access to strong encryption, and Moxie Marlinspike, who built Signal to make encrypted messaging the default. They all share a conviction that security is too important to be left to institutions alone.

Key Facts

Detail                  Information
Full Name               Charlie Miller
Education               B.S. and Ph.D. in Mathematics, University of Notre Dame
NSA Tenure              ~5 years, Tailored Access Operations (TAO)
Pwn2Own Victories       5 (2008, 2009, 2011, 2012, 2013)
Landmark Research       Remote exploitation of 2014 Jeep Cherokee (with Chris Valasek)
Vehicles Recalled       1.4 million (Fiat Chrysler, July 2015)
Legislation Inspired    SPY Car Act (Security and Privacy in Your Car Act)
Key Employers           NSA, Independent Security Evaluators, Twitter, Uber ATG, Cruise, Autonomous Stuff
Primary Research Areas  Automotive security, iOS exploitation, NFC security, battery firmware
Conferences             Black Hat, DEF CON, Pwn2Own, CanSecWest

Frequently Asked Questions

What exactly did Charlie Miller do to hack the Jeep Cherokee?

Miller, working with Chris Valasek, exploited a chain of vulnerabilities in the 2014 Jeep Cherokee’s Uconnect infotainment system. The system used a Sprint cellular connection that exposed a D-Bus service with no authentication. From that initial access point, they pivoted through the vehicle’s internal network to reach the CAN bus — the communication backbone connecting the car’s electronic control units. Because CAN bus messages have no authentication or encryption, they could inject commands that controlled the steering, brakes, transmission, and other physical systems. The entire attack was performed remotely over the cellular network, with no physical access to the vehicle.

How did the Jeep Cherokee hack change the automotive industry?

The hack triggered the largest cybersecurity-motivated vehicle recall in history (1.4 million Chrysler vehicles), prompted federal legislation (the SPY Car Act), and led to the creation of industry-wide organizations like Auto-ISAC for sharing threat intelligence. Every major automaker subsequently established dedicated cybersecurity teams. The research also contributed to the development of international standards like ISO/SAE 21434 and UNECE WP.29 R155, which now mandate cybersecurity considerations throughout the vehicle development lifecycle. The modern practice of network segmentation, secure gateways, and hardware security modules in vehicles can be traced directly to the vulnerabilities Miller and Valasek exposed.

Why did Charlie Miller leave offensive research for autonomous vehicle companies?

Miller has spoken about believing that the most impactful security work involves building secure systems, not just breaking insecure ones. After the Jeep Cherokee research demonstrated the severity of automotive cybersecurity risks, he joined Uber’s Advanced Technologies Group in 2015 to help secure self-driving vehicles — systems where a cybersecurity failure could be immediately life-threatening. He later moved to Cruise (GM’s autonomous vehicle subsidiary) and Autonomous Stuff. His career transition embodied a principle he has advocated publicly: that offensive security researchers should eventually apply their skills defensively, bringing attacker knowledge into the design and engineering of the systems they once targeted.

What were Charlie Miller’s most significant contributions beyond car hacking?

Before his automotive research, Miller was one of the foremost iOS security researchers in the world. He developed the first remote exploit for the original iPhone in 2007, won Pwn2Own five times (primarily exploiting Apple’s Safari browser), and discovered a code signing bypass in iOS that led Apple to strengthen its app review processes. He also pioneered research into NFC security vulnerabilities in Android devices (2012), demonstrating attacks that influenced the security design of mobile payment systems. His work on Apple laptop battery firmware revealed an entirely overlooked class of embedded device vulnerabilities. Each of these contributions opened new areas of security research that other researchers subsequently expanded.