In July 2015, a Jeep Cherokee was driving down a highway in St. Louis when its air conditioning suddenly blasted at full power, its radio switched to a different station at maximum volume, and its windshield wipers began spraying fluid across the glass. Then the transmission cut out entirely. The driver — Wired journalist Andy Greenberg — had agreed to be the test subject, but even so, the experience was terrifying. The two researchers controlling the vehicle were sitting on a couch ten miles away, laptops open, exploiting a chain of vulnerabilities that gave them wireless access to the Jeep’s most critical systems. One of those researchers was Chris Valasek. The demonstration, which led to the recall of 1.4 million Chrysler vehicles and fundamentally changed how the automotive industry thinks about cybersecurity, was the culmination of years of meticulous research into a question most people had never considered: what happens when the computers inside your car can be reached from the internet? Valasek, alongside his collaborator Charlie Miller, did not just answer that question — they proved, in the most dramatic way possible, that the automobile industry had a security problem it could no longer ignore.
Early Life and Education
Chris Valasek grew up in Pittsburgh, Pennsylvania, a city with a deep tradition of engineering and industrial innovation. From an early age, he was drawn to computers — not just using them, but understanding how they worked at a fundamental level. Pittsburgh in the 1990s was home to Carnegie Mellon University and a growing technology ecosystem, and Valasek absorbed the culture of hands-on technical problem-solving that permeated the region. He was the kind of kid who took things apart to see what made them tick, a trait that would later define his approach to vehicle security research.
Valasek studied computer science, developing a strong foundation in low-level programming, operating systems, and network security. But like many of the most impactful security researchers of his generation — people like Dan Kaminsky and Kevin Mitnick — his real education happened outside formal curricula. He immersed himself in the vulnerability research community, studying how software breaks, how memory corruption works, and how seemingly insignificant bugs can be chained together into devastating exploits. This mindset — looking at systems not as their designers intended them to be used, but as they actually behave under adversarial conditions — became the foundation of everything he would accomplish.
After completing his education, Valasek began his career in traditional software security, working on Windows kernel exploitation and vulnerability research. He spent several years at companies like Coverity and Accuvant (later Optiv), where he built deep expertise in reverse engineering and exploit development. His early work focused on finding and reporting vulnerabilities in widely used software, contributing to the broader ecosystem of responsible disclosure that researchers like Bruce Schneier had long championed. But Valasek was increasingly drawn to a question that few security researchers were asking at the time: if every modern car contains dozens of networked computers, what are the security implications?
Career and Technical Contributions
The modern automobile is not just a mechanical machine — it is a network of computers on wheels. A typical car today contains between 70 and 150 Electronic Control Units (ECUs), small embedded computers that manage everything from engine timing and brake pressure to infotainment systems and tire pressure monitoring. These ECUs communicate with each other over an internal network, most commonly using the Controller Area Network (CAN) bus protocol that was designed in the 1980s by Robert Bosch GmbH. CAN bus was engineered for reliability and real-time performance in an era when the only people with physical access to a car’s internal wiring were mechanics and engineers. It was never designed to resist a malicious actor. There is no authentication, no encryption, and no access control. Any ECU on the bus can send any message to any other ECU, and every ECU trusts every message it receives.
Valasek recognized that this architecture, combined with the increasing connectivity of modern vehicles — Bluetooth, Wi-Fi, cellular modems, USB ports, OBD-II diagnostic ports — created an attack surface that the automotive industry was not prepared for. In 2012, he teamed up with Charlie Miller, a former NSA analyst and veteran security researcher known for his work on iOS and macOS exploitation. Together, they embarked on what would become the most consequential vehicle security research program in history.
Technical Innovation
Valasek and Miller’s research unfolded in stages, each building on the previous one to construct an increasingly alarming picture of automotive insecurity. Their first major publication, presented at DEF CON 21 in August 2013, focused on a 2010 Ford Escape and a 2010 Toyota Prius. For this initial phase, they worked with physical access — a laptop plugged directly into the car’s OBD-II diagnostic port. From that wired connection, they demonstrated that they could send crafted CAN bus messages to override the vehicle’s own systems: jerking the steering wheel, disabling brakes at low speed, spoofing the speedometer, and honking the horn. The demonstrations were alarming, but critics pointed out that physical access to a car’s diagnostic port was a high bar for an attacker. Valasek and Miller understood this objection — and spent the next two years proving it was irrelevant.
The breakthrough came with the 2014 Jeep Cherokee. Chrysler had equipped the vehicle with a Uconnect infotainment system that included a Sprint cellular modem, giving the car a persistent internet connection. Valasek and Miller discovered that the Uconnect system, which ran a variant of QNX (a real-time operating system developed by security-focused engineers but deployed here without adequate hardening), was accessible via its cellular connection. The system’s D-Bus message broker had unauthenticated services that allowed remote code execution. From there, they pivoted to the head unit’s firmware, which they could reflash to include their own code. The head unit, in turn, was connected to the CAN bus through a CAN-to-SPI bridge chip — and that bridge had no filtering or authentication whatsoever.
The following conceptual diagram illustrates the architectural layers of a modern vehicle network and the attack path that Valasek and Miller exploited. This represents the high-level topology of how wireless entry points connect to safety-critical systems:
```text
┌─────────────────────────────────────────────────────────────┐
│                VEHICLE NETWORK ARCHITECTURE                 │
│            (Attack path: Valasek & Miller, 2015)            │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  EXTERNAL INTERFACES (Entry Points)                         │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌────────────┐   │
│  │ Cellular │  │Bluetooth │  │  Wi-Fi   │  │   OBD-II   │   │
│  │ (Sprint) │  │          │  │          │  │    Port    │   │
│  └─────┬────┘  └────┬─────┘  └────┬─────┘  └─────┬──────┘   │
│        │            │             │              │          │
│        ▼            ▼             ▼              │          │
│  ┌─────────────────────────────────────┐         │          │
│  │      HEAD UNIT / INFOTAINMENT       │         │          │
│  │  ┌─────────┐  ┌────────────────┐    │         │          │
│  │  │Uconnect │  │   QNX RTOS     │    │         │          │
│  │  │  D-Bus  │  │   (firmware    │    │         │          │
│  │  │   (no   │  │  reflashable)  │    │         │          │
│  │  │  auth)  │  └────────────────┘    │         │          │
│  │  └────┬────┘                        │         │          │
│  └───────┬─────────────────────────────┘         │          │
│          │                                       │          │
│          ▼                                       │          │
│ ┌──────────────────┐                             │          │
│ │    CAN-to-SPI    │◄────────────────────────────┘          │
│ │   Bridge Chip    │  (No message filtering)                │
│ │ (No auth/filter) │                                        │
│ └────────┬─────────┘                                        │
│          │                                                  │
│          ▼                                                  │
│ ┌────────────────────────────────────────────────────────┐  │
│ │              CAN BUS (No encryption/auth)              │  │
│ └───┬───────┬─────────┬─────────────┬────────────────────┘  │
│     │       │         │             │                       │
│     ▼       ▼         ▼             ▼                       │
│   ┌────┐  ┌────┐  ┌────────┐  ┌────────────┐                │
│   │ECU │  │ECU │  │  ECU   │  │    ECU     │  ... 70-150    │
│   │Eng │  │Brk │  │Steering│  │Transmission│  ECUs total    │
│   └────┘  └────┘  └────────┘  └────────────┘                │
│                                                             │
│  ALL ECUs trust ALL messages — no sender verification       │
└─────────────────────────────────────────────────────────────┘
```
The result was a complete kill chain from the internet to the car’s physical systems. From a laptop anywhere in the world, Valasek and Miller could connect to the Jeep’s cellular IP address, exploit the Uconnect D-Bus vulnerability, upload modified firmware to the head unit, and then send arbitrary CAN bus messages to control the engine, transmission, brakes, and steering. The attack required no physical access, no user interaction, and no prior knowledge of the target vehicle beyond its IP address — which they demonstrated could be discovered by scanning Sprint’s network for Uconnect devices.
Their research also revealed that the CAN bus messages used by different vehicle systems were not standardized across manufacturers but were predictable enough to reverse-engineer through systematic fuzzing. By sending carefully crafted sequences of CAN frames and observing the vehicle’s response, they mapped out the message IDs and payloads that controlled specific functions. The following code shows a simplified model of CAN bus message structure and the kind of systematic analysis Valasek and Miller performed:
```python
"""
CAN Bus Message Analysis — Educational model of the
systematic approach Valasek & Miller used to reverse-engineer
vehicle control messages.

CAN (Controller Area Network) uses a broadcast protocol where
every ECU sees every message. Messages are identified by an
arbitration ID and carry up to 8 bytes of data payload.
"""

from dataclasses import dataclass


@dataclass
class CANFrame:
    """
    Standard CAN 2.0A frame structure.
    11-bit arbitration ID + up to 8 bytes of data.
    The arbitration ID determines message priority
    AND identifies the message type — but there is
    NO sender authentication in the CAN protocol.
    """
    arbitration_id: int      # 11-bit identifier (0x000–0x7FF)
    data: bytes              # 0–8 bytes payload
    dlc: int                 # Data Length Code
    timestamp: float = 0.0

    def __repr__(self):
        hex_data = ' '.join(f'{b:02X}' for b in self.data)
        return (
            f"CAN ID: 0x{self.arbitration_id:03X} "
            f"[{self.dlc}] {hex_data}"
        )


def analyze_message_patterns(captured_frames: list[CANFrame]):
    """
    Valasek & Miller's approach: capture CAN traffic during
    known vehicle actions (braking, accelerating, steering),
    then correlate message patterns with physical behavior.
    This systematic fuzzing methodology mapped hundreds of
    CAN arbitration IDs to their corresponding vehicle functions.
    """
    frequency_map = {}
    for frame in captured_frames:
        aid = frame.arbitration_id
        if aid not in frequency_map:
            frequency_map[aid] = {
                'count': 0,
                'data_variations': set(),
                'min_interval': float('inf'),
                # None (not 0) marks "not seen yet", so a first frame
                # captured at timestamp 0.0 is still counted correctly
                'last_seen': None,
            }
        entry = frequency_map[aid]
        entry['count'] += 1
        entry['data_variations'].add(frame.data)
        if entry['last_seen'] is not None:
            interval = frame.timestamp - entry['last_seen']
            entry['min_interval'] = min(
                entry['min_interval'], interval
            )
        entry['last_seen'] = frame.timestamp
    return frequency_map


# Example: known CAN arbitration IDs from public research
# (These are educational examples, not exploitable specifics)
KNOWN_VEHICLE_FUNCTIONS = {
    0x130: "Electronic Power Steering torque request",
    0x1A4: "Brake pressure modulation (ABS/ESC)",
    0x2A8: "Transmission gear selection",
    0x164: "Engine RPM / throttle position",
    0x17C: "Parking brake actuator",
    0x1B0: "Wheel speed sensor data",
    0x292: "HVAC / climate control commands",
    0x3E9: "Instrument cluster display",
}


def demonstrate_can_vulnerability():
    """
    The fundamental CAN bus security problem:
    ANY device on the bus can send ANY message,
    and ALL other devices will trust it.
    There is no concept of 'this ECU is authorized
    to send steering commands' — the bus simply
    broadcasts all messages to all participants.
    """
    # A legitimate steering ECU message
    legitimate = CANFrame(
        arbitration_id=0x130,
        data=bytes([0x00, 0x00, 0x07, 0xD0, 0x00, 0x00, 0x00, 0x00]),
        dlc=8
    )
    # An attacker-injected message — structurally identical
    # The CAN bus cannot distinguish between the two
    spoofed = CANFrame(
        arbitration_id=0x130,
        data=bytes([0x00, 0x00, 0x0F, 0xA0, 0x00, 0x00, 0x00, 0x00]),
        dlc=8
    )
    return (
        f"Legitimate: {legitimate}\n"
        f"Spoofed: {spoofed}\n"
        f"CAN bus treats both identically — no authentication."
    )


print(demonstrate_can_vulnerability())
```
Why It Mattered
The Jeep Cherokee hack was not just a technical feat — it was a watershed moment for the entire automotive industry. Before Valasek and Miller’s research, vehicle cybersecurity was largely theoretical. Academics had published papers about potential risks, but manufacturers dismissed them as impractical or unrealistic. The dominant industry attitude was that cars were too complex, too proprietary, and too physically isolated for remote attacks to be feasible. Valasek and Miller shattered that assumption with an undeniable, live demonstration that made global headlines.
The consequences were immediate and far-reaching. Chrysler issued a recall of 1.4 million vehicles — the first cybersecurity-related recall in automotive history. Sprint blocked the specific network ports used in the attack. The National Highway Traffic Safety Administration (NHTSA) opened an investigation and subsequently issued formal cybersecurity guidance for the automotive industry. In Congress, Senators Ed Markey and Richard Blumenthal introduced the SPY Car Act (Security and Privacy in Your Car Act), directly citing Valasek and Miller’s research. While the legislation did not pass in its original form, it catalyzed a broader regulatory conversation that led to the establishment of automotive cybersecurity standards including UNECE WP.29 R155 and ISO/SAE 21434.
Perhaps most importantly, the research changed the culture inside automotive companies. Before 2015, most major automakers had no dedicated vehicle security teams, no bug bounty programs, and no formal processes for handling vulnerability reports from external researchers. Within two years of the Jeep hack, General Motors, Tesla, Fiat Chrysler, Ford, and Toyota had all established some form of coordinated vulnerability disclosure program. The Auto-ISAC (Automotive Information Sharing and Analysis Center), founded in 2015, grew into an industry-wide forum for sharing threat intelligence. Valasek and Miller had not just found a vulnerability — they had forced an entire industry to take security seriously, much as Linus Torvalds had demonstrated that open-source collaboration could produce systems more robust than proprietary alternatives.
Other Notable Contributions
While the Jeep Cherokee research is Valasek’s most famous work, his contributions to security extend well beyond that single project. Before turning his attention to vehicles, he was a respected Windows security researcher. His work on Windows heap exploitation techniques, presented at venues like Black Hat and SyScan, advanced the state of the art in understanding how memory corruption vulnerabilities could be exploited on modern operating systems. He contributed to the development of exploitation mitigation bypass techniques that helped Microsoft and other vendors improve their defenses — a pattern that echoes the broader security research philosophy of making systems stronger by demonstrating their weaknesses.
In 2016, both Valasek and Miller were hired by Uber’s Advanced Technologies Group, the division working on autonomous vehicles. The hiring was significant: it signaled that the autonomous vehicle industry recognized that security needed to be built into self-driving systems from the ground up, not bolted on after the fact. Valasek later moved to Cruise, General Motors’ autonomous vehicle subsidiary, where he served as Director of Vehicle Security Research. At Cruise, he was responsible for building the security architecture for vehicles that had no human driver as a fallback — systems where a successful cyberattack could have consequences with no manual override available. This work required integrating security into every layer of the vehicle stack, from the sensor fusion algorithms that process lidar and camera data to the vehicle control systems that execute driving decisions.
Valasek’s shift from offensive research to defensive engineering represented a natural evolution. Having spent years demonstrating how vehicles could be attacked, he was uniquely qualified to design systems that could resist those attacks. His work at Cruise involved implementing hardware security modules for ECU authentication, designing network segmentation architectures that isolated safety-critical systems from infotainment and connectivity modules, and developing intrusion detection systems specifically tailored to the CAN bus environment. This kind of defense-in-depth approach — drawing from the same principles that make the work of projects like OpenBSD so respected — was exactly what the automotive industry needed.
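The CAN-specific intrusion detection mentioned above usually starts from message timing: most control frames are sent at a fixed period, so frames injected alongside the real sender push the observed rate for that ID above its baseline. The sketch below is an added example, not code from Valasek, Miller or Cruise; the arbitration IDs, periods, thresholds and the capture itself are constructed for illustration.

```python
from collections import defaultdict
from statistics import median


def sample_capture(inject=False):
    """Constructed capture of (timestamp_us, arbitration_id); IDs and periods are made up."""
    frames = [(i * 10_000, 0x130) for i in range(200)]       # 10 ms period for 2 s
    frames += [(i * 100_000, 0x292) for i in range(20)]      # 100 ms period for 2 s
    if inject:
        # Extra 0x130 frames every 2 ms for 0.2 s, competing with the real sender
        frames += [(1_000_500 + i * 2_000, 0x130) for i in range(100)]
        frames.append((1_500_000, 0x555))                    # ID absent from the baseline
    return sorted(frames)


def learn_baseline(frames):
    """Median inter-arrival time per arbitration ID, learned from known-clean traffic."""
    last, gaps = {}, defaultdict(list)
    for t, can_id in frames:
        if can_id in last:
            gaps[can_id].append(t - last[can_id])
        last[can_id] = t
    return {can_id: median(g) for can_id, g in gaps.items()}


def detect(frames, baseline, tolerance=0.5, burst=3):
    """
    Return alerts as (kind, arbitration_id, timestamp_us).
    'rate': `burst` consecutive gaps shorter than tolerance * learned period
            (timestamp is the first suspicious frame of the episode).
    'unknown_id': an arbitration ID that never appeared in the baseline.
    """
    alerts, last, run, unknown_seen = [], {}, {}, set()
    for t, can_id in frames:
        if can_id not in baseline:
            if can_id not in unknown_seen:          # report each unknown ID once
                unknown_seen.add(can_id)
                alerts.append(("unknown_id", can_id, t))
            continue
        if can_id in last and (t - last[can_id]) < tolerance * baseline[can_id]:
            start, n = run.get(can_id, (t, 0))
            run[can_id] = (start, n + 1)
            if n + 1 == burst:                      # one alert per episode, not per frame
                alerts.append(("rate", can_id, start))
        else:
            run.pop(can_id, None)                   # normal gap ends the episode
        last[can_id] = t
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(sample_capture())
    for kind, can_id, t in detect(sample_capture(inject=True), baseline):
        print(f"{kind:10s} id=0x{can_id:03X} at {t / 1e6:.4f} s")
```

Requiring several consecutive short gaps keeps ordinary bus jitter from raising alerts. A rate check of this kind complements message authentication and gateway filtering; it does not replace them.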
Beyond his corporate roles, Valasek has been a consistent presence at major security conferences. His presentations at DEF CON, Black Hat, and other venues have educated thousands of security researchers about the unique challenges of embedded systems security. He and Miller published their research openly, releasing detailed technical papers and tools that enabled other researchers to conduct their own vehicle security analyses. This commitment to open research — making knowledge available rather than hoarding it for competitive advantage — directly mirrors the ethos that drives communities managed with tools like Taskee, where transparent collaboration accelerates collective progress.
Philosophy and Key Principles
Valasek’s approach to security research is grounded in several principles that have made his work both technically rigorous and practically impactful.
Demonstrate, don’t theorize. Valasek has consistently argued that the most effective way to drive security improvements is to build working demonstrations that prove a vulnerability is real and exploitable. Theoretical papers about potential risks are easy for manufacturers to dismiss. A video of a Jeep losing its transmission on a highway is not. This philosophy — that proof-of-concept exploits are the most powerful tool for driving defensive improvements — has been a recurring theme throughout his career.
Attack the architecture, not just the bug. While many security researchers focus on finding individual vulnerabilities, Valasek’s most important insights were architectural. The Jeep hack succeeded not because of a single bug but because of a series of design decisions — an internet-connected head unit, an unfiltered bridge to the CAN bus, a bus protocol with no authentication — that, taken together, created an exploitable path from the internet to the brakes. This systems-level thinking, examining how components interact rather than looking at each in isolation, is what separated his research from less impactful vulnerability disclosures.
Responsible disclosure serves everyone. Valasek and Miller followed a careful disclosure process, working with Chrysler and giving the company time to develop a patch before publishing their research. They coordinated with NHTSA and law enforcement. When they demonstrated the Jeep attack for Wired, the vehicle was driven on a closed section of highway with consent. This discipline — balancing the public interest in knowing about critical vulnerabilities against the need to give manufacturers time to fix them — reflects the same ethical framework that guides the best work in cybersecurity, and that companies like Toimi apply when coordinating complex security-sensitive projects across distributed teams.
Security must be designed in, not patched on. Valasek’s move from offensive research to defensive engineering at Uber and Cruise embodied his conviction that real security comes from architecture, not from patching. You cannot secure a vehicle by adding a firewall to a fundamentally insecure design. You have to redesign the communication architecture so that safety-critical systems are isolated, authenticated, and monitored from the ground up.
Legacy and Impact
Chris Valasek’s impact on automotive cybersecurity is difficult to overstate. Before his research with Charlie Miller, the automotive industry treated cybersecurity as an afterthought — something that might matter in the future but was not a present concern. After the Jeep Cherokee hack, it became an existential priority. The research directly led to the first automotive cybersecurity recall in history, influenced federal legislation, prompted the creation of industry-wide security standards, and established vehicle security research as a legitimate and critical field within the broader cybersecurity community.
The regulatory impact continues to grow. The UNECE WP.29 regulation, which became mandatory for new vehicle types in the European Union in July 2022 and will apply to all new vehicles by July 2024, requires manufacturers to implement a certified Cyber Security Management System (CSMS) covering the entire vehicle lifecycle. ISO/SAE 21434, published in 2021, provides the engineering framework for automotive cybersecurity risk assessment and management. Both standards trace their intellectual lineage, in part, to the awareness that Valasek and Miller’s research created.
On a cultural level, Valasek helped establish the principle that independent security research — even when it embarrasses powerful companies — serves the public interest. The automotive industry’s initial reaction to his work was defensive and hostile, with some manufacturers attempting to discredit the research rather than address the underlying problems. Over time, the industry came to recognize that external researchers are a critical part of the security ecosystem, a recognition reflected in the proliferation of automotive bug bounty programs and the growing number of vehicle security talks at major conferences. This shift mirrors the broader evolution of the security industry from an adversarial relationship between researchers and vendors to one of grudging but productive collaboration — a transformation that figures like Dan Kaminsky championed in the software world.
Valasek’s career arc — from Windows kernel exploitation to vehicle hacking to building defensive security for autonomous vehicles — also illustrates a broader truth about cybersecurity: the best defenders are those who understand offense deeply. By spending years learning how to break vehicle systems, Valasek developed an intuition for defensive architecture that no amount of theoretical study could provide. His work at Cruise, building security into autonomous vehicles from the ground up, represents the practical application of everything he learned as a researcher. It is a reminder that in security, as in engineering more broadly, the people who understand failure modes most deeply are the ones best equipped to prevent them.
Key Facts
| Detail | Information |
|---|---|
| Full Name | Chris Valasek |
| Known For | Remote Jeep Cherokee hack, automotive cybersecurity research |
| Key Collaborator | Charlie Miller (former NSA analyst) |
| Notable Roles | Director of Vehicle Security Research at Cruise (GM); Uber ATG |
| Landmark Research | 2015 remote exploitation of Jeep Cherokee via cellular modem |
| Industry Impact | 1.4 million vehicle recall; SPY Car Act legislation; UNECE WP.29 / ISO/SAE 21434 standards |
| Conference Presence | DEF CON, Black Hat, SyScan, CanSecWest |
| Previous Focus | Windows heap exploitation, memory corruption research |
| Location | Pittsburgh, Pennsylvania, USA |
| Research Approach | Responsible disclosure with working proof-of-concept demonstrations |
Frequently Asked Questions
What exactly did Chris Valasek and Charlie Miller do to the Jeep Cherokee?
In 2015, Valasek and Miller demonstrated a complete remote attack chain against a Jeep Cherokee. They exploited a vulnerability in the vehicle’s Uconnect infotainment system, which was connected to the internet via a Sprint cellular modem. By gaining remote code execution on the head unit, they were able to reflash its firmware and then send crafted CAN bus messages through an unfiltered bridge chip to control the vehicle’s physical systems — including the transmission, brakes, steering, air conditioning, and radio. The attack required no physical access to the vehicle and could be executed from anywhere with an internet connection. The demonstration, conducted with journalist Andy Greenberg on a real highway, led Chrysler to recall 1.4 million vehicles.
How did the Jeep hack change automotive cybersecurity regulations?
The research had profound regulatory consequences. In the United States, it prompted NHTSA to issue formal cybersecurity guidance for automakers and inspired the proposed SPY Car Act in Congress. Internationally, it contributed to the development of UNECE WP.29 Regulation 155, which became mandatory for new vehicle types in the EU in 2022 and requires manufacturers to implement certified cybersecurity management systems. It also accelerated the creation of ISO/SAE 21434, the engineering standard for automotive cybersecurity risk management. Before Valasek and Miller’s research, there were essentially no binding regulations for vehicle cybersecurity. After it, the regulatory landscape was fundamentally transformed.
Why is CAN bus considered insecure, and has it been fixed?
The Controller Area Network (CAN) bus protocol, designed by Bosch in the 1980s, was engineered for reliable real-time communication between electronic control units inside a vehicle. It was designed in an era when the only people with access to a car’s internal network were trusted engineers. As a result, CAN has no authentication (any device on the bus can send messages claiming to be any other device), no encryption (all messages are broadcast in plaintext), and no access control (there is no concept of which ECUs are authorized to send which messages). While newer protocols like CAN FD and automotive Ethernet offer some improvements, and additional security layers like SecOC (Secure Onboard Communication) have been standardized, the fundamental challenge of securing legacy vehicle architectures remains. Millions of vehicles on the road today still rely on unprotected CAN bus for safety-critical functions.
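The idea behind SecOC-style protection can be shown in a few lines: each frame carries a truncated MAC plus the low bits of a freshness counter, so a receiver rejects both forged and replayed frames. This is an added example, not the AUTOSAR specification or any vendor's code; the 4-byte data / 1-byte freshness / 3-byte MAC layout, the use of HMAC-SHA256 as a standard-library stand-in for the block-cipher MACs used in vehicles, and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_BYTES = 3    # 24-bit truncated MAC (assumed layout)
MAX_DATA = 4     # leaves room for 1 freshness byte + MAC in an 8-byte CAN frame
TRAILER = 1 + MAC_BYTES


def truncated_mac(key, can_id, data, counter):
    """MAC over arbitration ID, full freshness counter and data, cut to MAC_BYTES."""
    msg = struct.pack(">HQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def protect(self, data):
        """Return the CAN payload: data | low byte of counter | truncated MAC."""
        if len(data) > MAX_DATA:
            raise ValueError("payload too long for an authenticated 8-byte frame")
        self.counter += 1
        tag = truncated_mac(self.key, self.can_id, data, self.counter)
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def verify(self, payload):
        """Return the data if the frame is authentic and fresh, otherwise None."""
        if not TRAILER <= len(payload) <= 8:
            return None
        data, low, tag = payload[:-TRAILER], payload[-TRAILER], payload[-MAC_BYTES:]
        # Rebuild the full counter: the smallest value above the last accepted
        # one whose low byte matches. A replayed frame maps to a counter the
        # sender never used for it, so its MAC no longer verifies.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        expected = truncated_mac(self.key, self.can_id, data, counter)
        if not hmac.compare_digest(tag, expected):
            return None
        self.last = counter          # state advances only on success
        return data


def demo():
    key = bytes(range(16))           # constructed demo key; real keys live in an HSM
    tx, rx = Sender(key, 0x130), Receiver(key, 0x130)
    genuine = tx.protect(bytes([0x07, 0xD0]))
    results = {"genuine": rx.verify(genuine), "replay": rx.verify(genuine)}
    nxt = tx.protect(bytes([0x07, 0xD0]))
    forged = bytes([0x0F, 0xA0]) + nxt[2:]   # data changed, trailer reused
    results["forged"] = rx.verify(forged)
    results["next"] = rx.verify(nxt)         # failed attempts did not desync the receiver
    return results


if __name__ == "__main__":
    print(demo())
```

With only 24 bits of MAC, a receiver should also count and report verification failures, since each blind guess succeeds with probability 2^-24. The one-byte freshness field in this layout lets the receiver resynchronise after up to 255 lost frames.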
What is Chris Valasek doing now in autonomous vehicle security?
After leaving his offensive research career, Valasek joined Uber’s Advanced Technologies Group to work on security for autonomous vehicles, and later became Director of Vehicle Security Research at Cruise, General Motors’ self-driving car subsidiary. His work focuses on building security into autonomous vehicle systems from the architecture level — implementing hardware security modules, designing network segmentation between safety-critical and non-critical systems, and developing intrusion detection systems tailored to vehicle networks. This represents a natural evolution from his earlier work: having spent years demonstrating how vehicles could be attacked, he now applies that deep offensive knowledge to building vehicles that can resist those attacks.