UC San Diego computer scientist Stefan Savage and his colleagues first gave the automotive industry a wake-up call when they published research demonstrating the ability to hack a car’s computer system in 2010.
This research, and the resulting academic paper, was honored with the Test of Time Award at this year’s IEEE Symposium on Security and Privacy for its broad and lasting impact.
“This effort alerted the automotive sector that security needed to become a top priority,” Savage said. “When we showed up it was not considered a critical function by any automaker or the U.S. Department of Transportation. All of that changed remarkably quickly as a result of our work.”
In the decade since the paper was first published, it has spawned new automotive security standards and organizations, government programs focused on vehicular cybersecurity, dozens of automotive security startups, countless follow-on research efforts and, most importantly, a pervasive focus on product security by major automakers around the globe.
Identifying Security Risks in Cars
In the 2010 paper, titled Experimental Security Analysis of a Modern Automobile, Savage and colleagues at UC San Diego and the University of Washington demonstrated the ability to hack
With their eye-opening results in hand, and prior to publishing them, one of the first things the researchers did was reach out directly to the automotive industry. Their goal was to alert industry to the vulnerabilities and form lasting partnerships that would ultimately enhance the safety, security, and privacy of millions of cars on the road.
“We observed that this was an industry-wide issue and not specific to a particular manufacturer,” said Tadayoshi Kohno, a paper coauthor who is now a professor at the University of Washington.
Collaboration Spawns Change
The idea for the project began percolating when Kohno, who was completing his doctorate degree at UC San Diego at the time, and Savage struck up a casual conversation about potential security threats after seeing an OnStar advertisement. After Kohno moved to the University of Washington, he and Savage decided the time was ripe to explore the issue further.
From there the team, which included several students and faculty, came together. They soon purchased two cars and started investigating. For many of the team members who were students at the time, the collaborative nature of the project still influences their research philosophy and style.
Stephen Checkoway, now an assistant professor at Oberlin College, was the lead graduate student researcher from UC San Diego on the project. He was involved in most of the technical aspects, from reverse-engineering the automotive computers’ firmware to building tools to developing and testing exploits. His experience is one he remembers fondly.
“This was an extremely collaborative effort. No task was performed by an individual researcher alone. This was the key to our success. I count myself lucky to have had the opportunity to be on the team. Collaborative research has been my preferred method of research ever since,” Checkoway said.
Karl Koscher, now a research scientist with the University of Washington’s Security and Privacy Research Lab, was the lead graduate student on the project from the university. “It’s extremely gratifying to see lessons learned from our work are now baked into car manufacturers’ next-generation platforms, just now rolling off the assembly line."
The team also included Brian Kantor, a longtime staff member in the Department of Computer Science and Engineering at UC San Diego who died unexpectedly in November 2019. Kantor played an important role, mentoring and teaching the students the basics of hardware engineering. Hovav Shacham, Shwetak Patel, Alexei Czeskis, Franziska Roesner, Damon McCoy and Danny Anderson rounded out the team.
Research that Stands the Test of Time
Many of Savage’s collaborative research efforts have had lasting impacts that are recognized by the field. Last year, he and his colleagues were honored with another Test of Time Award from the ACM Conference on Computer and Communications Security for a 2009 paper titled "Hey You Get Off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds." In 2017, Savage was part of a team that won yet another Test of Time Award from the USENIX Security Symposium for their 2001 "Inferring Internet Denial of Service” paper.
“All three of these papers reflect a notion of being open to investigating interesting problems and working as a team,” Savage said, “UC San Diego has always been a place that’s very welcoming to people who work well on teams – and I am one of those.”
The 2020 award was presented at the 41st annual IEEE Symposium on Security and Privacy, which is an all-digital conference this year. The symposium is the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field.
For more information about this collaboration between UC San Diego and the University of Washington, please read a recent blog posted by the university’s Paul G. Allen School of Computer Science and Engineering.