McConnell Trapp has a special set of skills.

He can hack into cars and control aspects of them from his computer.

Trapp, 39, who has a law degree and speaks Japanese fluently, started hacking cars about 16 years ago. He used a computer, some various vehicle spare parts, a turbocharger and the help of few good friends to increase the 120 horsepower normally found in a 1995 Honda Civic sedan to almost 300 hp.

“It was a lot of trial and error,” said Trapp, who admitted he “blew up a lot of engines.”

Today, Trapp is director of Speed Trapp Consulting to infiltrate car computer systems and uncover potentially dangerous flaws that would make them vulnerable to someone with malicious intentions. He works as a legal “techno” consultant. He is one of the good guys. But if he were a bad guy, he knows how he could compromise several cars at once. Cars in operation today.

“I’d walk into a dealership. I would see if they have a WiFi router designated for customers and gain access into that first,” he said.

Then, if the dealership’s service department server is hooked into the main system, he’d infiltrate the service department’s storage database that the technicians use for vehicle diagnostics. From there it’s as easy as inserting a “fake” update resembling other files for vehicles and infecting multiple cars there for service.

“Hypothetically, I could make a running engine turn off, or render other aspects of the car either useless, or just make it appear as though the vehicle constantly needs service or recalls when it actually doesn’t,” he said. “That’s the danger, that’s the scary part.”

It’s that threat associated with vehicle technology that is driving many auto companies and other industries to increasingly look to hire hackers with ethics like Trapp, called “white hat” researchers. Those hackers can identify cybersecurity flaws and thwart nefarious actions of “black hat” hackers.

But finding white hat hackers to hire is incredibly hard, personnel experts said. First, few people have those skills. Then, they must be vetted to make sure they have both the technological acumen and the moral compass for the job. The need for them is outpacing the thin supply.

Typically, computer hacking is associated with a person or a group with malevolent intentions. The hacker gains unauthorized access to a computer and a technology-dependent system to do harm.

In the 2017 movie, “The Fate of the Furious,” for example, actress Charlize Theron’s character hacks into every self-driving car in New York City, takes remote control of them and causes mass chaos and destruction.

Depending on which hacker you talk to, some, such as Trapp, say such a movie scenario is unlikely in real life, especially if a human is still needed to turn on a car. Others say, though, that we are almost to a point where that could happen.

General Motors is leading the way in developing autonomous cars. It has promised to bring them to market in urban areas in a taxi-like platform next year. But the fear of scenarios such as the one in the movie, as well as a desire to keep customers’ information protected in regular cars, is ratcheting up the need for the company to hire white hat researchers.

GM launched a new program this summer called Bug Bounty. It took GM years of forming relationships with white hat hackers. GM will now bring those hackers to Detroit and pay them a hefty bounty or cash payment for each “bug” they uncover in any of GM vehicles’ computer systems.

Fiat Chrysler has had a Bug Bounty program in place since 2016. It pays white hat hackers up to $1,500 each time they discover a previously unknown vulnerability in vehicle software.

Last year, GM’s self-driving unit, Cruise, hired famous car hackers Charlie Miller and Chris Valasek. The two, dubbed the “Cherokee Brothers” by Trapp and others in the hacking community, gained fame in 2015 when they proved they could remotely stop a Jeep Cherokee.

GM conducts its cybersecurity using a three-prong approach: It hires third-party companies that employ white hat hackers, it has its own hackers on staff and it has the Bug Bounty program.

GM and Cruise employ 25 to 30 white hat hackers on staff today compared with five to 10 in 2013, said Jeff Massimilla, GM’s vice president of Global Cybersecurity. GM has about 450 people dedicated to all other aspects of cybersecurity across the company, he said.

“As we continue to get more connected and into AV, we will want to increase that number of white hat researchers,” Massimilla said.

Massimilla declined to say how much GM is investing to hire cybersecurity personnel, but he said, “It’s an extremely high priority, we’re well-funded and well-resourced.”

GM relies on its three-prong approach because of the shortage of white hat hackers, he said. Plus, many don’t want to work for one company.

“Hacking a Camaro is pretty darn exciting, hacking an autonomous vehicle is pretty darn exciting – but it’s tough to attract that talent because they’re just not there or they want to do it through bounty programs where they can work from home and have flexibility,” Massimilla said.

More than half of employer demand related to connected and self-driving cars is for workers in data management, cybersecurity and information technology, said the 2017 Connected and Automated Vehicles (CAV) Skills Gap Analysis by the Workforce Intelligence Network.

In 2015-16, there were 10,344 total job ads placed for CAV-related employment, and 5,400 of those ads were for jobs in data management and cybersecurity, the report said.

And, as demand rises for such skilled workers, the supply remains flat, thus inflating salaries. The average salary for CAV jobs in 2014-15 was $89,616. In 2015-16 that rose to $94,733, the WIN report said, citing data from Burning Glass Technologies.

There’s a gap in demand for cybersecurity personnel, especially white hat hackers, versus the supply cuts across many industries.

There also is in health care and insurance, said Bob Zhang, CIO of Strategic Staffing Solutions in Detroit, which works to find contract workers to fill such roles for its clients.

“The supply is really low right now. By 2020, the job gap will be 2 million jobs. That means 2 million unfilled openings in cybersecurity,” Zhang said.

“You can’t just teach hacking. It requires a whole lot of knowledge from IT and computer science … you have to be the jack-of-all-trades with a deep interest in systems networking,” Zhang said.

« Previous

Next »

Related Stories