McConnell Trapp has a special set of skills.
He can hack into cars and control aspects of them from his computer.
Trapp, 39, who has a law degree and speaks Japanese fluently, started hacking cars about 16 years ago. He used a computer, some various vehicle spare parts, a turbocharger and the help of few good friends to increase the 120 horsepower normally found in a 1995 Honda Civic sedan to almost 300 hp.
“It was a lot of trial and error,” said Trapp, who admitted he “blew up a lot of engines.”
Today, Trapp is director of Speed Trapp Consulting in Troy. He works as a legal “techno” consultant. He is one of the good guys who uses his ability to infiltrate car computer systems and uncover potentially dangerous flaws that would make them vulnerable to someone with malicious intentions. But if he were a bad guy, he knows how he could compromise several cars at once. Cars in operation today.
“I’d walk into a dealership. I would see if they have a WiFi router designated for customers and gain access into that first,” he said.
Then, if the dealership’s service department server is hooked into the main system, he’d infiltrate the service department’s storage database that the technicians use for vehicle diagnostics. From there it’s as easy as inserting a “fake” update resembling other files for vehicles and infecting multiple cars there for service.
“Hypothetically, I could make a running engine turn off, or render other aspects of the car either useless, or just make it appear as though the vehicle constantly needs service or recalls when it actually doesn’t,” he said. “That’s the danger, that’s the scary part.”
It’s that threat associated with vehicle technology that is driving many auto companies and other industries to increasingly look to hire hackers with ethics like Trapp, called “white hat” researchers. Those hackers can identify cybersecurity flaws and thwart nefarious actions of “black hat” hackers.
But finding white hat hackers to hire is incredibly hard, personnel experts said. First, few people have those skills. Then, they must be vetted to make sure they have both the technological acumen and the moral compass for the job. The need for them is outpacing the thin supply.
Hackers for hire
Typically, computer hacking is associated with a person or a group with malevolent intentions. The hacker gains unauthorized access to a computer and a technology dependent system to do harm.
In the 2017 movie, “The Fate of the Furious,” for example, actress Charlize Theron’s character hacks into every self-driving car in New York City, takes remote control of them and causes mass chaos and destruction.
Depending on which hacker you talk to, some, such as Trapp, say such a movie scenario is unlikely in real life, especially if a human is still needed to turn on a car. Others say, though, that we are almost to a point where that could happen.
General Motors is leading the way in developing autonomous cars. It has promised to bring them to market in urban areas in a taxi-like platform next year. But the fear of scenarios such as the one in the movie, as well as a desire to keep customers’ information protected in regular cars, is ratcheting up the need for the company to hire white hat researchers.
GM launched a new program this summer called Bug Bounty. It took GM years of forming relationships with white hat hackers. GM will now bring those hackers to Detroit and pay them a hefty bounty or cash payment for each “bug” they uncover in any of GM vehicles’ computer systems.
Fiat Chrysler has had a Bug Bounty program in place since 2016. It pays white hat hackers up to $1,500 each time they discover a previously unknown vulnerability in vehicle software.
Last year, GM’s self-driving unit, Cruise, hired famous car hackers Charlie Miller and Chris Valasek. The two, dubbed the “Cherokee Brothers” by Trapp and others in the hacking community, gained fame in 2015 when they proved they could remotely stop a Jeep Cherokee.
GM conducts its cybersecurity using a three-prong approach: It hires third-party companies that employ white hat hackers, it has its own hackers on staff and it has the Bug Bounty program.
GM and Cruise employ 25 to 30 white hat hackers on staff today compared with five to 10 in 2013, said Jeff Massimilla, GM’s vice president of Global Cybersecurity. GM has about 450 people dedicated to all other aspects of cybersecurity across the company, he said.
“As we continue to get more connected and into AV, we will want to increase that number of white hat researchers,” said Massimilla.
Massimilla declined to say how much GM is investing to hire cybersecurity personnel, but he said, “It’s an extremely high priority, we’re well funded and well resourced.”
GM relies on its three-prong approach because of the shortage of white hat hackers, he said. Plus, many don’t want to work for one company.
“Hacking a Camaro is pretty darn exciting, hacking an autonomous vehicle is pretty darn exciting — but it’s tough to attract that talent because they’re just not there or they want to do it through bounty programs where they can work from home and have flexibility,” said Massimilla.
More than half of employer demand related to connected and self-driving cars is for workers in data management, cybersecurity and information technology, said the 2017 Connected and Automated Vehicles (CAV) Skills Gap Analysis by the Workforce Intelligence Network.
In 2015-16, there were 10,344 total job ads placed for CAV-related employment, and 5,400 of those ads were for jobs in data management and cybersecurity, the report said.
And, as demand rises for such skilled workers, the supply remains flat, thus inflating salaries. The average salary for CAV jobs in 2014-15 was $89,616. In 2015-16 that rose to $94,733, the WIN report said, citing data from Burning Glass Technologies.
There’s a gap in demand for cybersecurity personnel, especially white hat hackers, versus the supply cuts across many industries. There also is in health care and insurance, said Bob Zhang, CIO of Strategic Staffing Solutions in Detroit, which works to find contract workers to fill such roles for its clients.
“The supply is really low right now. By 2020, the job gap will be 2 million jobs. That means 2 million unfilled openings in cybersecurity,” Zhang said. “You can’t just teach hacking. It requires a whole lot of knowledge from IT and computer science … you have to be the jack of all trades with a deep interest in systems networking.”
Some organizations offer training courses to verify a hacker as a “certified ethical hacker,” he said.
But most large corporations find it beneficial to hire third parties staffed with white hat hackers for specific projects.
“If I’m an IT manager, do I really want to hand-pick somebody and say, ‘I’m going to put all of this multibillion-dollar company in the hands of the people I hire?’ Or outsource it to a company that focuses on this type of service? Many do both.”
The gap in cybersecurity job demand versus supply is probably the largest gap in the IT industry’s history, Zhang said.
“Once the security world matures and the amount of security providers increase, the demand will even out,” he said.
Creating the next generation
Some colleges and universities offer courses in cybersecurity, but expanding that curriculum and recruiting younger people into vocational hacking courses to grow the talent pool can’t happen fast enough to meet the soaring demand, said Jennifer Tisdale, director of connected mobility and infrastructure for Grimm.
Grimm is a technology consulting company with a new “car hacking lab” in Sparta, Michigan. It uses white hat researchers for automotive clients as well as other industries.
“We need to hire 20-plus researchers in the next two years,” said Tisdale. “I don’t have time to wait for a college to structure a program for cybersecurity.”
College programs might not be the full answer anyway, said Brian Demuth, Grimm’s CEO.
“There’s not a degree that should be created to do all of this, but there are things like extended learning that can help,” he said.
Grimm, which has 46 employees scattered across the country, looks for people who have a “fundamental view of computer science” and then trains, teaches and grows them from there, said Demuth.
Demuth, 38, is a hacker himself with a computer science background and a passion for tinkering with cars.
“I was always interested in how things worked. I grew up the son of a Marine, and he was in the intelligence field, so there were always computers and amateur radios around,” said Demuth. “My father was into mechanics and working on vehicles and making them start faster or stop faster. That’s what drove my passion into this.”
The hacker stigma
Part of the difficulty in recruiting hackers lies in the stigma surrounding the pursuit.
Matt Carpenter, 44, is Grimm’s lead researcher dedicated to automotive, aerospace and energy businesses. Carpenter works with four other white hat researchers in Grimm’s car hacking lab.
“What I do and my team does is everything that can be done by an attacker,” Carpenter said. “We do this so that we can benefit the community and identify problems before someone with bad motives can do it.”
When asked if he calls himself a hacker, he said, “I like to be called a good guy, but there’s no way to be considered a good guy by everybody and do what I do. There’s a great stigma around being a hacker.”
Many people misunderstand the work white hat hackers do, which Carpenter said is “vital” to secure every car on the road.
“It takes a lot of deep knowledge and deep work,” said Carpenter. “You can’t pull me off for an hour or I will lose ground. I will do four hours, take a short break, and go back for four hours more. But it’s very interesting work.”
The work can help automakers, for example, develop security initiatives such as over-the-air updates for firmware, said Carpenter. Those updates would allow a carmaker to fix a bug via a secure update across thousands of cars without having to do a recall.
Carpenter and Trapp are adept at reverse engineering a car’s system to find bugs or develop security points. But in doing so, Trapp reluctantly admits, he is a hacker.
“As I look for that problem in a vehicle or system and find vulnerabilities, I try to see if I can re-create it,” said Trapp. “And, that’s hacking.”
Many hackers have hesitations about applying for jobs.
For one thing, there is the fear of the legality of it, said Jennifer Dukarski, head of the connected and autonomous vehicle group at law firm Butzel Long in Ann Arbor.
“There are blurred and unclear computer laws,” said Dukarski. “Even if you have authorized access, do you have full access? And a lot of hackers don’t want their employers to know that they have poked around and have experience.”
Ironically, most hackers also enjoy the notoriety when they do hack into something, so they eschew contracts that demand confidentiality, Dukarski said. They also dislike exclusivity.
“Most hackers want to go into various vehicles and find flaws. They want to go into Fords and find fault, or GM or hack into their own toaster,” Dukarski said. “Working for one automaker limits them.”
GM’s Massimilla understands this mentality. He said any hackers to whom GM pays a bounty are free to do bounty work for other automakers. “We don’t view cybersecurity as a competitive advantage; we see it as an industry problem,” he said.
But if a hacker proves talented, joining a company can be lucrative. For example, the Cherokee brothers likely command north of six figures, Dukarski said.
GM declined a request by the Free Press to interview Miller and Valasek. But Massimilla said the two have been great ambassadors for white hat hacking.
“Hiring Chris and Charlie was excellent, not just in their capabilities, but it shows the research community that we are really open and forward looking and focused on the safety of our customers,” Massimilla said. “It gets the word out that cybersecurity is a top priority for the company.”
The need for white hat hackers will only grow, industry leaders said, making it one of the hottest professions.
Carmakers “are always going to be chasing the next best hacker,” said Dukarski. “No matter how good our security is, we’re always one step behind.”
Contact Jamie L. LaReau: 313-222-2149 or firstname.lastname@example.org