Fiat Chrysler to pay hackers as auto firms pushed to make cars digitally safer

By Jacob Bogage

Fiat Chrysler Automobiles will award hackers up to $2077 for reporting vulnerabilities in its so-called "bug bounty" program. Photo / Supplied

Fiat Chrysler Automobiles will begin to reward hackers who expose deficiencies in the software of its cars.

Using BugCrowd, a platform that connects researchers to firms looking to eliminate technical defects, Fiat Chrysler Automobiles (FCA) will award hackers up to US$1,500 ($2077) for reporting vulnerabilities in its so-called "bug bounty" program.

"This is really the next level of automotive cyber safety," said Casey Ellis, BugCrowd's chief executive, who also called the move "historic" because of Chrysler's worldwide scale.

The move comes almost a year after security researchers Chris Valasek and Charlie Miller remotely hacked into a 2014 Jeep Grand Cherokee, a vehicle made by Fiat Chrysler, from their keyboards while the vehicle was being driven 113 km/h on the highway. Their hack turned the steering wheel, briefly disabled the brakes and shut down the engine.

Now, security advocates are pushing automakers to make their cars digitally safer.

FCA is the third car maker to use a bug bounty program. Tesla began a program in 2015. The company will pay security researchers up to US$10,000 for finding software flaws, and has doled out at least 135 rewards so far, according to BugCrowd.

In January, General Motors launched a security disclosure program that offers researchers a way to tell the company about problems in its software. The program doesn't pay out bounties, although chief product cybersecurity officer Jeffrey Massimilla last year suggested some sort of reward system was being considered.

"No organisation in the world has an excuse not to do bug bounties at this point," said Jordan Wiens, founder of software research firm Vector 35. He won 1.25 million frequent flyer miles from United Airlines last year after exposing flaws in a bug bounty program. There are "very few car companies that realise how much trouble they're in."

Auto manufacturers in recent years have been racing to dub themselves software companies as the industry looks toward creating interconnected and autonomous vehicles, and as such have been programming modern cars with hundreds of millions of lines of code.

That software controls everything in a vehicle, from the radio and climate control consoles to the power steering system and tyre pressure gauges. As drivers steer their cars, for example, they're not physically turning the wheels but instructing a computer to turn the wheels for them.

And researchers have shown themselves capable of compromising the security of that software and wresting control of the car from an active driver.

"A failure in any part of the system can potentially get you unfettered access to any other part of the system," said Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council think tank and founder of security advocacy website iamthecavalry.org.

Tesla pays security researchers up to US$10,000 for finding software flaws, and has doled out at least 135 rewards so far, according to BugCrowd. Photo / AP

The modern car is basically a two-tonne rolling computer, Ellis said, and is subject to the same vulnerabilities as any other computer: a bad guy trying to reach through his keyboard and steal information from an individual or a business.

Bug bounty programs incentivise "white hat" hackers - the good guys - to expose weaknesses before anyone else can get to them. That way, companies can fix the problems before they're exploited.

"A lot of the hackers we have on the platform, they like thinking like a criminal, but they don't necessarily want to be one," Ellis said.

And in cars, problems can be big, easy to spot and dangerous if not addressed. GM received more than 100 defect reports in the first 48 hours of its bug bounty program, according to industry insiders.

Corman created a five-star safety rating, similar to widely accepted crash test ratings, for software safety to give car makers a baseline for safety standards.

"Where the rubber meets the road in this area is that you have companies that have been making vehicles for 100 years wake up one day and they're software companies and they don't yet have the habits and culture to do it safely," he said. "It's encouraging to see another auto company see they are a software company and start taking that seriously."

- Washington Post

© Copyright 2017, NZME. Publishing Limited