Chrysler Launches Detroit’s First ‘Bug Bounty’ for Hackers
When a pair of hackers exposed security flaws a year ago in a Jeep Cherokee, Fiat Chrysler could have responded by trying to keep other hackers away from its products with intimidation or lawsuits. The demo led to a 1.4-million-vehicle recall, after all. But instead, the company is trying a smarter approach: offering to pay for hacks.
On Wednesday the Italian-owned Detroit automaker announced that it will pay “bounties” of as much as $1,500 to security researchers who alert the company to hackable flaws in its software. That makes the company the first major carmaker to officially shell out dollars in exchange for security vulnerability information, a sign of Detroit’s growing awareness of the looming threat of digital attacks on vehicles. “It’s a very big move,” says Casey Ellis, the CEO of Bugcrowd, the firm running Fiat Chrysler’s bug bounty program. “This is basically creating normalcy around the dialogue between hackers and vehicle manufacturers for the purposes of making vehicles safer.”
Though it may be the first of Detroit’s “Big Three” companies to launch a bug bounty program, Fiat Chrysler isn’t actually the first carmaker to offer those hacker rewards. Tesla already runs a bounty program through Bugcrowd and has paid as much as $10,000 to hackers who reported flaws, like two researchers who presented vulnerabilities in a Model S at Defcon last year. GM launched its own “vulnerability disclosure program” in January, but offered hackers no payments, only an official channel to report bugs without facing a lawsuit.
Fiat Chrysler’s page on Bugcrowd’s site strangely lists the targets of the bug bounty program as its Uconnect infotainment system apps and Eco-Drive driving efficiency apps, not explicitly including the vehicles themselves. But Bugcrowd’s Ellis confirms that even attacks that directly target vehicles, rather than that software, are eligible for rewards. He says that would include the sort of attack developed by hackers Charlie Miller and Chris Valasek, who were able to compromise a Jeep Cherokee over the Internet to disable its transmission and control its steering and brakes. (Even without a bug bounty, Miller and Valasek warned Chrysler about their work months in advance of publicizing it last year. But the company only released a quiet software update, and was later pressured by the National Highway and Traffic Safety Administration to block the attack on the cars’ cellular network and alert customers with an official recall.)
But Fiat Chrysler’s focus seems targeted at rooting out the more common sort of vulnerability revealed by security researcher Samy Kamkar just a few weeks after last year’s Jeep attack. Kamkar built a device that could take advantage of authentication flaws in Fiat Chrysler’s Uconnect iPhone and Android apps, as well as similar apps from BMW, Mercedes Benz and GM, to intercept signals sent from a phone to a nearby car. Using stolen credentials from that interception, he showed he could locate vehicles over the Internet, unlock them and even start their engines.
Fiat Chrysler’s $1,500 maximum payout hardly matches the rewards offered by tech companies for hacker exploits—Google has paid as much as $150,000 for information about vulnerabilities in its Chrome browser, for instance.
But even a limited bounty program represents progress for the auto industry, as it wakes up to the threat of hackers playing havoc with its increasingly Internet-connected vehicles. And it also shows how the notion of bug bounties is slowly being adopted outside of Silicon Valley. Even the Department of Defense launched its own bug bounty pilot program in March. If an organization as stodgy as the Pentagon can bolster its security by rewarding friendly hackers, so can the companies selling multi-ton, potentially vulnerable computers on wheels.
Bugcrowd’s Ellis says he’s in conversations with “several” more carmakers who are considering their own bug bounty programs—discussions that he says were largely catalyzed by last year’s Jeep hack and recall. “That was the ‘oh shit’ moment in the market,” he says. “The conversation since then has been how do we get as much smarts, intelligence, and creativity to help in addressing this issue as we possibly can. Crowdsourced vulnerability discovery is the most effective way right now.”