FCA offering hackers cash to identify security risks

Michael Wayland
The Detroit News

Fiat Chrysler Automobiles NV is the latest automaker to turn to hackers and other software experts outside the company to identify potential security issues in its vehicles and software systems.

The automaker on Wednesday will begin offering bounties of up to $1,500 for such information through a new partnership with Bugcrowd Inc., a crowdsourced security testing company with about 32,000 users who attempt to identify critical software vulnerabilities for companies.

“It’s critical that the response happens quickly,” said Titus Melnyk, FCA US senior manager of security architecture. “If we get any information from this program that’s valuable for us in protecting the vehicle, then it’s paid for itself, in my opinion.”

The program is focused on systems and services, including mobile apps, for Fiat Chrysler’s 3G-connected vehicles beginning with model-year 2013.

Vehicle cyber security is an issue automakers worldwide are working to address, covering everything from keeping driver data and personal information secure to securing the vehicles themselves.

The “bug bounty” program comes a year after the most publicized, though controlled, hack of a vehicle: security researchers Chris Valasek and Charlie Miller remotely took control of a 2014 Jeep Cherokee.

Melnyk declined to say directly how much that event, which Wired magazine detailed last July after months of research and testing, played into the new partnership.

Fiat Chrysler joins Tesla Motors Inc. as the only automakers to publicly run programs with the company at www.Bugcrowd.com, where users can report a security bug for cash. FCA US is offering $150 to $1,500 depending on the bug reported. That is far less than the maximum of $10,000 offered by the California electric vehicle manufacturer.

“By going with a financial reward, I think it’s going to encourage people to look for these vulnerabilities,” said Melnyk, adding that the automaker may raise the rewards depending on how the program grows after launch and what is found.

Bugcrowd manages all reward payouts, which are scaled by the severity of the product security vulnerability identified and the number of users affected.

The future for hackers and car companies

Hackers have long worked with the software industry, providing it with information about threats and potential hacking methods.

Casey Ellis, Bugcrowd CEO and founder, said Fiat Chrysler and Tesla have “fairly similar” bounty programs, aside from the size and scope of the companies. He expects more automakers to begin offering similar programs.

“I do see a time in the not-so-distant future where it will be a minimum duty of care,” Ellis said. “Hopefully at that point it will be something that’s actually differentiated for the consumer.”

General Motors Co. earlier this year partnered with HackerOne Inc. for crowdsourced security testing, but the company does not offer cash incentives. To date, according to the HackerOne website, the company has “resolved” more than 200 reports from users.

“It’s working very well,” said GM spokeswoman Rebecca White. “We’re very happy with where we are in the program.”

White said GM could “definitely” be open to offering cash incentives in addition to recognizing users — but not at this point in the program.

The GM-HackerOne partnership came after a hacker was able to remotely unlock a Chevrolet Volt’s doors and start the engine. The incident prompted GM to make fixes in its popular OnStar RemoteLink system and smartphone app and increase its cyber security workforce.

Ford Motor Co. spokesman Alan Hall said the automaker doesn’t offer bounties, but does work with the so-called “white-hat” community. He did not rule out future rewards.

Recent FCA thefts ‘not a new vulnerability’

Melnyk said Fiat Chrysler’s partnership with Bugcrowd is not connected to reports of thieves using laptops to steal vehicles — particularly Jeep Wranglers — in Texas.

The company believes those thieves are not hacking into the vehicle. Instead, they are using a computer and a key-programming tool, together with the PINs dealers use, to program a blank key fob and drive the vehicles away.

“We’re working with law enforcement on how they may be getting their hands on those PINs, but there’s no hacking involved,” Melnyk said. “This is like a locksmith that is breaking the rules. It’s not a new vulnerability.”

Bill Mazzara, FCA US hardware cyber security strategist, said while “it’s not really a hack and not really the scope” of the partnership with Bugcrowd, the company wouldn’t “want to limit people in what they report to Bugcrowd.”

The deal also is separate from the Auto-ISAC (Automotive Information Sharing and Analysis Center), which is composed of several automakers and aims to develop best practices for cyber security.

Mazzara said information from the partnership could be shared with the Auto-ISAC.

“This is a public-facing program,” he said. “Anyone is allowed to sign up and agree to our arrangement and provide us information. We then would decide if this is information the Auto-ISAC may or may not be interested in.”