Fiat Chrysler Automobiles will begin to reward hackers who expose deficiencies in its car’s software, the company announced Wednesday.
Using Bugcrowd, a platform that connects researchers to firms looking to eliminate technical defects, FCA will award hackers up to $1,500 for reporting vulnerabilities in its so-called “bug bounty” program.
“This is really the next level of automotive cyber safety,” Bugcrowd chief executive Casey Ellis said in an interview, when he also called the move “historic” because of Chrysler’s worldwide scale.
The move comes almost a year after security researchers Chris Valasek and Charlie Miller remotely hacked into a 2014 Jeep Grand Cherokee, a vehicle made by Fiat Chrysler, from their keyboards while the vehicle was being driven 70 mph on the highway. Their hack turned the steering wheel, briefly disabled the brakes and shut down the engine.
Now, security advocates are pushing automakers to make their cars digitally safer.
FCA is the third carmaker to use a bug bounty program. Tesla began a program in 2015. The company will pay security researchers up to $10,000 for finding software flaws, and has doled out at least 135 rewards so far, according to Bugcrowd.
In January, General Motors launched a security disclosure program that offers researchers a way to tell the company about problems in its software. The program doesn't pay out bounties, although in an interview with The Washington Post last year, chief product cybersecurity officer Jeffrey Massimilla suggested some sort of reward system was being considered.
“No organization in the world has an excuse not to do bug bounties at this point,” said Jordan Wiens, founder of software research firm Vector 35. He won 1.25 million frequent flyer miles from United Airlines last year after exposing flaws in a bug bounty program. There are “very few car companies that realize how much trouble they’re in.”
Auto manufacturers in recent years have been racing to dub themselves software companies as the industry looks toward creating interconnected and autonomous vehicles, and as such have been programming modern cars with hundreds of millions of lines of code.
That software controls everything in a vehicle from the radio and climate control consoles, to the power steering system and tire pressure gauges. As drivers steer their cars, for example, they’re not physically turning the wheels, but instead instructing a computer to turn the wheels for them.
And researchers have shown themselves capable of compromising the security of that software and wresting control of the car from an active driver.
“A failure in any part of the system can potentially get you unfettered access to any other part of the system,” said Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council think tank and founder of security advocacy website iamthecavalry.org.
The modern car is basically a two-ton rolling computer, Ellis said, and is subject to the same vulnerabilities of a bad guy trying to reach through his keyboard and steal information for an individual or a business.
Bug bounty programs incentivize “white hat” hackers, the good guys, to expose weaknesses before anyone else can get to them. That way, companies can fix the problems before they’re exploited.
“A lot of the hackers we have on the platform, they like thinking like a criminal, but they don’t necessarily want to be one,” Ellis said.
And in cars, problems can be big, easy to spot and dangerous if not addressed. GM received more than 100 defect reports in the first 48 hours of its bug bounty program, according to industry insiders.
Corman created a five-star safety rating, similar to widely accepted crash test ratings, for software safety to give carmakers a baseline for safety standards.
“Where the rubber meets the road in this area is that you have companies that have been making vehicles for 100 years wake up one day and they’re software companies and they don’t yet have the habits and culture to do it safely,” he said. “It’s encouraging to see another auto company see they are a software company and start taking that seriously.”
Andrea Peterson contributed to this report.