Fiat Chrysler Launching Bug Bounty Program To Improve Car Cybersecurity

Chrysler Jeep Cherokee

As “connected cars” become more popular with car makers and buyers alike, and with more recent reports of cars being hacked, even wirelessly, car companies need to focus just as much on digital security as they do on other buyer-facing features. Fiat Chrysler is the first major auto maker to create a bug bounty program to encourage security researchers to find vulnerabilities in its cars and fix them before attackers have a chance to act.

Higher Risk With Internet Connectivity

Last year, a couple of security researchers managed to remotely hack a Chrysler Jeep while the car was speeding down the highway. The researchers said they could’ve toyed with anything from the wipers and the air conditioning to disabling the accelerator, and could even hijack the steering wheel if the car was in reverse. All of this could be done wirelessly through the car’s internet connection.

Left unfixed, this sort of issue could put people’s lives at risk once malicious hackers learn how to take advantage of the software weaknesses in connected car systems.

Until recently, car makers haven’t had to worry too much about software security in their cars, mainly because not many cars had an internet connection. Even when they were so equipped, the connection was usually enabled only for specific features such as navigation. As more cars become connected and offer features that let the owner control the car over the internet, those same capabilities could more easily expose the cars to hacking.

Chrysler’s Bug Bounty Program

Chrysler had to recall 1.4 million vehicles to fix the flaw exploited in the Jeep hack, which made it quite a costly mistake. Now the U.S. branch of Chrysler (FCA US) wants to stay ahead of this sort of issue by creating a bug bounty program that encourages security researchers to discover such issues early.

Tesla was the first to offer a bug bounty program among car makers, but Chrysler is now the first large car maker to offer one. The company will offer up to $1,500 per bug, depending on the severity of the issue. (Considering the stakes involved, that amount seems quite low.)

It’s not clear whether Chrysler expects researchers to find a large number of bugs, or whether the company is just testing the waters to see how researchers respond before increasing the amount. In comparison, Tesla gives up to $10,000 for the more severe bugs. Both companies use the Bugcrowd bug bounty crowdsourcing platform.

“FCA US believes that the program is one of the best ways to address the cybersecurity challenges created by the convergence of technology and the automotive industry,” said Titus Melnyk, senior manager - security architecture, FCA US LLC. “The Bugcrowd program gives FCA US the ability to: identify potential product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cybersecurity community,” added Melnyk.

Chrysler seems to reserve the right to make only some of the bug reports public, based on the severity of the bug and its impact on drivers.

Sometimes it takes a major hacking disaster for companies to become more serious about the security of their software, and Chrysler seems to have learned its lesson the easy way. It’s now up to other car makers to realize that as they move towards making electric vehicles (that are mostly controlled by software) and self-driving cars, software security needs to play a much bigger role than it has so far in their companies. Unlike with most other software-based products, digital security in cars is directly tied to the safety of the drivers and passengers of those cars, and in some cases it could mean the difference between life and death.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • maxwellmelon
    In my view, they should undo a lot of the computer control on cars; safer and more reliable.
    Reply
  • targetdrone
    Disconnect the cars from the internet. Cyber security problem solved.

    Now send me my $250,000 consulting fee.
    Reply
  • anbello262
    I completely support connected cars. "Disconnect them" is an incorrect reaction, from my point of view. We should try to connect more and more, as it's clear that's where society and technology are heading.

    But I will NOT drive/ride a heavily connected car for at least 10-15 years, depending on how these issues evolve.
    Reply
  • Nuckles_56
    I feel that a halfway stage is needed: you can have connected cars, but the important controls for the car should be isolated from the connected part, so that the hacker could only take control of things like the radio, rather than everything.
    Reply
  • trifler
    The best solution is to have the entertainment/navigation system with the LCD, etc. have wi-fi access, and have the engine and driving electronics isolated ("air-gapped" in IT lingo).
    Reply
  • chicofehr
    Most of the connected stuff in cars is just gimmick and a distraction making them less safe. Most people use their cell phones for everything making the functions connected cars have redundant. Also connected cars and their GPS will allow governments to spy on you at all times.

    The other option would be to physically disconnect the wifi antenna cable to be 100% certain you are safe :P
    Reply
  • anbello262
    I think that safe connected cars will be a useful step towards mainstream self-driving cars, so I'd rather improve the security than disconnect them. That's just my opinion, though.
    Reply
  • memadmax
    Ugg. This is why I haven't bought any cars newer than 1994... YES 1994... Why? OBDII. OBDII was the beginning of the downhill slippery slope. However, I still have all the gee wiz bang internet connection for all my portable devices via hotspot built into the dash. And I have a touchscreen gauge cluster as well.
    Anyways, I prefer complete control of my vehicle. Keep the internet out of ma ECM!
    Reply
  • memadmax
    Not to mention the older cars are cheaper and more reliable as well, less over-engineered crap to break, if well taken care of, of course...
    Reply
  • falchard
    One of the major advancements in car safety is electronic braking over hydraulic braking. Now instead of a single brake fluid source going from the master cylinder to each brake caliper, there is a separate control per caliper. Although there is a greater risk of failure to 1 brake caliper, failure is not catastrophic as there are still 3 working calipers. Passengers are also a lot more likely today to survive an accident than 10 years ago.
    I don't think manufacturers will separate the drive-train from the technology packages for a simple reason. Remote start. Customers are getting accustomed to turning on their car and setting their temperature controls from their phone before they even get close to their vehicle.
    It is possible to secure this with only local-area connections like Bluetooth/Wi-Fi, or by disconnecting these technology features when the vehicle is in gear.
    Reply