As “connected cars” become more popular with car makers and buyers alike, and with more recent reports of cars being hacked, even wirelessly, car companies need to focus just as much on digital security as they do on other buyer-facing features. Fiat Chrysler is the first major auto maker to create a bug bounty program to encourage security researchers to find vulnerabilities in its cars and fix them before attackers have a chance to act.
Higher Risk With Internet Connectivity
Last year, a couple of security researchers managed to remotely hack a Chrysler Jeep while the car was speeding on the highway. The researchers said they could have toyed with anything from the wipers to the air conditioning unit to disabling the accelerator, and could even have hijacked the steering if the car was in reverse. This could all be done wirelessly through the car’s internet connection.
Left unfixed, issues of this sort could put people’s lives at risk once more malicious hackers learn how to take advantage of the software weaknesses in connected car systems.
Until recently, car makers haven’t had to worry too much about software security in their cars, mainly because not many cars had an internet connection. Even when they were so equipped, the connection was usually enabled only for specific features such as navigation. As more cars become connected and offer features that allow the owner to control the car over the internet, those same capabilities could more easily expose the cars to hacking.
Chrysler’s Bug Bounty Program
Chrysler had to recall 1.4 million vehicles to fix the flaw the researchers exposed, which made it quite a costly mistake. Now the U.S. branch of Chrysler (FCA US) wants to stay ahead of issues of this sort by creating a bug bounty program that encourages security researchers to discover them early.
Tesla was the first to offer a bug bounty program among car makers, but Chrysler is now the first large car maker to offer one. The company will offer up to $1,500 per bug, depending on the severity of the issue. (Considering the stakes involved, that amount seems quite low.)
It’s not clear whether Chrysler expects researchers to find a large number of bugs, or whether the company is just testing the waters to see how researchers respond before increasing the amount. In comparison, Tesla gives up to $10,000 for the more severe bugs. Both companies use the Bugcrowd bug bounty crowdsourcing platform.
“FCA US believes that the program is one of the best ways to address the cybersecurity challenges created by the convergence of technology and the automotive industry,” said Titus Melnyk, senior manager - security architecture, FCA US LLC. “The Bugcrowd program gives FCA US the ability to: identify potential product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cybersecurity community,” added Melnyk.
Chrysler seems to reserve the right to make only some of the bug reports public, based on the severity of the bug and its impact on drivers.
Sometimes it takes a major hacking disaster for companies to become more serious about the security of their software, and Chrysler seems to have learned its lesson the easy way. It’s now up to other car makers to realize that as they move towards making electric vehicles (that are mostly controlled by software) and self-driving cars, software security needs to play a much bigger role than it has so far in their companies. Unlike with most other software-based products, digital security in cars is directly tied to the safety of the drivers and passengers of those cars, and in some cases it could mean the difference between life and death.
Now send me my $250,000 consulting fee.
But I will NOT drive/ride a heavily connected car for at least 10-15 years, depending on how these issues evolve.
The other option would be to physically disconnect the wifi antenna cable to be 100% certain you are safe :P
Anyways, I prefer complete control of my vehicle. Keep the internet out of ma ECM!
I don't think manufacturers will separate the drive-train from the technology packages for a simple reason. Remote start. Customers are getting accustomed to turning on their car and setting their temperature controls from their phone before they even get close to their vehicle.
It is possible to secure this with only local area type connections like Bluetooth/Wi-Fi, or by disconnecting these technology features when the vehicle is in gear.