
Fiat Chrysler launches Detroit’s first bug bounty program for car hackers

It's the first of the big three US auto makers to grab the steering wheel on this whole find-vulnerabilities, steer-a-car-into-a-ditch endeavor.

A year ago, car-security researchers Charlie Miller and Chris Valasek must have driven Fiat Chrysler into fits: they wirelessly took control of a Jeep Cherokee from 10 miles away, including its brakes, accelerator, radio, horn and windshield wipers.

Fiat Chrysler went on to say that 10 of its vehicles were vulnerable to the hack, which had been carried out via a cellular network that leveraged the vehicles’ UConnect entertainment system.

The researchers’ demo led to the recall of a whopping 1.4 million vehicles.

Now, a year later, Fiat has grabbed the steering wheel on this whole find-vulnerabilities, steer-a-car-into-a-ditch endeavor.

It eschewed threats to send its lawyers after Miller and Valasek, though. Rather than burying its head in the sand and hoping security researchers would just go away, the Italian-owned Detroit car maker has now joined the ranks of companies offering bug bounty programs.

On Wednesday, it announced that it would pay out bounties up to $1,500 for hackable software flaws. Here are the details on the program.

Casey Ellis, the CEO of Bugcrowd, which is running Fiat Chrysler’s bug bounty, hailed the program.

Wired quotes him:

It’s a very big move. This is basically creating normalcy around the dialogue between hackers and vehicle manufacturers for the purposes of making vehicles safer.

Fiat Chrysler isn’t the first car company to offer rewards for software vulnerabilities: Tesla got in on the act after security researchers found six vulnerabilities in the Tesla Model S.

Tesla launched a bug bounty program with a max payout of $10,000, but it was restricted to bugs in websites and apps, not onboard systems.

As far as Fiat Chrysler’s bug bounty hit list goes, the public-facing web apps associated with the onboard system that got hacked last year, UConnect, are fair game.

Here’s the full list of allowable targets:

  • Vehicle Head Units, TPMS sensors, remote keyless entry, and any other system that is present in a hardware product that you own or are authorized to test against (vehicle/smartphone app/etc.)
  • UConnect public facing web application
  • *.driveuconnect.com and all regional derivatives
  • UConnect Access Mobile Application for iOS and Android
  • Moparownerconnect.com

Before doing any testing that requires a UConnect account, Fiat Chrysler is requiring researchers to create a test account that ends in @bugcrowdninja.com so that it knows your activities are part of the bug bounty program.

While Fiat Chrysler isn’t the first car maker to offer bug bounties, it’s the first of the big three US automakers to do so, beating competitors General Motors and Ford to put itself at the forefront of companies that are dealing with the looming threat of attacks on increasingly connected vehicles.

As it is, technological advances in car systems have far outstripped the industry’s speed in finding and closing the security holes they usher in.

Last year was the year of hackers taking over newer model cars. But this is the year that we’re supposed to see automotive cybersecurity issues addressed: at least, that’s what the US’s top auto safety regulator pledged in January.

Some progress has indeed been made: for one, auto industry trade groups are now working on best practices for safely introducing new technologies.

There’s also now a way to share information on cyberthreats and cybercrime prevention technologies: created by the Alliance of Automobile Manufacturers and the Global Automakers Association, it’s called the Auto-Information Sharing and Analysis Center (Auto-ISAC).

Also, next week ushers in the inaugural Global Auto Cybersecurity Summit in Detroit, at which you’ll be able to find auto industry bigwigs including Toyota Motor Sales CISO Bently Au and Mary Barra, Chairman and CEO of General Motors Company.

Keep your eye out for more announcements coming out of that show: maybe we’ll see rollouts of more bug bounty programs or other security announcements to keep our rides from getting hijacked.

Image of Chrysler HQ courtesy of Shutterstock.com

2 Comments

What sort of time delay do Fiat Chrysler want before they will allow security researchers in this program to go public with their findings? 90 days? 6 months? Many years?

The reason I ask is because I read about a similar bug bounty program from a lesser-known car manufacturer, who wanted security researchers in the program to keep any bugs they found secret for 5 years. Their reasoning was that older cars don’t have a remote update system, and in some cases bugs can only be fixed by replacing an ECU with a new one, requiring an expensive visit to a dealer, so the manufacturer was not actually planning to fix any security bugs in the majority of cars already sold. They only wanted the bug reports to fix the software that would go into new cars.

While I understand the reasoning, I think it creates a considerable tension and might make overall security worse, as researchers are now motivated to find a bug, but cannot gain any kudos from doing so, and as they are kept secret and unfixed for so long, they could still sell the bug to some bad guys long after they have found it.
