Squashing Car Bugs: What Chrysler’s new bounty program means for vulnerabilities research

Blog Post
July 18, 2016

Automotive companies have always been at the forefront of incorporating cutting-edge technology into their cars. From steering to brakes to music players, cars have used rudimentary computers for decades. While the newest cars have music streaming programs embedded in the steering wheel and GPS that talks to you when you turn on the car, they also run on dozens of complex microprocessors to monitor engine temperature, engage antilock brakes, and control an automatic transmission. But these companies are facing the same challenge as other computer-dependent industries - any product with a computer in it is hackable.

Last Wednesday, Fiat Chrysler, one of Detroit’s “big three” car companies, announced that it will pay “bounties” of as much as $1,500 to security researchers who alert the company to hackable flaws in its software. Companies ranging from Microsoft to Uber have introduced formalized bounty programs that they use to attract researchers who find flaws in their soft- and hardware, and then pay out cash bonuses to incentivize disclosure of those vulnerabilities. Called “Vulnerability Rewards Programs,” or the more catchy “Bug Bounty Programs,” some of these schemes pay out hundreds of thousands of dollars to experts outside of the formal information security market.

Chrysler’s announcement is different in that, aside from Tesla (the small Silicon Valley electric car company that has always been an outlier on issues of policy), it is the first automotive company to offer cash to hackers. Early companies that flocked toward the bounty model included technology giants like Google and Microsoft, in an attempt to secure their consumer and corporate products. Even now, most of the companies that offer bounties are trying to fix something that runs on your laptop or phone - not in the car you drive to work. However, in 2015, security researchers Charlie Miller and Chris Valasek shocked the industry by cutting the engine of a Jeep Cherokee, on the highway, from 10 miles away. This was no longer a display of technical prowess, but a demonstration of how car hacking is a dangerous reality facing the automotive industry.

Although the Jeep hack was dramatic, interference by malicious actors isn’t the only thing that car makers have to worry about. Most payouts through bounty programs are for the discovery of simple glitches in software that could cause it to malfunction on its own. In the past few months there have been three examples of computer automation being a factor in road accidents - all three involving Tesla’s Autopilot feature. This partially self-driving system steers, accelerates and brakes Tesla vehicles automatically on lane-marked highways - except in these cases, the cars didn’t stop. Although it is unclear whether a researcher could have caught a potential flaw in Autopilot, between this and the Jeep hack (Jeep is a subsidiary of Fiat Chrysler) it is pretty clear that Chrysler may be part of a trend of companies looking for new and innovative ways to address safety concerns with the computers that control their products.

Technically, General Motors introduced the first bounty program from a traditional automotive company back in January. However, there are two important features of a bug bounty program, one of which GM failed to deliver - actually paying experts for their findings. General Motors committed not to pursue legal claims against researchers who report flaws using its specified framework, which addresses a common concern of security experts and their advocates. Research into software vulnerabilities is often hampered by a fear of lawsuits or even criminal charges for those who practice it. But other than not getting sued, GM isn’t providing any sort of incentive for researchers to help it. It’s a bounty program without a bounty. The $1,500 offered by Chrysler is on the low end of bounties for flaws in complex systems, with some security researchers, including Charlie Miller, noting that this type of testing is quite expensive. However, in comparison to its competitors, Chrysler is at least recognizing that the hard work of these experts is worth rewarding.

Malfunctioning software in automobiles, whether maliciously hacked or simply improperly operating, puts the lives of many people at risk: in the car, on the highway, or in residential neighborhoods. Car makers that create these vulnerability reward programs are adding an additional layer of safety research and recognizing that these experts are a valuable asset as their industry becomes ever more dependent on technology. Hopefully Chrysler’s new bug bounty program represents a trend toward safer and more secure vehicles for everyone, created by inviting the best and the brightest to the table and asking for their help.