Last year, security experts managed to hack into a Jeep Cherokee and remotely drive it into a ditch.
“Help Wanted. Hackers.” That’s the message sent out by Fiat Chrysler Automobiles today as it searches for help enhancing the cybersecurity of its vehicles.
The announcement comes shortly after police in Texas began investigating a series of stolen Jeeps that may have involved the use of laptop computers to start the vehicles’ computerized ignition systems. And it’s been just a year since a pair of security specialists showed how they could remotely take control of another Jeep, sending it into a ditch.
Cybersecurity, in general, has become one of the auto industry’s biggest concerns, experts worried that hackers will not only be able to break into vehicles – physically or remotely – but also access drivers’ personal data. So, manufacturers are turning to so-called “white hat” hackers for help.
“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, FCA’s senior manager of security architecture. “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers.”
"Lots of people like to tinker," and could uncover problems, said FCA's Titus Melnyk.
(Texas car theft ring may be run by hackers. Click Here for the story.)
In keeping with the nature of the hacker community, Fiat Chrysler has turned to Bugcrowd, a San Francisco-based tech firm that relies, it says, “on a crowdsourced community of security researchers” to help probe for vulnerabilities in the software used by its corporate clients. In all, about 32,000 of those freelance “white hat” hackers regularly assist Bugcrowd.
Under the program announced today by FCA, it will pay a “bug bounty” of anywhere from $150 to $1,500 for reporting a vulnerability.
“Automotive cybersafety is real, critical, and here to stay,” said Casey Ellis, CEO and founder of Bugcrowd. “Car manufacturers have the opportunity to engage the community of hackers that is already at the table and ready to help, and FCA US is the first full-line automaker to optimize that relationship through its paid bounty program.”
Today’s automobile is rapidly becoming a computer on wheels, with more microprocessing power than can be found in a typical home or office. It’s not uncommon for a modern vehicle to use more than 100 million lines of code to control everything from the engine management system to the onboard infotainment technology. By comparison, there are about 8 million lines of code on the latest F-35 fighter jet.
Until recently, hackers tended to focus on desktop and laptop computers and, more recently, smartphones and tablets. But there are growing indications the “black hat” world of what’s known as the “dark Internet” is shifting attention to automotive targets. So far, most of the reported incidents have been the result of security experts uncovering vehicle vulnerabilities. That has led to recalls by a number of manufacturers including FCA and BMW, with Nissan shutting down a smartphone app used to control the Leaf battery-car because of potential problems.
Bugcrowd can tap into a network of 32,000 white hat hackers, said CEO Casey Ellis.
(Hacked Mitsubishi spotlights cybersecurity concerns. Click Here for the story.)
But the Texas thefts have escalated the level of concern about cyber threats. And the situation is only getting worse, said Roger Ordman, a marketing manager with Harman International, the multinational electronics firm that recently acquired TowerSec, an Israeli firm considered a leader in vehicle electronic security.
In the past, a hacker would have needed direct, physical access to a vehicle. But manufacturers are now adding numerous wireless paths. Chevrolet, Audi and several other brands now offer onboard 4G LTE WiFi hotspots, for example. Tesla has added a wireless system to its Models S and X battery-cars so it can automatically upload software updates, much like a smartphone or desktop computer. Even the federally mandated remote tire pressure monitoring system can give hackers an access point.
The security issue could become even more significant going forward for several reasons. First, a number of other manufacturers plan to follow Tesla and begin using over-the-air, or OTA, updates to fix software problems and add new features and functions. Then there’s the push to semi- and fully autonomous vehicles which could double or even triple the amount of software used in a vehicle.
Bugcrowd’s Ellis said his company is already working with Tesla and other carmakers he wouldn’t name.
General Motors, meanwhile, has its own internal team of experts while also working with Hackerone, another San Francisco security firm.
Fiat Chrysler says it will share what it discovers with other automakers, the industry being pressed by regulators at the National Highway Traffic Safety Administration to put aside competitive issues in the effort to enhance cybersecurity.
(FBI warns motor vehicles increasingly vulnerable to hacking. For more, Click Here.)