Chrysler Puts the Gas on Connected Car Security with Bug Bounties

Chrysler Puts the Gas on Connected Car Security with Bug Bounties

As the hacking of connected cars continues to roll on, so to speak, automotive giant Fiat-Chrysler is hitting the gas on cybersecurity.

The car-maker is launching a bug-bounty program with Bugcrowd, with the goal of paying up to $1,500 per bug, depending on impact and severity.

“There are a lot of people that like to tinker with their vehicles or tinker with IT systems,” said Titus Melnyk, senior manager of security architecture, Fiat-Chrysler US (FCA US). “We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix it before it becomes an issue for our consumers.”

The FCA US bug bounty program leverages Bugcrowd’s crowdsourced community of cybersecurity researchers to promote a public channel for responsible disclosure of potential vulnerabilities. FCA US will use the program to identify product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cybersecurity community.

“Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer,” added Melnyk. “Rather, we want to reward security researchers for the time and effort, which ultimately benefits us all.”

A reported vulnerability could earn a bug bounty of $150 to $1,500 – based upon the nature criticality of the vulnerability identified, and the scope of impacted users.

“Automotive cybersafety is real, critical, and here to stay. Car manufacturers have the opportunity to engage the community of hackers that is already at the table and ready to help, and FCA US is the first full-line automaker to optimize that relationship through its paid bounty program,” said Casey Ellis, CEO and founder of Bugcrowd.  “The consumer is starting to understand that these days the car is basically a two-ton computer. FCA US customers are the real winners of this bounty program; they're receiving an even safer and more secure product both now and into the future.”

Depending on the nature of the findings the company learns through the Bugcrowd program, FCA US may make researchers’ findings public.

Chrysler Jeeps were famously the subject of not one but two recalls last year. One hack sparked a recall of 1.4 million cars: Security researchers Charlie Miller and Chris Valasek were able to exploit—with an unsuspecting journalist driving 70 mph on the freeway. In time for last month’s Black Hat conference, they showed that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering. The vehicles covered by the first recall include the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs.

A month later, Chrysler has ordered a second recall of its vehicles, to once again address unauthorized access thanks to a radio flaw. That recall updated software in about 7,810 of its new 2015 Jeep Renegade cars, which featured 6.5-inch touchscreens.

“The safety and security of our consumers and their vehicles is our highest priority,” said Sandra Hosler, cybersecurity system specialist, FCA US. “Building on a culture of safety, FCA US has developed a cross-functional team comprised of engineering, safety, regulatory affairs, and connected vehicle specialists who are dedicated to collaboration and engagement with a wide range of industry professionals to build security into our vehicles and products by design.”

Photo © Boykov/ 

Source: Information Security Magazine