Automakers should work with hackers
US and foreign automakers have two primary options for obtaining data and insight into securing the digital systems of their vehicles: their own employees, and third parties outside the manufacturer. Staff members within the organization are entrenched in the business and aware of the architecture and how it is supposed to work. Because of that familiarity and comfort with their own system, they may lack the curiosity and mental focus on different aspects of the vehicle needed to analyze the areas most susceptible to cyber breaches of its digital systems.
The alternative is to work with third-party persons focused on reviewing insecure communications and locating weak points in the architecture. These persons use various call signs (handles) for themselves or may use their actual names; business entities have tended to use their corporate names. This group analyzes the areas of the vehicle and its communications to look for weaknesses and oversights. Because of their lack of familiarity and their professional distance, they tend to probe more and look at different areas. This contractual relationship is known as a bug bounty program.
This is not a new procedure for the auto manufacturers. GM has been working with hackers to improve its vehicles, including the vehicle’s firewall (Nagesh, 2016). This workflow includes, but is not limited to, a “coordinated disclosure” program. This specific bug bounty program was engineered to analyze potential cybersecurity gaps in individual GM vehicles, the GM website, and GM software. Under the GM bug bounty program, GM does not offer cash rewards, but it does state that it will not pursue legal action. In this arrangement the researcher is allowed to work at breaching the system; if a weakness is found, the person can report it and substantially increase their credibility in the industry in a legal manner, without incurring significant legal or civil liability. The individuals or organizations that conduct these penetration tests are known as ‘white hats’, as opposed to those with malicious intent, who are appropriately known as ‘black hats’.
Tesla Motors Inc. has its own bug bounty program in place. Under that program the company pays researchers to find vulnerabilities. The focus is for each weakness to be noted, researched, and patched well before an attacker exploits it.
As of March 2016, FCA (aka Chrysler) did not have a bug bounty program in place.
Overall, bug bounty programs have worked out well for the vehicle manufacturers that have used them over time. They have directly assisted in securing vehicles and increasing consumer confidence. Researchers may be paid a few thousand or tens of thousands of dollars; however, compared with the overall costs of a breach, that is far less costly than the publication of the breach, the patching or replacement of mechanical parts, the loss of vehicle sales, the loss of public confidence, lawsuits, or, tragically, loss of life due to a hack.
Nagesh, G. (2016, March 11). GM invites hackers to uncover cybersecurity gaps. Retrieved from http://www.nasdaq.com/article/gm-invites-hackers-to-uncover-cybersecurity-gaps-20160311-00216
Charles Parker, II, has been coding since the mid-1980s and has been working in the finance, auto manufacturing, and health industries seeking secure solutions for issues for over 17 years. Charles has an MBA, MSA, JD, and LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.