FCA and Automakers Turn to Hackers for Help


Here on ShopTalk we talk a lot about the latest advancements in automotive technology. One of the biggest developments in recent years has been the on-board computers that now come standard on some vehicles. Unfortunately, this has led to new vulnerabilities. Worst of all, it also means new problems and bugs that are in great need of fixing. It seems that automakers, chief among them FCA (Fiat Chrysler Automobiles), have sought to take care of both issues simultaneously. Their method is actually quite unorthodox:

The automaker is putting out a bounty of up to $1,500 to hackers who find bugs in its software and can fix them.

Fiat Chrysler Automobiles is offering public cash rewards to anyone with the courage and know-how to find vulnerabilities and security bugs in its new vehicle software. This latest development comes a mere year after two hackers showed the world that anyone could remotely take control of a Jeep Cherokee. Now FCA is more than willing to pay you to hack its cars and hopefully find solutions, but only as long as you tell the company how you did it, rather than simply proving that you did the work. In a concentrated effort to enhance its cyber-security and prevent future incidents like the infamous Jeep Cherokee hack last year, FCA announced it is working with Bugcrowd to find vulnerabilities in its vehicle software.


What is Bugcrowd?

Bugcrowd is what is known as a crowd-sourced application security testing company. Bugcrowd calls its users "independent security researchers", and they specialize in finding exploits or vulnerabilities in systems. After doing so for FCA vehicles, they submit the information to Bugcrowd, and a final report is then sent to FCA. The goal of these "white hat hackers", a term for people who use hacking for positive purposes rather than nefarious ones, is to help FCA update its systems and close any possible security holes.

The hackers are to be paid between $150 and $1,500 for each legitimate security flaw through the bug bounty program managed by Bugcrowd. Bugcrowd itself is backed by several well-known venture capital and private equity firms, and it raised a total of $15 million in a Series B funding round in April.

What is FCA primarily worried about?

FCA wants hackers to focus specifically on its UConnect website and the company's iOS and Android apps. As of this write-up there are no bounties for anything outside the scope of those three targets. Bugcrowd has publicly gone on record to say that it will not take any legal action against anyone who submits an exploit.

FCA isn’t alone in this.

Beyond FCA, Tesla has begun its own bug bounty program, also run by Bugcrowd, which pays up to $10,000 to hackers who find credible vulnerabilities. Meanwhile, General Motors (GM) quietly launched a program in January 2016 to help connect the company with white hat hackers. Hackers who find security bugs or vulnerabilities will be able to report them to GM through a secure website portal hosted by Bugcrowd's competitor, HackerOne, a venture-backed security startup based in San Francisco that was originally part of Facebook. As of its launch, GM was not yet paying hackers, which could change.

Screenshot taken from FCAGroup.com

Today there are millions of so-called connected cars on the roads, no longer relegated to auto shows. That leaves a massive cyber-security hole if hackers find weaknesses and choose to exploit them. We hope these recent developments are a good step toward closing it.
