Auto industry turns to 'bug bounties' to find security holes
March 21, 2016 01:00 AM

    Cybersecurity researchers Charlie Miller, left, and Chris Valasek helped Jeep identify security weaknesses in its software.

    "Bug bounty" programs, which reward hackers for responsibly identifying and helping correct automotive software weaknesses, may be on their way at the top automakers, much as they have already been adopted in other industries.

    General Motors has had an internal "Collaborative Disclosures" program running since January to interact with software researchers, or "white hat" hackers, and could soon expand the program to offer financial rewards or incentives for finding vulnerabilities before they create problems.

    Tesla Motors Inc., the California-based electric car maker headed by CEO Elon Musk, has sponsored a bug bounty program since last June offering rewards of $100 to $10,000 per error or software flaw. That program has issued 106 awards as of March, according to Tesla's website.

    Ford Motor Co. and Fiat Chrysler Automobiles have yet to announce any internal collaboration with hackers, but both companies are part of a new automotive Information Sharing and Analysis Center, a collaborative industry program to share intelligence on software attacks and bolster cybersecurity, which also launched in January.

    Ford spokesman Alan Hall said the automaker "routinely monitors the security environment" and is reviewing possible strategies like a software bug disclosure program in the future, to mitigate threats. FCA spokesman Michael Palese said the automaker would not discuss its future plans for software disclosures.

    But industry experts told Crain's Detroit Business, an affiliate of Automotive News, that other automakers are likely to follow GM and Tesla, with new cybersecurity initiatives of their own.

    Automotive security executives and others are expected to attend the third annual Automotive Cyber Security Summit this week at the Baronette Renaissance Detroit-Novi Hotel, hosted by New York-based Penton Learning Systems LLC or International Quality & Productivity Center.

    GM program

    Jeff Massimilla, chief product cybersecurity officer at GM, who sits on the board of directors at the new ISAC, said earlier this month that the internal GM program has primarily been vetting and talking with researchers about sharing findings on auto vulnerabilities since it launched at the start of the year.

    A rewards program is likely to follow, but he declined to estimate when that might be.

    "I don't think it is ready for that yet, because right now we're in a 'crawl' program phase. That would be more of a 'run' phase -- to have a bug bounty, or be sponsoring a participatory and reward program for researchers," he said.

    But Scott McCormick, president of the Connected Vehicle Trade Association, said he expects bug bounties and open collaboration with white hat hackers to become a standard industry practice.

    Saving millions

    If FCA had already had a bug bounty or collaborative program in place when researchers hacked a Jeep Cherokee using Uconnect software in its entertainment system last summer, it likely could have saved millions in software fixes, he said.

    Tesla's program was pretty restrictive on researchers, and GM will probably work in a similar way, McCormick said. "There are often ground rules like the research can't harm GM or its customers, you can't risk the safety of others, and researchers have to keep private the details of their findings until an automaker has a period of time to review and confirm it. I'm expecting the other companies will model that," he added.

    Barbara Ciaramitaro, professor of information technology and cybersecurity and director of the newly formed Decision Science program at Walsh College, said administrators at the school have been meeting with Ford and other local automakers in recent months about possible ways to collaborate on training new professionals in cybersecurity. But those talks are still preliminary.

    The college added a new cybersecurity concentration within its master of science in information technology degree program, also in January.

    "The automotive engineer community has to interact with the hacker and software engineer community to understand the whole mindset that goes into cyber attacks, and building your program to withstand attacks. There are cultural differences between" the software and auto industries, she said.

    "It's a learning process for everyone, and even though there's progress this is still going to take a couple more years."

    Talent competition

    Even when automakers do understand the world of hackers and cyber threats, they are often competing for the top software talent with Silicon Valley firms and other industries, so collaborating with specialists outside the industry might be more convenient than building and training a workforce to tackle the challenges of cybersecurity, she said.

    The new ISAC for auto cyber defense is one of about two dozen such centers nationwide, some industry-specific and others that cross industries but focus on specific infrastructure or threats that various businesses have in common, as part of the National Council of ISACs.

    President Barack Obama three years ago signed new executive orders to direct the U.S. Department of Homeland Security to encourage and cooperate with ISACs to address cyber threats affecting critical infrastructure.

    Experts expect automotive cyber defense to be a priority focus for at least the next year or two. Ciaramitaro and McCormick both said connected vehicles can have as much as 100 million lines of code across their various systems -- more than some airplanes -- and if even one in 4,000 lines contains a code error or vulnerability, that could be 25,000 points of potential access.

    Legislation and executive orders to facilitate ISACs or information exchange can be vital for automakers and suppliers, who might otherwise run afoul of federal antitrust laws on collusion or conspiracy by sharing too much, said Claudia Rast, an attorney at Detroit law firm Butzel Long. She also said ground rules can be important in working with white hats.

    She said: "In a sense, working with one is not too dissimilar from hiring an external consultant or an expert, they would all be an outside party, and there are a couple of entrance legal issues to settle like confidentiality, and the aspect of whether there's an existing agreement in procurement for the service."

    Automotive News
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.