Automakers hire hackers to search for bugs that might be exploited
October 01, 2018 01:00 AM

Sleeping with the enemy

Automakers hire hackers to search for bugs that might be exploited

Edward Niedermeyer

    Jasmin Landry, or JR0ch17, has an unusual hobby. In his spare time, he is a hacker.

    "For me, it's mostly about the challenge of finding bugs," he says. "It's like a puzzle. It's just fun. I love it."

    Landry, 26, has broken into servers belonging to a major automaker where he found sensitive data concerning factory operations.

    But unlike the stereotypes of ill-intentioned hackers that haunt boardrooms and popular culture, Landry isn't a criminal. He only hacks into systems that have invited him to try to break in, through programs called "bug bounties."

    As cybersecurity becomes an ever-more pressing concern for automakers, the auto industry is embracing bug bounty programs such as the ones that Landry uses to earn extra money. The automakers invite hackers to test certain systems, and offer cash incentives if the hackers find holes. By opening their systems to so-called "white hat hackers," automakers and suppliers harness the power of a community of security experts like Landry in the hunt for bugs that might otherwise be exploited by bad actors.

    Landry has a day job as a certified cybersecurity professional. He works on bounty programs for five to 10 hours a week and makes $50,000 to $60,000 per year doing it. Other researchers who dedicate more time make far more, he says.

    Though the thought of engaging with hackers can be off-putting to automakers and suppliers, bug bounties are increasingly becoming standard even for companies with large cybersecurity teams. That shift has required automotive software developers to reach across a significant cultural divide.

    "There are people who have a 'breaker mindset' and there are people who have a 'builder mindset,' " said Casey Ellis, chief technical officer of Bugcrowd, a firm that manages bug bounty programs for automakers such as Ford, Tesla and Fiat Chrysler. "The hackers we work with are wired to want to tear things apart, see how they work and put them back together in new ways."

    This can be disconcerting to the engineers who built these systems.

    "If you work on building products, the first question you'll have is 'Why are these people trying to destroy my stuff?' " Ellis said. "Bug bounties are about creating a security feedback loop between people with different mindsets that ultimately results in a smarter team that builds better products."

    Don't resist

    This divide is not unique to the auto industry. The concept of bug bounties came out of the antipathy between the rebellious hacker culture and the software giant Microsoft in the 1990s, says Warren Ahner, an early member of Ford's automotive cybersecurity team and now CEO of the simulation company RightHook. "Microsoft learned the hard way that resisting and antagonizing hackers only resulted in more hacking," he said. "They didn't start offering bug bounties because they wanted to; they did it because treating all hackers like enemies simply made the problem worse."

    Ellis says that the auto industry finally woke up to the need to engage the hacker community about three years ago, when security researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee through its connected infotainment system. Their hack, which triggered a wave of media attention, showed that a malicious actor could remotely access vehicle controls and put a vehicle and its occupants into extreme danger.

    "We were already starting to speak with automotive vendors," Ellis says, but the Valasek-Miller hack made the conversations suddenly a lot more relevant. "It also showed that there was this wealth of talent that could actually help make their products more secure."

    Miller and Valasek's hack demonstrated that working with security researchers wasn't always easy. The two researchers communicated with FCA for nearly nine months in advance and helped the automaker develop a patch for the vulnerability they found within five days of their disclosure, but FCA initially didn't believe how widespread the vulnerability was and resisted Valasek and Miller's public release of vehicle code at the Black Hat hacker convention.

    Miller and Valasek eventually released parts of the code in a white paper and Black Hat presentation, explaining that they did so to allow peer review of their work and to hold automakers accountable.

    "If consumers don't realize this is an issue, they should, and they should start complaining to carmakers," Miller told Wired at the time. "This might be the kind of software bug most likely to kill someone."

    There were also less altruistic motivations at play: Hackers' egos.

    "I'm not going to brag," Miller told IEEE Spectrum magazine. "But we made the stock go down."

    This desire for attention and peer respect is a real motivation for hackers, says Ahner.

    "Even as security research becomes professionalized, there's this braggadocio that carries over from traditional hacker culture," he says. "It's just part of the hacker DNA."

    But, says Ellis, the cultural divide that made early relationships between automakers and security researchers so fraught is becoming less of an issue as the two sides work together. "The community in general is getting more comfortable with the fact that hackers aren't necessarily evil people who want to hurt you," he says.

    Locksmiths

    Ellis likens white-hat hackers to locksmiths. "If you think about it, a locksmith would be a pretty effective burglar, but they are good people who don't want to cause harm," he says. "The people we work with are the digital equivalent of that, but it's still kind of a new concept so people are still kind of freaked out by it."

    Landry says another factor motivates bug bounty hunters: helping secure products they use themselves.

    "If I use Facebook, as an example, I want my data to be safe so I might hack them to make sure their product is secure," Landry says. "Same thing for cars, or anything else. It feels good to know you are helping make a product safer."

    Platforms such as Bugcrowd make it easier to pitch in, he says, while ensuring that researchers like him don't get sued by the companies they are trying to help.

    Building bridges

    FCA works with Bugcrowd to bridge the gap between "builders" and "breakers" and generally manage its relationship with the security research community. Ellis says his firm can help make sure that "safe harbors are in place so that hackers who are acting in good faith can help without any kind of legal threat," as well as standardizing language to facilitate clear communication. "Even if automakers aren't ready to start a full-on bug bounty program, there are steps they can take to encourage good-faith research by the hacker community."

    By opening up to ethical security research, and particularly by offering bounties, Ellis says, automakers can create a mutually beneficial dynamic.

    "Not everyone wants to be a drug dealer," he says, quoting the famed security researcher Dan Kaminsky. "When you think about it, everyone could be. People make a lot of money doing it, but not everyone wants to do it. People want to be able to have a career and operate within their own moral code. What I love about bounties is that we're giving people who traditionally only had a dark path to go down an opportunity at an interesting, exciting and legitimate career."

    Automotive News
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.