Sleeping with the enemy

Jasmin Landry, or JR0ch17, has an unusual hobby. In his spare time, he is a hacker.

"For me, it's mostly about the challenge of finding bugs," he says. "It's like a puzzle. It's just fun. I love it."

Landry, 26, has broken into servers belonging to a major automaker where he found sensitive data concerning factory operations.

But unlike the stereotypes of ill-intentioned hackers that haunt boardrooms and popular culture, Landry isn't a criminal. He only hacks into systems that have invited him to try to break in, through programs called "bug bounties."

As cybersecurity becomes an ever-more pressing concern for automakers, the auto industry is embracing bug bounty programs such as the ones that Landry uses to earn extra money. The automakers invite hackers to test certain systems, and offer cash incentives if the hackers find holes. By opening their systems to so-called "white hat hackers" automakers and suppliers harness the power of a community of security experts like Landry in the hunt for bugs that might otherwise be exploited by bad actors.

Landry has a day job as a certified cybersecurity professional and works on bounty programs for five to 10 hours a week and makes $50,0000 to $60,000 per year doing it. Other researchers who dedicate more time make far more, he says.

Though the thought of engaging with hackers can be off-putting to automakers and suppliers, bug bounties are increasingly becoming standard even for companies with large cybersecurity teams. That shift has required automotive software developers to reach across a significant cultural divide.

"There are people who have a 'breaker mindset' and there are people who have a 'builder mindset,' " said Casey Ellis, chief technical officer of Bugcrowd, a firm that manages bug bounty programs for automakers such as Ford, Tesla and Fiat Chrysler. "The hackers we work with are wired to want to tear things apart, see how they work and put them back together in new ways."

This can be disconcerting to the engineers who built these systems.

"If you work on building products, the first question you'll have is 'Why are these people trying to destroy my stuff?' " Ellis said. "Bug bounties are about creating a security feedback loop between people with different mindsets that ultimately results in a smarter team that builds better products."

This divide is not unique to the auto industry. The concept of bug bounties came out of the antipathy between the rebellious hacker culture and the software giant Microsoft in the 1990s, says Warren Ahner, an early member of Ford's automotive cybersecurity team and now CEO of the simulation company RightHook. "Microsoft learned the hard way that resisting and antagonizing hackers only resulted in more hacking," he said. "They didn't start offering bug bounties because they wanted to; they did it because treating all hackers like enemies simply made the problem worse."

Ellis says that the auto industry finally woke up to the need to engage the hacker community about three years ago, when security researchers Charlie Miller and Chris Valasek hacked a Jeep Cherokee through its connected infotainment system. Their hack, which triggered a wave of media attention, showed that a malicious actor could remotely access vehicle controls and put a vehicle and its occupants into extreme danger.

"We were already starting to speak with automotive vendors," Ellis says, but the Valasek-Miller hack make the conversations suddenly a lot more relevant. "It also showed that there was this wealth of talent that could actually help make their products more secure."

Miller and Valasek's hack demonstrated that working with security researchers wasn't always easy. The two researchers communicated with FCA for nearly nine months in advance and helped the automaker develop a patch for the vulnerability they found within five days of their disclosure, but FCA initially didn't believe how widespread the vulnerability was and resisted Valasek and Miller's public release of vehicle code at the Black Hat hacker convention.

Miller and Valasek eventually released parts of the code in a white paper and Black Hat presentation, explaining that they did so to allow peer review of their work and to hold automakers accountable.

"If consumers don't realize this is an issue, they should, and they should start complaining to carmakers," Miller told Wired at the time. "This might be the kind of software bug most likely to kill someone."

There were also less altruistic motivations at play: Hackers' egos.

"I'm not going to brag," Miller told IEEE Spectrum magazine. "But we made the stock go down."

This desire for attention and peer respect is a real motivation for hackers, says Ahner.

"Even as security research becomes professionalized, there's this braggadocio that carries over from traditional hacker culture," he says. "It's just part of the hacker DNA."

But, says Ellis, the cultural divide that made early relationships between automakers and security researchers so fraught is becoming less of an issue as the two sides work together. "The community in general is getting more comfortable with the fact that hackers aren't necessarily evil people who want to hurt you," he says.

Ellis likens white-hat hackers to locksmiths. "If you think about it, a locksmith would be a pretty effective burglar, but they are good people who don't want to cause harm," he says. "The people we work with are the digital equivalent of that, but it's still kind of a new concept so people are still kind of freaked out by it."

Landry says another factor motivates bug bounty hunters: helping secure products they use themselves.

"If I use Facebook, as an example, I want my data to be safe so I might hack them to make sure their product is secure," Landry says. "Same thing for cars, or anything else. It feels good to know you are helping make a product safer."

Platforms such as Bugcrowd make it easier to pitch in, he says, while ensuring that researchers like him don't get sued by the companies they are trying to help.

FCA works with Bugcrowd to bridge the gap between "builders" and "breakers" and generally manage its relationship with the security research community. Ellis says his firm can help make sure that "safe harbors are in place so that hackers who are acting in good faith can help without any kind of legal threat," as well as standardizing language to facilitate clear communication. "Even if automakers aren't ready to start a full-on bug bounty program, there are steps they can take to encourage good-faith research by the hacker community."

By opening up to ethical security research, and particularly by offering bounties, Ellis says, automakers can create a mutually beneficial dynamic.

"Not everyone wants to be a drug dealer," he says, quoting the famed security researcher Dan Kaminsky. "When you think about it, everyone could be. People make a lot of money doing it, but not everyone wants to do it. People want to be able to have a career and operate within their own moral code. What I love about bounties is that we're giving people who traditionally only had a dark path to go down an opportunity at an interesting, exciting and legitimate career."