Auto industry risks security breaches by underpaying white hat hackers

Automakers are so worried about vehicle and software security gaps that they are paying hackers to uncover vulnerabilities.

These bug bounty programs reward friendly digital invaders, known as white hat hackers, who look for breaches and notify automakers and suppliers of the problems — although the auto industry pays them considerably less for their efforts than some other sectors do.

Cybersecurity has become a major issue for the industry as cars increasingly rely on software, sensors and computers for operation, infotainment, automated driving and safety systems. Moreover, automakers are loading connectivity and subscription features that add to the digital vulnerabilities.
The number of publicly reported auto cyberattacks jumped 239 percent in 2022 compared with 2018, according to Israeli cybersecurity firm Upstream.

Automakers want to find problems before hostile hackers uncover vulnerabilities they can exploit, which could allow them to gain access to a driver's personal information or even control a car for ransom.

Last year, white hat hackers notified automakers of security gaps in customer files, back-end operations or both in BMW, Ferrari, Ford, Jaguar Land Rover, Mercedes-Benz, Porsche and Toyota systems and models. They also discovered flaws in SiriusXM's telematics service that created breaches in Honda, Hyundai and Nissan vehicles.

Even more consumer data will be exposed in the coming years as automakers expand software-enabled services, said Andrea Amico, founder and CEO of Privacy4Cars, a company that helps dealerships clear personal data from vehicles. Hostile hackers will want that information, he said.

The auto industry lags others in cybersecurity, said Mohammed Ismail, chair of the Electrical and Computer Engineering Department at Wayne State University in Detroit.

"With any new technology, this is a very typical situation," he said. "When Wi-Fi and Bluetooth started 25 years ago, it took years for those technologies to be seamless and mature."

Ismail estimates the auto industry needs about five more years of R&D to produce millions of predominantly software-based vehicles that are very secure.

Friendly hackers will help the industry get there.

"Using a bug bounty platform has proven to be an effective way to bring on board the knowledge and expertise of the security community," Katja Liesenfeld, Mercedes-Benz Cars & Vans' manager for IT communications, said in an email. "We cannot give more details on any technical details as the programs are private."

Automakers are reluctant to talk about their reward programs and cybersecurity issues. Ford, Jaguar Land Rover, Nissan, Stellantis and Subaru declined to discuss their cybersecurity programs with Automotive News. BMW, Porsche and Volkswagen did not respond to queries. Honda said it doesn't have a bug bounty program.

Nonetheless, most of the auto industry is proactive about cybersecurity issues, said Kevin Tierney, General Motors' chief cybersecurity officer and vice chair of the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. The group of automakers shares information about potential cyberthreats, vulnerabilities and incidents.

"Everyone's making big moves and big investments," Tierney said. "It's not always obvious to the end consumer with everything that's happening."

GM started its bug bounty program in 2016. It is administered by HackerOne, of San Francisco, which also runs programs for BMW, Ford, Rivian and Toyota.

HackerOne's automotive business jumped 400 percent from 2021 to 2022 as clients added services to their contracts. In addition to bug bounty management, HackerOne provides vulnerability disclosure programs, penetration testing of online systems and other services.

The auto industry paid out $483,809 in bug bounties last year, the least of the eight sectors HackerOne tracks. The average auto bug bounty paid out a little over $2,000, according to HackerOne's 2022 Hacker-Powered Security Report. The Internet sector paid out $13.1 million last year. Telecoms gave friendly hackers $4.7 million. Government entities rewarded them with $703,084.
Stellantis, which uses Bugcrowd, another San Francisco cybersecurity management company, pays $150 to $7,500 per vulnerability discovered, with an average payout of $737.50 over the past three months. Yet hackers at a February conference in Miami exploring industrial cyber vulnerabilities earned $5,000 to $40,000 per breach, news site SecurityWeek reported.

Bounties paid out by Google in 2022 included a record $605,000, company spokesman Ed Fernandez said in an email. Since 2017, Intel has paid $4.1 million through its bug bounty program, said Jennifer Foss, a company spokeswoman.

Some friendly hackers want to see the auto industry step up payment.

Late last year, Eaton Zveare, a hacking hobbyist in Sarasota, Fla., breached Toyota's global supplier management web portal, gaining read-and-write access to 14,000 corporate email accounts, associated confidential documents, projects, supplier rankings, comments and other information. He informed Toyota, and the breach was quickly closed.

Zveare said he appreciated Toyota's prompt response and recognition but was dismayed by the lack of monetary compensation.

"Given how much profit they make per year, I think they should definitely allocate some to the security teams that they can use to reward researchers," Zveare said.

Automakers need to offer ample rewards if they want the help of security researchers looking for flaws, said Roger Grimes, cybersecurity consultant at KnowBe4, a Clearwater, Fla., cybersecurity consultancy and training company.

"Not paying smart people to help you find and eradicate your bugs is just foolish," Grimes said.

White hat hackers may get discouraged and turn their efforts to industries that have higher rewards. Or worse, they could sell their skills to nefarious actors targeting the auto sector, he said.

Grimes said he expected hacking to be a "forever" problem for automakers, forcing them to ensure safety and theft prevention systems are as secure as possible.

"Vehicles are a critical component of daily life, and if security isn't built in from the ground up and tested, then tested, and tested once more, the consequences could be catastrophic," Kayla Underkoffler, HackerOne's lead security technologist, said in an email. "For something as critical as our personal safety, we need the best minds working on solutions."