Fiat Chrysler's U.S. operations sets precedent with bug bounty program for connected cars
The American subsidiary of Fiat Chrysler will now reward security researchers up to $1,500 for finding vulnerabilities in its connected car technologies.
FCA US LLC, the American subsidiary of Fiat Chrysler Automobiles, launched its own bug bounty program at 12:01 a.m. this morning, making it the first full-line vehicle manufacturer to offer financial rewards to security researchers for finding vulnerabilities in connected cars and related technologies.
According to a press release, FCA US will pay between $150 and $1,500 to anyone who discovers a zero-day vulnerability in its connected vehicle systems, its Uconnect infotainment and vehicle connectivity system, and the related Uconnect website and phone apps for Android and iOS. The size of the reward will be commensurate with the criticality of the identified vulnerability and the scope of an exploit's potential impact.
In August 2015, three U.S. Jeep owners filed a class-action lawsuit against FCA and Uconnect manufacturer Harman International over a security flaw in Uconnect that the plaintiffs claimed makes vehicles vulnerable to malicious computer hacks.
“Doing research in vehicles isn't easy. It requires a special knowledge and special tools,” said Titus Melnyk, senior manager, security architecture at FCA US, in a sound bite posted on YouTube. “If someone takes the time to experiment and find something and then discloses it to us in a responsible way, we want to have a reward for that.”
Auburn Hills, Mich.-based FCA US is not responding to individual media requests at this time. Its parent company is the seventh-largest automaker in the world.
Samy Kamkar, a security researcher who in 2015 was credited for discovering an exploitable vulnerability in GM's OnStar RemoteLink mobile application, told SCMagazine.com in an interview that “It's great to see more automobile manufacturers adding paid bounty programs to compensate security researchers who are finding and helping squash some pretty scary issues found in some vehicles.”
The bug bounty program operates via an online reporting platform provided by San Francisco-based crowdsourced security testing service Bugcrowd, which already has a similar arrangement with Tesla. As of 4:30 p.m. ET, there were already four reported bugs rewarded.
In an interview with SCMagazine,com, Bugcrowd CEO Casey Ellis called the arrangement with FCA US “historic and very exciting,” noting that car manufacturers are becoming more vigilant in light of recent demonstrations of car hackings by security researchers, including the hijacking of a Jeep using the aforementioned Uconnect vulnerability.
The fear, Ellis added, is that hackers can gain access to susceptible car electronics systems or head units in order to laterally move into the car's operational components, including braking and steering systems. “The weakest link can provide a stronghold that allows you to pivot around and get to an end goal” that may otherwise not be directly accessible, he added.
Melnyk said that because of the bug bounty program, FCA's customers will ultimately “find their products are going to be more stable, more secure,” and that their car systems are “going to act the way that they expect the vehicle to act.”