Hacking Jeeps is about to get a lot more competitive. That’s because Jeep maker Fiat Chrysler Automobiles has launched a bug bounty program in conjunction with Bugcrowd that will pay out as much as $1,500 per bug.
Fiat Chrysler, the world’s No. 7 automaker, claims it will be the first Detroit automaker to introduce a bug bounty program. Last year, Fiat Chrysler was thrust unwittingly into the hacker limelight when researchers Chris Valasek and Charlie Miller remotely hacked a Jeep and took control of the vehicle, research that led to a recall of 1.4 million Fiat Chrysler automobiles.
Bugcrowd, the facilitator of the bug bounty program, says bounties will range from $150 to $1,500. Fiat Chrysler joins automaker Tesla, which launched a bug bounty program in February, also in partnership with Bugcrowd.
Casey Ellis, CEO and founder of Bugcrowd, told Threatpost that the focus of the bounty program will be on the car maker’s Uconnect connected car feature, including the iOS and Android apps associated with the system. Bounty hunters will be asked to focus on elements of the Uconnect platform including Adobe Air, DoS attacks against the FCA infrastructure, cross-site request forgery on non-authenticated pages, and certificate strength issues.
“The attack surface for FCA starts out extremely large. And for that reason we needed to start somewhere that made sense for Chrysler. The Uconnect is our first area of focus and where we see the hacker community helping FCA the most initially,” Ellis said. Uconnect was the point of weakness that gave Valasek and Miller the ability to gain control of a Jeep Cherokee.
The move comes as more scrutiny is placed on automated, connected and computerized features within cars. In March, the FBI, in conjunction with the National Highway Traffic Safety Administration, issued a warning regarding car hacking, stating that it is becoming an increasingly serious threat to connected vehicles.
In February, researcher Troy Hunt was able to remotely hack a Nissan Leaf by exploiting insecure APIs used by the smartphone app that controlled the car. Last month, security researcher Ken Munro of Pen Test Partners discovered a vulnerability in the Mitsubishi Outlander Plug-in Hybrid Electric Vehicle that allowed him to disable the anti-theft system, manipulate the car’s climate control system, and turn the headlights on and off.
“We have seen FCA signups spike and are already receiving submissions,” Ellis said. “The backdrop of all of this is that the products and services that we use day-to-day are becoming more connected. What that represents is a growing attack surface for the bad guy. We simply do not have enough people to help the companies building these products to protect themselves. Bounty programs like FCA are becoming table stakes for companies across the board. This is partly because these programs work, and partly because we are screwed if we don’t take advantage of them,” he said.
Fiat Chrysler is facing some criticism within security research circles for perceived low bounty payouts. In comparison, Tesla announced it will pay bounties as high as $10,000. Researchers have taken to Twitter to voice their criticism, arguing that services such as Instagram and Uber, where bugs are not life-threatening, run bounty programs that pay out $10,000 per bug. Still, others are applauding Fiat Chrysler for launching a bug bounty program.
https://twitter.com/DEYCrypt/status/753259054370349056
The researcher responses to this bug bounty are awful. They're not there to pay your salary, it's a thank you. https://t.co/LCWPMcUR4e
— Dan Guido (@dguido) July 13, 2016
Ellis said that $1,500 is not the hard payment ceiling on what FCA is willing to payout. But he argues the bug bounties are appropriate given the maturity of the program. “When you start a bounty program you need to make sure it’s sustainable on day one,” Ellis said. The first wave of any bug bounty program typically includes the easiest low hanging fruit when it comes to rooting out bugs. “As we move along with this program I’m sure Fiat Chrysler will be willing to spend more than $1,500 on a vulnerability,” Ellis said.
“There are a lot of bounty programs that start out with large and flashy numbers. But what you quickly realize is that it’s a lot easier to increase rewards than it is to shrink them,” Ellis said. “We need a sustainable bounty program and to control budgets so we can have this program scale over time,” he said.
Bugcrowd was founded in 2012 and relies on a community of approximately 32,000 researchers who crowdsource vulnerability discovery. Researchers who sign up with Bugcrowd can be invited to participate in public or private bug hunts and are rewarded for their findings.