- A Fiat Chrysler Jeep was hacked last year by some security experts
- It alarmed other car makers to update security options in their cars
- Car makers are giving out bounties to ethical hackers for nitpicking security flaws
Fiat Chrysler Automobiles NV will offer rewards of as much as $1,500 to ethical hackers who tell the auto maker about data security weaknesses in its vehicles, the company said.
FCA’s move comes a year after independent cyber-security researchers used a wireless connection to turn off a Jeep Cherokee’s engine. The hack, reported in Wired Magazine, alarmed auto makers and regulators, and it led FCA to recall 1.4 million vehicles to prevent the use of a wireless connection to gain control of the vehicle.
FCA officials said Bugcrowd Inc of San Francisco, which manages similar programs for a range of companies including Tesla Motors Inc will manage its “bug bounty” program.
Casey Ellis, Bugcrowd’s chief executive, said in a media briefing that his company has 32,000 researchers that work through its service. Bugcrowd rates researchers based on the quality of their work, he said.
Auto makers have stepped up efforts to address concerns that vehicles equipped with high-speed Internet connections could be vulnerable to cyber intruders and criminals who could seek to harvest personal data through vehicle systems, or perpetrate other mischief such as disabling a car and demanding a ransom to bring it back to life.
In July 2015, several major auto makers formed an Automotive Information Sharing and Analysis Center, or Auto-ISAC, to serve as a clearing house for information about cyber threats. The group said in a statement this week its members now account for 99 percent of light duty vehicles on the road in North America.
Titus Melnyk, FCA senior manager for security architecture, said FCA could share information generated by the Bugcrowd program with other automakers through the Auto-ISAC. “We’ll err on the side of what’s right for the industry,” he said in a briefing for reporters.
General Motors Co has a program managed by San Francisco cyber-security company Hackerone that offers recognition, but not cash, to researchers who identify and share cyber-security gaps with the company. The company has also begun hiring outside cyber-security experts and has a group of employees that test the company’s systems, Jeffrey Massimilla, GM’s chief product cyber-security officer, told Reuters.
Massimilla said GM may offer cash bounties to ethical hackers, but said, “If you put up a small bounty you aren’t going to get good research.”