Automakers Hire Hackers to Probe for Vulnerabilities in Onboard Systems

As connected cars become more sophisticated, collect more data and are more responsible for passenger and pedestrian safety, it’s natural to wonder if this makes vehicles more vulnerable to hackers. Technology systems have been hacked and weaponized before, and most vehicles haven’t traditionally been designed with data security in mind. (Disabling the ability to turn back the odometer was about the sum of it.) Smart automakers, however, are beginning to understand that they don’t want to be the first car company to have to report a system hack that kills or injures someone, or puts a driver in danger.

Electric vehicle company Tesla has gone further than most automakers. The company is now participating in an annual hacking contest called Pwn2Own, a component of the CanSecWest show that invites hackers to try to breach all manner of computer and network systems. In Tesla’s first Pwn2Own event, it offered $900,000 worth of prizes to hackers who could successfully break into the onboard systems of a Tesla Model 3. The largest single prize, $250,000, was reserved for anyone who was able to break in and execute code on the car’s gateway, autopilot, or VCSEC. The gateway connects the car’s powertrain, chassis, and other components, and transfers data between them. While no one took the big prize, one group of hackers was able to access the Model 3’s web browser, execute code on its firmware and display a message on the infotainment system. Tesla has since released a software update to eliminate the vulnerability.

Tesla’s not the only automaker to hire hackers to probe weak spots in connected cars. Last year, GM announced it was assembling a team of experts – some of them “white hat” hackers – to hunt for bugs in GM vehicles’ computer systems that could be exploited.

“We’ll show them the products, programs and systems for which we plan to establish these bug bounties,” said GM’s President Dan Ammann at the time of the announcement. “Then we’ll put them in a comfortable environment, ply them with pizza and Red Bull or whatever they might need … and turn them loose.”

Many automakers are now offering what they call “bug bounties” in which in-house cybersecurity experts open the vehicles’ systems to groups of operatives and freelancers that include not only “white hat” hackers, but somewhat more nefarious characters, as well.

Casey Ellis, chief technical officer of Bugcrowd, a “bug bounty” firm, told Automotive News that in-house automaker employees can sometimes find the process disconcerting, though they understand the necessity of it.

“There are people who have a ‘breaker mindset’ and there are people who have a ‘builder mindset,’” he said. “If you work on building products, the first question you’ll have is ‘Why are these people trying to destroy my stuff?’ Bug bounties are about creating a security feedback loop between people with different mindsets that ultimately results in a smarter team that builds better products.”

In the meantime, there is a steady stream of news revealing that most connected car systems aren’t as secure as they could be, and this could ultimately turn buyers off from purchasing vehicles that are too automated. A recent study conducted by the Ponemon Institute, entitled “Securing the Connected Car: A Study of Automotive Industry Cybersecurity Practices,” found that software security is not keeping up with the connected car features the auto industry is selling. Sixty-three percent of respondents from the connected car industry reported that they test less than half of their hardware, software and other technologies for vulnerabilities, and only 10 percent reported having an established cybersecurity team.