Chrysler/Fiat Pays Bounty to find Connected Car Software Flaws/Bugs

fiatbutAfter being the first company to be remotely hacked while on the road, last July, Fiat Chrysler Automobiles is taking a a proactive approach offering public bug bounty program. Through the Bugcrowd platform FCA will pay through Bugcrowd rewards for criticial flaws found in software.

FCA claims that they US first full-line automaker to offer “bug bounty” financial reward for discovery of potential vehicle cybersecurity vulnerabilities. White hat hackers and researchers can be paid up from $150 to $1500 per bug depending upon the impact and severtity.

All developers have to do is go to bugcrowd website sign up and look for vulnerabilities. In a video about the program Casey Ellis from Bugcrowd notes that FCA is ahead of the crowd.

This program is focused on the FCA’s connected vehicles, including the systems within them; the external services and applications that interact with them.

Before doing any testing that requires a Uconnect account, developers should create a test account that ends in @bugcrowdninja.com so that Bugcrowd knows the activities are part of the Bug Bounty Program.

The software programs targeted are

  • Uconnect iOS
  • Uconnect Android
  • ecoDrive Android.
  • ecoDrive iPhone.
  • ecoDrive iPad.

So far four bugs have been rewarded and as of midnight 46 developers joined the bounty program.

FCA US may make research findings public, based upon the nature of the potential vulnerability identified and the scope of impacted users, if any. Last year, FCA US contacted customers about a potential vulnerability associated with certain radios; provided the software update and permanently closed remote access to the open port on the radio, eliminating the risk of any long-range remote hacking – all before issuing a recall.

“The safety and security of our consumers and their vehicles is our highest priority,” said Sandra Hosler, cybersecurity system responsible, FCA US LLC. “Building on a culture of safety, FCA US has developed a cross-functional team comprised of engineering, safety, regulatory affairs, and connected vehicle specialists who are dedicated to collaboration and engagement with a wide range of industry professionals to build security into our vehicles and products by design.”

The FCA US bug bounty program (https://bugcrowd.com/fca)crowd sources software testing to address the cybersecurity challenges. The Bugcrowd program will help find potential product security vulnerabilities; implement fixes; improve the safety and security and foster a spirit of transparency and cooperation within the cybersecurity community.