Automakers risk cyberattacks by paying white hat hackers less


The auto industry lags others in cybersecurity, said Mohammed Ismail, chair of the Electrical and Computer Engineering Department at Wayne State University in Detroit.

“With any new technology, this is a very typical situation,” he said. “When Wi-Fi and Bluetooth started 25 years ago, it took years for those technologies to be seamless and mature.”

Ismail estimates the auto industry needs about five more years of R&D to produce millions of predominantly software-based vehicles that are very secure.

Friendly hackers will help the industry get there.

“Using a bug bounty platform has proven to be an effective way to bring on board the knowledge and expertise of the security community,” Katja Liesenfeld, Mercedes-Benz Cars & Vans’ manager for IT communications, said in an email. “We cannot give more details on any technical details as the programs are private.”

Automakers are reluctant to talk about their reward programs and cybersecurity issues. Ford, Jaguar Land Rover, Nissan, Stellantis and Subaru declined to discuss their cybersecurity programs with Automotive News. BMW, Porsche and Volkswagen did not respond to queries. Honda said it doesn’t have a bug bounty program.

Nonetheless, most of the auto industry is proactive about cybersecurity issues, said Kevin Tierney, General Motors’ chief cybersecurity officer and vice chair of the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. The group of automakers shares information about potential cyberthreats, vulnerabilities and incidents.

“Everyone’s making big moves and big investments,” Tierney said. “It’s not always obvious to the end consumer with everything that’s happening.”

GM started its bug bounty program in 2016. It is administered by HackerOne, of San Francisco, which also runs programs for BMW, Ford, Rivian and Toyota.

HackerOne’s automotive business jumped 400 percent from 2021 to 2022 as clients added services to their contracts. In addition to bug bounty management, HackerOne provides vulnerability disclosure programs, penetration testing of online systems and other services.
