
Automakers are paying hackers… to hack their own cars to identify vulnerabilities in consumer and business data protection. But do they pay enough? – Photo: The Sun
Despite the tech hype, building a “smartphone on wheels” isn’t easy. Even in 2023, as software becomes more and more important in cars, cars still suffer from the same vulnerabilities as computers or phones.
The tech industry runs reward programs, known as bug bounties, in which white hat hackers uncover cybersecurity vulnerabilities.
Such programs have also appeared in the automotive industry. But car manufacturers still seem hesitant to offer rewards.
Car companies ignore network security?
According to Automotive News, the auto industry paid out a total of only $483,809 in bounties last year. This is the lowest of the eight sectors that cybersecurity firm HackerOne tracks. During the same period, Internet companies paid $13.1 million, carriers paid $4.7 million and government agencies $703,084.
According to HackerOne’s report, the average bug bounty in the auto industry pays a little more than $2,000. Stellantis, in partnership with cybersecurity firm Bugcrowd, pays $150-7,500 for each discovered vulnerability. The average payout was $737.5 over the past three months.

The amount of reward for the white hat hacker who finds a network flaw in the car is quite modest – Photo: Wired
In the technology sector, by contrast, white hat hackers earn about $5,000 to $40,000 per vulnerability, according to SecurityWeek. Spokesperson Ed Fernandez said Google paid a record $605,000 for a vulnerability in 2022. Spokeswoman Jennifer Foss said that since 2017, Intel has paid $4.1 million through its bug-hunting program.
Late last year, Eaton Zveare, a hobbyist, breached Toyota’s web portal, gaining access to approximately 14,000 email accounts, confidential documents, projects, suppliers, feedback and much other information. He reported it to Toyota and the vulnerability was quickly patched.
Despite the quick fix, Toyota was accused of being quite “stingy” about paying. Zveare is disappointed that there was no bounty: “Given the amount of money they make every year, I think they should allocate a large portion to security issues.”
The more modern the car, the more “electrical damage”?
As things stand, cars are not very resistant to intrusions. This is a dangerous problem because software, which controls many of the most important tasks, is becoming as major a part of cars as hardware.

Low rewards for hackers can lead to vulnerable cars – Photo: SecurityWeek
Mohammed Ismail, dean of the Department of Electrical and Computer Engineering at Wayne State University in Detroit, US, admits the auto industry lags behind other sectors in cybersecurity. He told Automotive News: “This is a typical situation that happens with new technology. When Wi-Fi and Bluetooth were born 25 years ago, it took years for those technologies to mature.”
Ismail estimates the auto industry needs about five more years of research and development to produce millions of vehicles equipped with very secure software.
Another world behind the scenes
However, also according to Automotive News, it is difficult to “measure” how concerned car manufacturers are about security issues.
Some automakers are open to disclosure, but most manufacturers are not interested in talking about bug hunting or cybersecurity. Ford, Jaguar Land Rover, Nissan, Stellantis, Subaru, BMW, Porsche and Volkswagen all declined to be interviewed regarding the matter. Honda says it does not have a bug-hunting program.
And Katja Liesenfeld, communications director at Mercedes-Benz Cars & Vans, said: “Paying hackers to play with their own products has proven to be an effective way to enhance security. We can’t be more specific because it’s a confidential matter.”

Car manufacturers seem to care more about security holes than they show – Illustration: Lexus
Meanwhile, Kevin Tierney, director of cybersecurity at General Motors and vice president of the Automotive Information Sharing and Analysis Center (Auto-ISAC), asserts that, behind the scenes, most manufacturers have been proactive on network security issues. They often share industry information with each other.
“People are actually pouring out huge sums of money,” Tierney said. “The end consumer doesn’t always know what’s going on.”

According to Automotive News, General Motors launched a bug-hunting program in 2016, run by San Francisco-based cybersecurity company HackerOne. This is also the company that runs programs for BMW, Ford, Rivian and Toyota – Photo: The Star
One consolation is that, despite the “small” expenses, HackerOne’s auto business grew 400 percent in 2022 from a year earlier.