As automotive cybersecurity has become an increasingly heated concern, security researchers and auto giants have been locked in an uneasy standoff. Now one Detroit mega-carmaker has taken a first baby step toward cooperating with friendly car hackers, asking for their help in identifying and fixing its vehicles’ security bugs.
Earlier this week, General Motors quietly launched a vulnerability submission program that allows security researchers to submit information about hackable vulnerabilities in GM automobiles and rest assured that—as long as they follow a few guidelines—they’ll be thanked rather than hit with a lawsuit. In partnership with HackerOne, a security startup devoted to helping companies coordinate security vulnerability disclosure with independent researchers, GM has created a portal welcoming bug reports from benign hackers, which was first spotted by Ars Technica. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” the page on HackerOne’s website reads. “We value the positive impact of your work and thank you in advance for your contribution.”
The first step in any vulnerability-handling program is to open the front door. Katie Moussouris
Promising not to sue a helpful hacker may seem like the least a company can offer when it’s given a free security audit. Unlike big tech companies such as Google and Facebook, GM won’t yet pay any monetary rewards for those reports, so called “bug bounties.” But even welcoming outside security research on GM vehicles puts the auto giant a step ahead of other major carmakers. “We’re thrilled that a major automotive manufacturer is stepping up to the plate in terms of providing a way for hackers to get in touch with them if they find a security vulnerability,” says Katie Moussouris, HackerOne’s chief policy officer. “The first step in any vulnerability-handling program is to open the front door.”
According to its terms, GM promises not to sue researchers who submit security-flaw reports as long as they’ve followed a few rules in their car hacking, such as not endangering GM customers, violating their privacy or breaking any law. The last of those may remain a sticking point, as the Digital Millenium Copyright Act has legally prevented hackers from reverse engineering even vehicles they own. But the DMCA’s ban on car hacking will lift later this year due to a ruling last year from the Library of Congress—no thanks to GM, which lobbied against the change. GM didn’t immediately respond to WIRED’s request for comment on its new vulnerability disclosure policy.
GM’s vulnerability disclosure rules also require hackers not to publicly disclose any flaw they report until GM fixes it. That non-disclosure clause could be another sticking point that prevents hackers from submitting. After all, as WIRED reported in September, GM took nearly five years to fully fix a vulnerability that allowed hackers to gain extensive access to its cars through a flaw in its OnStar system, including the ability to engage or disable vehicles’ brakes. GM received reports of that egregious security problem from researchers at the University of California at San Diego and the University of Washington in the spring of 2010, and yet failed to fully fix the problem until the company rolled out an over-the-air update starting in late 2014 through the first months of 2015.
GM has since committed to doing better. When hacker Samy Kamkar alerted the company to a flaw in its OnStar smartphone app that allowed vehicles to be geolocated, unlocked and remotely started, it fixed the problem in just days. “The auto industry as a whole, like many other industries, is focused on applying the appropriate emphasis on cybersecurity,” GM’s chief product cybersecurity officer Jeff Massimilla wrote to WIRED in September. “Five years ago, the organization was not structured optimally to fully address the concern. Today, that’s no longer the case.”
The issue of car hacking gained new urgency for both the security community and automakers over the past summer, starting with the revelation from hackers Charlie Miller and Chris Valasek that they’d found a vulnerability in 2014 Jeep Cherokees that allowed them to be remotely compromised for stunts like disabling transmissions and disabling brakes at low speeds. Chrysler responded with an official recall for 1.4 million vehicles.
With that kind of high-profile hack on their radar, HackerOne’s Katie Moussouris says GM is far from the only automaker considering a move to improve relations with the hacker community. “All of them are thinking about it,” she says. “Those who hadn’t will be thinking about it now.”
Moussouris says carmakers have been hesitant to invite bug disclosures for fear that the invitation would lead to more hacking of their vehicles without the ability to patch the reported flaws—a complicated process in an industry with a supply chain as long and tangled as Detroit’s. GM’s move, she says, shows that the auto industry is getting beyond those hurdles, and taking the threat of car hacking seriously. “It’s a great step for the auto industry in general,” she says. “Even giant corporations have to adapt—especially considering that they’re basically selling computers on wheels.”