Bug bounty programs, also known as vulnerability reward programs (VRPs), exist to help websites, organizations and software developers identify security vulnerabilities and potential exploits. White hat hackers receive recognition and compensation for reporting bugs, and in return the threats to companies and consumers are reduced. As connected vehicles become more prevalent, and black hat hackers take advantage of every vulnerability they can to access and sell private data, steal vehicles and disrupt services, should fleet vehicle operators and leasing companies factor in whether their vehicle manufacturer has a bug bounty program?
Security researchers in 2019 found that the Teletrac Navman, Global Telemetrics and LoJack smart tracker app APIs had authorization vulnerabilities, allowing a hacker or thief to take over the account, track individual cars in real time, suppress theft alerts, and extract personal data. If a vehicle was reported as stolen, the thief could also delete the alert and prevent any further action being taken. One tracking device could be remotely triggered to immobilize the vehicle, stopping it from being driven. Trucks in Belgium and the Netherlands were hacked to alter the driving time and speed meters. By hacking the tachographs, the time registration could be turned off completely. (Upstream 2020 report.)
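The tracker-app findings above are a textbook case of missing object-level authorization: the caller is logged in, but the API never checks that the account owns the vehicle whose id was sent. The following is an added illustration written for this article, not code from the Upstream report or from any of the named vendors; the account ids, vehicle ids and coordinates are constructed sample data, and the handler names are hypothetical. It shows the defective handler beside a hardened one that resolves the vehicle and then requires ownership before returning a location or clearing a theft alert.

```python
"""Missing object-level authorization in a vehicle-tracker API, and its fix.

Added illustration (not code from the Upstream report or any vendor).
Every account, vehicle and coordinate below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


class Forbidden(Exception):
    """Raised when the calling account is not allowed to act on a vehicle."""


@dataclass
class Vehicle:
    vehicle_id: str
    owner_account: str
    location: Tuple[float, float]
    theft_alert: bool = False


def make_fleet() -> Dict[str, Vehicle]:
    """Constructed sample data: two accounts, each owning one tracked vehicle."""
    return {
        "veh-1001": Vehicle("veh-1001", "acct-alice", (51.50, -0.12), theft_alert=True),
        "veh-2002": Vehicle("veh-2002", "acct-bob", (52.37, 4.90)),
    }


# --- Vulnerable handlers ----------------------------------------------------
# session_account is the account the caller has already proven it holds (for
# example via a valid token). The defect: the vehicle is looked up purely by
# the id the client supplied and ownership is never compared, so any logged-in
# account can read the live location of, or silence the theft alert on, any
# vehicle in the system.

def get_vehicle_vulnerable(fleet: Dict[str, Vehicle], session_account: str,
                           vehicle_id: str) -> dict:
    v = fleet[vehicle_id]  # no ownership check
    return {"id": v.vehicle_id, "location": v.location, "theft_alert": v.theft_alert}


def clear_theft_alert_vulnerable(fleet: Dict[str, Vehicle], session_account: str,
                                 vehicle_id: str) -> bool:
    v = fleet[vehicle_id]  # no ownership check
    v.theft_alert = False
    return v.theft_alert


# --- Hardened handlers ------------------------------------------------------

def _authorized_vehicle(fleet: Dict[str, Vehicle], session_account: str,
                        vehicle_id: str) -> Vehicle:
    """Object-level authorization: resolve the id, then require ownership.

    'Unknown id' and 'not your vehicle' raise the same error so that a caller
    cannot use the difference to learn which ids exist.
    """
    v = fleet.get(vehicle_id)
    if v is None or v.owner_account != session_account:
        raise Forbidden(f"{session_account} may not access {vehicle_id}")
    return v


def get_vehicle_hardened(fleet: Dict[str, Vehicle], session_account: str,
                         vehicle_id: str) -> dict:
    v = _authorized_vehicle(fleet, session_account, vehicle_id)
    return {"id": v.vehicle_id, "location": v.location, "theft_alert": v.theft_alert}


def clear_theft_alert_hardened(fleet: Dict[str, Vehicle], session_account: str,
                               vehicle_id: str) -> bool:
    v = _authorized_vehicle(fleet, session_account, vehicle_id)
    v.theft_alert = False
    return v.theft_alert


def is_denied(handler: Callable, fleet: Dict[str, Vehicle], session_account: str,
              vehicle_id: str) -> bool:
    """True if the handler refuses the request (useful for regression tests
    that assert cross-account access is blocked)."""
    try:
        handler(fleet, session_account, vehicle_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    fleet = make_fleet()
    # Bob's session reads Alice's vehicle through the defective handler.
    print("vulnerable:", get_vehicle_vulnerable(fleet, "acct-bob", "veh-1001"))
    # The hardened handler refuses the same request.
    print("hardened denied:", is_denied(get_vehicle_hardened, fleet, "acct-bob", "veh-1001"))
```

The fix is deliberately placed in one helper that every vehicle-scoped endpoint calls, so that a new endpoint cannot forget the check; a regression test that asserts `is_denied(...)` for a cross-account request is the kind of check a bug bounty report on such an API would typically lead a vendor to add.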
Whilst bug bounty programs are relatively new in the automotive industry, their use indicates a growing awareness of the vulnerabilities and of the potential damage should they be exploited. The HackerOne bug bounty platform hosts public vulnerability disclosure programs for both Ford and General Motors and shows the large number of vulnerabilities that exist to begin with. So if your vehicle fleet manufacturer has one, and it is properly incentivised and managed, then white hat hackers are probably already working on trying to identify any potential exploits. That is a good thing: it provides a route to safely disclose vulnerabilities that could cause harm. With more research being conducted, and the number of cyber attacks increasing, we may see disruption to connected fleets due to safety-style recalls too.
There is clearly immense value in connected vehicle manufacturers having a bug bounty program as part of their cybersecurity strategy, yet it does not eradicate the risk of cyber threats to the manufacturers or entirely protect the users of connected fleets. It raises significant questions around the impact on a fleet of vehicles if a vulnerability is exposed. Some fleet operators and leasing companies have recovery and remediation plans in place, whilst others choose to invest in cybersecurity insurance policies.