Automakers should work with hackers
Automakers have two primary options for obtaining data and insight into securing the vehicle: the automaker's own employees, and third parties outside the manufacturer. The staff members are entrenched in the business and know the architecture and how it is supposed to work. Because of that familiarity and comfort with their own system, the staff may lack the curiosity and mental focus to examine different aspects of the vehicle for areas susceptible to breaches, or even for something as simple as sniffing packets carrying personally identifiable information (PII).
The alternative is to work with third-party persons or entities focused on reviewing insecure communications and weak points in the architecture. These individuals go by various handles or by their actual names; the business entities have tended to use their corporate names. This group analyzes the areas of the vehicle and its communications looking for weak spots and oversights. Because of their lack of familiarity and their professional distance, they tend to probe more and to look at different areas. This contractual relationship is known as a bug bounty program.
This is not a new procedure for the auto manufacturers. GM has been working with hackers to improve their vehicles, including the vehicle's firewall (Nagesh, 2016). This workflow includes, but is not limited to, a "coordinated disclosure" program. This specific bug bounty program was engineered to analyze potential cybersecurity gaps in the individual GM vehicles, website, and software. GM's bug bounty program does not offer cash rewards, but GM does state that it will not pursue legal action. In this case, the researcher is allowed to work at breaching the system; if a weakness is found, the person is able to report it and substantially increase their credibility in the industry in a legal manner, without incurring significant legal or civil liability.
Tesla Motors Inc. has a bug bounty program in place. Under their program the corporate entity pays researchers to find the vulnerabilities. The focus here is for the weakness to be noted, researched, and patched well before an attacker exploits it.
As of March 2016, FCA (formerly known as Chrysler) did not have a bug bounty program in place.
Overall, bug bounty programs have worked out well for the vehicle manufacturers that have used them over time. They have directly assisted in securing the vehicle and increasing consumer confidence. Researchers may be paid a few thousand or tens of thousands of dollars; however, in comparison to the overall costs of a breach, that amount is far less than the cost of the breach's publication, the patching or replacement of mechanical parts, and the loss of vehicle sales.
References
Nagesh, G. (2016, March 11). GM invites hackers to uncover cybersecurity gaps. Retrieved from http://www.nasdaq.com/article/gm-invites-hackers-to-uncover-cybersecurity-gaps-20160311-00216