GM wants hackers to uncover cybersecurity weaknesses
Issue Date: 2016-03-31

General Motors is turning to hackers to strengthen car firewalls.

The nation's largest auto maker highlighted a "coordinated disclosure" program it launched earlier this year that invites computer researchers to search for cybersecurity gaps in GM vehicles, websites and software.

The effort is an offshoot of so-called bug bounty programs run by companies, including Silicon Valley electric-car maker Tesla, that pay researchers to spot software vulnerabilities before outside hackers exploit them. GM's program isn't offering hackers cash but promises not to take legal action against them so long as they don't disclose any vulnerabilities they uncover.

The program, launched in January, comes amid increased concerns over cybersecurity gaps in automobiles that have led to recalls and regulatory scrutiny. Researchers last year demonstrated an ability to commandeer controls of a moving Jeep from a laptop miles away, leading parent Fiat Chrysler to recall more than a million vehicles.

No one was injured and Fiat Chrysler quickly fixed the problem. Most vehicle hacks have involved researchers with extended access to vehicles, as opposed to those randomly driving in traffic. But such demonstrations are fueling concerns among safety advocates, regulators and Capitol Hill lawmakers that both controls and private information linked to a vehicle's technology could be vulnerable to cyberattacks.

Auto makers are trying to get a handle on potential problems before suffering worse attacks such as those already perpetrated on big retailers, banks and the U.S. government. "The most exciting thing is that the auto industry is addressing this before there is an issue," said Jeff Massimilla, GM's chief product cybersecurity officer.

GM suffered a mild attack last year when a researcher demonstrated an ability to remotely locate, unlock or start a car using the auto maker's OnStar smartphone system by installing a gadget underneath the vehicle. GM quickly addressed the problem and alerted consumers to the fix without a formal recall. Researchers have also hacked a Tesla car. The electric-car maker issued a security update.

The advent of driverless cars and vehicles with automated features is spurring additional work by auto makers to strengthen cybersecurity. Such security holes pose a growing threat to consumer safety as new cars increasingly include Internet connections and features like automatic emergency braking and adaptive cruise control that are controlled by software.

Mr. Massimilla said GM would eventually pay researchers for finding hacking vulnerabilities in the Detroit auto maker's vehicles. He said one of the biggest benefits of the current program is that it allows GM to develop relationships with cybersecurity researchers. The creation of an industrywide group to share information on cybersecurity threats has also helped auto makers stay ahead of the curve in an attempt to avoid catastrophic attacks, he said.

Dr. Dan Massey, a program manager with the Department of Homeland Security's cybersecurity division, said auto makers working together would help them avoid cyberattacks such as the one that hit the Office of Personnel Management.

"There have been some researcher demonstrations of vulnerabilities, which is always the case, but no attacks out in the wild," Mr. Massey said.