A security researcher recently notified General Motors that they had found a way to circumvent data limits on the OnStar Wi-Fi hotspot systems included in many of its vehicles, grabbing unlimited free Wi-Fi access. The flaw was reported through GM’s two-year-old vulnerability disclosure program and was patched within a few days, but it illustrates the complex security problems facing auto manufacturers.
Members of the news media examine the new 2019 Chevrolet Silverado 1500 at its official debut at the 2018 North American International Auto Show 13 January 2018 in Detroit, Michigan. Photo: Bill Pugliano (Getty)
GM has to confront security issues not only in its vehicles, but with suppliers, dealerships, and even classic car museums where their brand is represented. That exposure is a bit broader than that of software companies, where bug bounty and vulnerability disclosure programs first gained prominence, but it also means that researchers who participate in the program have much more room to hunt for bugs.
“That wasn’t necessarily a scenario where we had to take action directly at the vehicle, but that was something that we could actually remediate through the telecommunications channel and work back with our partners there,” GM’s chief product security officer, Kevin Tierney, explained of the OnStar bug. “It’s something we probably wouldn’t have seen or tested for, a great finding for us.”
GM launched its vulnerability disclosure program in 2016 on HackerOne, a platform that pairs companies with friendly hackers who hunt for vulnerabilities in their products. More than 500 researchers have participated in the program so far, discovering over 700 vulnerabilities.
So far, GM hasn’t paid hackers for their findings, as other companies often do. But that’s changing as GM expands its program – this winter, the automaker plans to launch a private bug bounty program and offer participating security researchers hands-on experience in GM’s offensive hacking lab.
Aside from its broad exposure across websites, dealerships and its supply chain, GM also stands out from other companies with vulnerability disclosure programs because it’s a bit harder for security researchers to work on cars in the same ways they might work on software. GM can’t ask researchers to go out and buy a new car every time they want to look into a potential vulnerability, so it wants to bring researchers to its headquarters and let them tinker with its infotainment systems, including radios and navigation tools like OnStar.
“This is really really cool because, if you think about it, there’s a lot of barriers to entry in our environment,” Jeff Massimilla, GM’s vice president of global cybersecurity, explained. “You have to have a car, you have to have the infotainment system, things like that.”
GM is starting its private bounty program with a focus on infotainment systems because they’re often an entry point for hackers. Three years ago, researcher Samy Kamkar demonstrated the importance of these systems with his OwnStar work, which allowed him to remotely locate, unlock, and even start the engine of cars equipped with OnStar.
“If you look at it from a risk-based approach, they’re the thing that you really want to understand the security posture of the most because they’re the entry point,” Tierney said. “The second thing is, they also employ very advanced software and operating systems that are very similar to the IT space, Linux and other Android operating systems that a lot of these security researchers already have a lot of background knowledge on, and so getting them involved in those systems to start makes a lot of sense.”