SMART TRANSPORT FEATURE NEWS

Fiat Chrysler Offers Bounty for White Hat Hackers

By Ken Briodagh July 20, 2016

Ever since last year’s high profile Jeep Cherokee hack, Fiat Chrysler America (FCA) has been diligently working to prevent any such embarrassment or breach from happening again, or at least to make it much more difficult. The latest step in that effort takes the form of a bounty of $150 to $1,500 per bug found in its vehicles.

The company said in its call for help that it “values engaging third party researchers to improve our products making them safer and more reliable.”

To that end, it has committed to formally recognize and pay good-guy hackers who find reproducible and legitimate vulnerabilities, with the caveat that the vulnerabilities be disclosed (good guys, remember?). The company said that its goal with the Bug Bounty project is to “foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services.”

Once a report is made, FCA will investigate and patch up all vulnerabilities as quickly as possible. The company promises not to take any legal action against folks who make reports, nor will it give names to law enforcement, as long as everyone plays by the rules of the so-called Responsible Disclosure Guidelines:

1) Provide full details of the vulnerability, including information needed to reproduce and validate the issue by producing a Proof of Concept (code, technical demos of the vulnerability, or the necessary steps needed to demonstrate your finding);
2) Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services;
3) Do not modify, access, or retain data that does not belong to you.

Allowed targets are only as follows: Vehicle Head Units, TPMS sensors, remote keyless entry, and any other system that is present in a hardware product that you own or are authorized to test against; the Driveuconnect.com and Moparownerconnect.com web portals; the UConnect Access Mobile Application for iOS and Android; https://itunes.apple.com/us/app/uconnect-access/id550295151?mt=8 (iOS); and https://play.google.com/store/apps/details?id=com.chrysler.UconnectAccess# (Android).

And that’s it. Any other domains and applications hacked are not included in the program and are considered out of scope, including any and all subdomains not explicitly listed.

There are also specific tactics and finding types that are excluded from the bounty. They are: Denial of Service attacks against any piece of FCA infrastructure; Cross Site Request Forgery on non-authenticated pages; certificate strength issues; error messages (descriptive or otherwise); HTTP error pages; public service disclosure, such as banner pages; service disruptions; public files or directories (e.g. robots.txt); clickjacking and issues only exploitable through clickjacking; web browser functionality controlled by the client, such as saved passwords and auto-completion; login or Forgot Password page brute force and account lockout not being enforced; vulnerabilities identified with automated tools (including web scanners) that do not include POC code or a demonstrated exploit; and physical, social engineering, and phishing attempts.

Kudos to FCA for taking this on directly and getting in the mix. I look forward to never hearing about another Jeepocalypse.

Edited by Maurice Nagle