First major automaker (aside from Tesla) to issue guidelines promising not to sue researchers.
On January 5, General Motors quietly flipped the switch on Detroit’s first public security vulnerability disclosure program, launched in partnership with the bug bounty and disclosure portal provider HackerOne. General Motors Chief Cybersecurity Officer Jeff Massimilla told Ars the new portal was a first step in creating relationships with outside security researchers and increasing the speed with which GM discovers and addresses security issues.
“We very highly value third-party security research,” Massimilla said. He explained that under the program, those third parties can reveal vulnerabilities they find with the guarantee that GM will work with them and not take legal action—as long as they follow the fairly straightforward guidelines posted on the program’s portal.
The choice of HackerOne was a key part of the program strategy, Massimilla said, because of that company’s existing relationship with security researchers. “We don’t have a lot of experience with this sort of program,” Massimilla admitted. HackerOne is hosting the program’s Web portal, which handles much of the workflow of managing disclosures. “We also have e-mail addresses and other contact points where we can communicate,” he added.
HackerOne is currently hosting more than 400 vulnerability disclosure and bug bounty programs, of which about 100 are currently public. The remainder are “invitation only,” said HackerOne founder and CTO Alex Rice. With those, “the companies start testing their coordination with a few trusted hackers, working out the edge cases of coordination.”
GM’s effort isn’t a full-blown bug bounty program like the one announced by Tesla at last year’s Def Con conference in Las Vegas—at least not yet. “Right now, it’s a public coordinated disclosure program, so when vulnerabilities are discovered we can work with researchers to resolve them,” Massimilla said. “We’re going to continue to assess and modify the program as it goes forward.” Various forms of recognition and rewards will be considered, he added, as the program evolves.
Eight simple rules for hacking our cars
The GM program’s rules are mostly simple. GM has publicly declared that researchers are safe from legal action as long as they:
do not cause harm to GM, our customers, or others;
provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability);
do not compromise the privacy or safety of our customers and the operation of our services;
do not violate any criminal law;
do not violate any other law (other than those that would result only in claims by GM), or disrupt or compromise any data or vehicle that is not their own;
publicly disclose vulnerability details only after GM confirms completed remediation of the vulnerability and not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained;
confirm that they are not currently located in or otherwise ordinarily reside in Cuba, Iran, North Korea, Sudan, Syria or Crimea; and
confirm that they are not on the US Department of the Treasury’s Specially Designated Nationals List.
The creation of a disclosure program may appear to be a small step in comparison to other bug bounty programs offered, like the Tesla initiative mentioned above. But Joshua Corman of the grassroots security advocacy organization I Am The Cavalry—a group that has lobbied automakers, medical device manufacturers and other industries to work with security researchers to build safer products—told Ars that GM’s move is “a huge” step. “This first of a kind disclosure program, if copied by rest of the auto industry, will really catalyze the maturity of their security practices,” he said.
Part of the reason for that is because of the massive work that GM has had to do (and will continue to have to do) in simply working the bugs out of the bug-killing process itself.
“There’s been a lot of tension around the bug bounty program,” said Rice. “But that’s obscuring the complexity that has to go into the underlying process. For a small company, it’s pretty straightforward. But for startups, it starts to get complicated pretty quickly. If there’s an open source project involved, for example, vulnerabilities need to be passed along. Take it up to a company the size of GM, and getting it right is a real problem, because many of the vulnerabilities that are going to be coming into the program aren’t their fault—but they’re still going to be stepping up to coordinate getting those bugs fixed.”
Beware of dog
Starting off with building a relationship with the security research community is, as Corman described it, the “crawling before the walking” of a bug program. But there’s a lot of relationship building to be done. Most automakers have private bug-hunting programs that involve internal staff or contract security researchers, Corman noted. Some accept bugs from external trusted researchers through private programs. But for independent security researchers who discover vulnerabilities, “Detroit currently has an implicit ‘beware of dog’ sign,” he said. “We’ve met people who say, ‘I found this bug but I’m not going to tell them, I don’t want a lawsuit.'”
There’s a reason for that defensiveness. Handling vulnerabilities in the automobile industry can be extremely complex, since the vulnerabilities are often (as demonstrated in the hack of a Jeep Cherokee last year by Charlie Miller and Chris Valasek) in systems provided by multiple tiers of suppliers. Those suppliers may or may not have vulnerability patching processes of their own. Additionally, some vulnerabilities in previous generations of vehicles may be impossible to patch without ripping and replacing components of the car wholesale. That’s an extremely expensive proposition, and one that will likely reach only a fraction of affected vehicles even in a recall.
“Most of the bugs found with bounty programs aren’t fixable,” Rice said. Before founding HackerOne, Rice was head of product security at Facebook. He sees how his new situation can be much more difficult.
“Facebook finds bugs that it takes responsibility for but has to pass downstream,” he said. And sometimes getting those bugs fixed takes a long time—even when working with outside researchers. GM is now stepping into a situation that may be even thornier than that at Facebook. “For a company like GM to step forward, they’re telling every supplier that they also need a vulnerability coordination program.”
The Jeep hack by Miller and Valasek is “the perfect example” of the problem automakers face in doing vulnerability management, Rice said. Fiat-Chrysler was “dealing with a dependency chain that is difficult to navigate.” The vulnerabilities exploited by Miller and Valasek were in software, hardware, and services provided largely by suppliers—most of whom don’t have vulnerability management processes in place.
All that means bug fixes can take a long time. A similar demonstrated “takeover” vulnerability found by University of California-San Diego researchers in GM’s OnStar service took five years to resolveafter it was privately disclosed to GM and the National Highway Traffic Safety Center. The processes to deal with resolving vulnerabilities simply didn’t exist at the time at GM, OnStar, or at suppliers, and most of the components involved weren’t necessarily designed with the idea of security updates in mind.
Building in security
That’s something GM has been working to resolve through the formation of Massimilla’s organization within the company, which began with his hiring in September of 2014. “We were one of the first automakers—I believe the first—to put a consolidated global group in place to deal with cybersecurity,” Massimilla said. “It’s a global organization, very well-funded, and it gets attention from senior management.”
Massimilla explained that the new security effort was having an impact on how GM develops its systems. “We’re taking a layered approach to security, designing our systems so we can understand what’s going on with them and so they can be updated over time.” Part of that involves building “detection and monitoring and response,” he said, for vulnerabilities and possible exploits of both GM’s back-office systems and those onboard GM vehicles.
GM also joined the auto industry’s new Auto ISAC, a cyber threat information sharing and analysis center under the umbrella of the Alliance of Automobile Manufacturers. Massimilla is the vice-chair of the ISAC. “The ISAC is the industry coming together to share threat intelligence and work to take a proactive approach cross-industry to address problems.” He added that GM is also communicating with defense and electronics industry cybersecurity groups as well.
Much of what Massimilla and GM are doing maps to the five “stars” proposed in I Am the Cavalry’s automotive safety program launched in August of 2014. It also follows emerging cybersecurity standards being developed by the ISO. “There are a lot of different groups that are looking at different programs that can be a comprehensive framework for security, and security vulnerability disclosure and the ability to work with outside researchers is key for any of them,” Massimilla acknowledged. Designing for security and enabling rapid responses to security problems are major parts of the puzzle—parts that many automakers have started to recognize with no small amount of pain over the past few years.
In combination with the Library of Congress’ recent ruling exempting vehicle software from the Digital Millennium Copyright Act (DMCA)—a ruling that will kick in later this year—Corman believes programs like GM’s will draw vulnerability reports that many researchers may have been sitting on for years. “Once people recognize that here’s a welcome mat, people will start reporting more things they’ve found,” he said. “It’s going to be really tough for the other automotive OEMs to not follow suit. Everybody will then start finding bugs faster. They’ll see bugs are dense, not sparse, and that will help them make better design choices in the future.” The result, Corman said, will see an “upward spiral” in automotive safety practices.
Automakers and their suppliers aren’t alone in being slow to adopt vulnerability coordination programs. In a survey HackerOne conducted of Forbes 2000 companies last year, 94 percent of the companies who participated said that they had “no identifiable process to respond” to vulnerability disclosures according to Rice. “There are vulnerabilities in every single one of those companies,” he asserted. “Having no process for dealing with them is doing everyone a disservice.”