Johan Postema: Tesla was “very fun” to work on.
After Johan Postema bought his Tesla Model S in 2013, he decided to connect it to his laptop just for kicks. After poking around in Tesla’s software code, he discovered a number of software bugs and ended up corresponding regularly with Tesla Motors about vulnerabilities he found and potential fixes.
“I didn’t know what to expect,” said Postema, an IT contractor based in the Netherlands. “I like to figure out how things work, and a Tesla was a very fun object to work on.”
Postema’s tinkering was just the beginning of what has become an industry practice relying on strangers around the world to identify and report software vulnerabilities in vehicles. Since mid-2015, automakers such as Tesla, General Motors and Fiat Chrysler Automobiles have launched “bug bounty” programs, inviting coders to find and report vulnerabilities in their vehicle software.
Both Tesla and FCA — which run their campaigns on Bugcrowd, an online hacking community — offer monetary rewards to hackers who find weaknesses that lead to software repairs. GM’s program is hosted on bug bounty site HackerOne, but it does not offer financial rewards. Ride-hailing company Uber also has a program, which rewards $5,000 for bugs that could result in defacing the webpage and $10,000 for discovering malicious bugs that could take over Uber accounts.
Hackers who participate in these programs must agree to nondisclosure terms to not publicize the vulnerabilities they found.
As of Sept. 23, Tesla has issued 151 rewards and FCA has issued 45, according to Bugcrowd. GM has resolved 267 reports submitted by participants in its campaign, according to its HackerOne page.
Tesla’s open-reporting system “protect[s] our systems against vulnerabilities by constantly stress-testing, validating, and updating our safeguards,” a company spokeswoman said in a statement. Spokespeople from GM and FCA did not respond to requests for comment.
Postema’s involvement with automotive cybersecurity was purely a coincidence of owning a Tesla, he said. “I’m not really interested in hacking cars specifically. If it’s a car, it’s a car; if it’s a lightbulb, it’s a lightbulb.”
Other coders, such as Nicodemo Gawronski, however, participate as a way to contribute to automakers they support.
“I like Tesla as a company, and I really like what Elon Musk is doing,” Gawronski said. “I wanted to see if I can help.”
Gawronski, who tests software security for a living in the U.K., doesn’t own a Tesla, but he has worked to identify vulnerabilities in the automaker’s mobile app. He has been able to earn between $200 and $1,000 participating in Tesla’s bug bounty program.
But other hackers are motivated by something other than charity: They want to beef up their resumes. Ahmad Ashraff, who is based in Kuala Lumpur, Malaysia, and transitioned to IT from a background in chemical engineering, says he joined FCA’s campaign to sharpen his automotive-coding skills.
“It’s an opportunity to get into a new field,” he said.
While automotive software has provided enough work to keep recreational hackers busy, coders don’t see it as a reason to panic over vehicles’ security.
“The design of the system is pretty good, and [automakers] have an efficient way of handling bug reports,” Postema said. “I’ve never been worried.”