General Motors just backpedaled its position on car hacking. The carmaker recently opened a pathway for non-malicious hackers to report security vulnerabilities in GM cars, reports Wired—this despite previously opposing efforts to legalize independent security research by hackers under US copyright law. “Earlier this week, General Motors quietly launched a vulnerability submission program that allows security researchers to submit information about hackable vulnerabilities in GM automobiles and rest assured that—as long as they follow a few guidelines—they’ll be thanked rather than hit with a lawsuit,” writes Wired’s Andy Greenberg. “In partnership with HackerOne, a security startup devoted to helping companies coordinate security vulnerability disclosure with independent researchers, GM has created a portal welcoming bug reports from benign hackers”.
The program is a smart move for GM. As carmakers integrate more Wi-Fi-enabled features into cars, they are transforming automobiles into giant, moving Internet-connected computers. Which means some cars are vulnerable to being hacked—just like phones and laptops. In soliciting help from hackers, GM is essentially crowdsourcing unpaid independent researchers to bolster its own internal security efforts.
The HackerOne partnership is a stark departure from the company’s previous position on independent car hacking. Last year, the carmaker vigorously opposed an exemption to US copyright law that would have protected independent security researchers from the threat of prosecution. (They also opposed a similar exemption for car repair.) At the time, GM argued that allowing more independent researchers to perform this kind of work outside of a GM-monitored ecosystem would make cars less safe, instead of more safe.
But recent history has borne out the importance of hacking for security purposes. Just last summer, two independent researchers uncovered a software bug that allowed them to take remote control of a Jeep while it was in use. The white hat hackers reported the vulnerability to Chrysler before it could be found and exploited by malicious hackers. In response, Chrysler released a patch to fix the issue.
Uncovering that vulnerability actually put those researchers in violation of copyright law—because examining a car’s code often necessitates breaking digital locks over copyrighted software. Which means independent researchers risk being sued or jailed for trying to make our cars more secure. Thankfully, the Copyright Office granted an exemption for independent automotive software research over GM’s objections, though the exemption doesn’t take effect until next year.
Now, it seems like GM has overcome some of its initial concerns. And they are clearing the way for friendly hackers to help make GM cars safer. With a few stipulations, of course.
“According to its terms, GM promises not to sue researchers who submit security-flaw reports as long as they’ve followed a few rules in their car hacking, such as not endangering GM customers, violating their privacy or breaking any law,” explains Greenberg.
Read the full story over at Wired.