As the need for automotive cybersecurity researchers grows, the supply is not keeping up with demand. Many of the sponsors of the “Car Hacking Village” sub-conference at the influential cybersecurity conference DEF CON have been the victims of automotive hacking — Fiat Chrysler, Volkswagen and Delphi Automotive.
“This year it`s definitely bigger in terms of industry support,” said Casey Ellis, founder of Bugcrowd, one of the sponsors of the Car Hacking Village.
Bugcrowd runs programs to offer researchers rewards for submitting security flaws in products back to the manufacturers for repair. Its clients include Fiat Chrysler. Ellis said the fastest growing sector in programs like his, known as bug bounties, is automotive.
The interest, said Ellis, is because automobile manufacturers recognize dangers of their products being breached “I like to say cars are two-ton, gas-powered mobile phones,” he said but are not able to find qualified candidates for the work.
“Hacking cars is hard. It requires specialized equipment and knowledge, not to mention the car. That`s part of the reason [manufacturers] jumped into this. It`s a good way to access talent they would otherwise be unable to hire.”
The gap between the number of needed and trained researchers will only grow, said Ellis, as car manufacturers move toward driverless cars.
For now, the industry is struggling to meet the needed security experts to work on automobiles specifically.
“We need to move researchers to automobiles,” said Tod Beardsley, director of research at Rapid7, another sponsor of the Car Hacking Village.
Rapid7 recently created a bridge letting researchers use its popular security testing tool Metasploit on automotive systems. Beardsley believes bringing familiar interfaces to automotive hacking will reduce the amount of learning time for a researcher to take up automobiles.
Ellis is approaching the issue from the other end. Bugcrowd is attempting to train automotive software designers and tweakers in security.