Automakers Don't Want to Pay Hacker Bounties And Your Car's More Vulnerable Because of It

The auto sector paid out just 10 percent of what telecoms spent on white-hat hackers to find and eliminate security threats in 2022.

A Getty photo of a person using satellite navigation in a Mercedes-Benz in 2015, with the Jalopnik "The Morning Shift" banner over top.
Photo: Harold Cunningham/Getty Images, Jalopnik

Car manufacturers aren’t paying helpful hackers what they deserve, Ferrari’s first SUV will soon begin deliveries and the Mustang Mach-E is a lot cheaper in China than it is here. All that and more in The Morning Shift for Wednesday, March 8, 2023.

1st Gear: Tech Hype, Tech Problems

Car companies fancy themselves as tech companies, because tech companies are hip and valuable, or used to be. Unfortunately, building a “smartphone on wheels” isn’t as easy as it might seem at the outset, even in 2023, and as cars have come to depend on software, from the telematics unit in the dash to the supplier portals behind the factory, they inherit the same classes of vulnerability as the computer in your pocket. White-hat hackers can help the industry get the problem under control, but automakers are reportedly hesitant to pay bug bounties anywhere near what actual tech companies pay, according to a new story from Automotive News:

The auto industry paid out $483,809 in bug bounties last year, the least of the eight sectors HackerOne tracks. The average auto bug bounty paid out a little over $2,000, according to HackerOne’s 2022 Hacker-Powered Security Report. The Internet sector paid out $13.1 million last year. Telecoms gave friendly hackers $4.7 million. Government entities rewarded them with $703,084.

Stellantis, which uses Bugcrowd, another San Francisco cybersecurity management company, pays $150 to $7,500 per vulnerability discovered, with an average payout of $737.50 over the past three months. Yet hackers at a February conference in Miami exploring industrial cyber vulnerabilities earned $5,000 to $40,000 per breach, news site SecurityWeek reported.

Bounties paid out by Google in 2022 included a record $605,000, company spokesman Ed Fernandez said in an email. Since 2017, Intel has paid $4.1 million through its bug bounty program, said Jennifer Foss, a company spokeswoman.

One example in the story is particularly damning: a hobbyist found his way into Toyota’s global supplier portal, a gap that amounted to an internal data breach waiting to happen, reported it, and got a thank-you and nothing else:

Late last year, Eaton Zveare, a hacking hobbyist in Sarasota, Fla., breached Toyota’s global supplier management web portal, gaining read-and-write access to 14,000 corporate email accounts, associated confidential documents, projects, supplier rankings, comments and other information. He informed Toyota, and the breach was quickly closed.

Zveare said he appreciated Toyota’s prompt response and recognition but was dismayed by the lack of monetary compensation.

“Given how much profit they make per year, I think they should definitely allocate some to the security teams that they can use to reward researchers,” Zveare said.

The upshot of this is that if automakers continue to downplay the importance of cybersecurity by failing to compensate the people who are finding flaws in their products, their products will not only be vulnerable, they’ll be targets. A researcher who can earn $5,000 to $40,000 for a bug at an industrial-control conference and a few hundred dollars for one in a car has little reason to keep looking at the car, and the people who keep looking anyway are not the ones who file reports. This is the game the tech sector has to play, but the auto industry never signed up for that part. It just wanted people to run out and stand in line to buy EVs like they do the latest iPhone, and keep their credit cards on file for subscriptions. This wasn’t supposed to be work!

2nd Gear: Volkswagen’s Looking Elsewhere

A proposed eastern Europe battery plant is now on pause by the German automaker because the incentives are looking much better in the United States, per Financial Times:

Europe’s largest carmaker told EU officials last week that it expected to reap €9bn-€10bn in subsidies and loans from the US president’s Inflation Reduction Act and other US schemes over the lifetime of the factory, according to people at the meeting.

VW was “waiting” to see how the EU would respond to Washington’s incentives before pressing ahead with a plan to build a plant in eastern Europe, said one person with direct knowledge of the decision making at VW.

“Plans in North America have moved forward faster than expected and overtaken decision making in Europe,” the person said.

The IRA has sparked panic among European policymakers as high-tech industries such as batteries, which they have spent years nurturing, look across the Atlantic as competition from China intensifies.

The European Commission, which will next week publish a Net Zero Industry Act as part of its response to the US green scheme, is looking to loosen rules on state aid and is reassessing whether to deploy EU-level subsidies. But an early draft outlined last week has fallen short, according to industry executives.

A senior executive at another European battery maker present at last week’s meeting, which took place in Brussels and that competition commissioner Margrethe Vestager attended, said: “It looks pretty bad. There was an absence of concrete measures.”

Another executive said: “We’ve been contacted by many US states and they all highlight the IRA. When we put the figures together, the conditions they offer are much more interesting than the conditions they offer in Europe.”

Last week, Volkswagen’s chief financial officer Arno Antlitz said that a North American battery plant was likely to happen regardless of the Inflation Reduction Act’s existence, but the IRA has expedited those plans. It’s far from alone in that phenomenon.

3rd Gear: Purosangue Imminent

Those first on the Ferrari Purosangue order list should get their SUVs by midyear as the manufacturer has entered the ramp up stage of production, Automotive News reports:

Last September, Ferrari chief commercial and marketing officer, Enrico Galliera, told journalists that the company might need to close order books for the Purosangue after initial demand exceeded expectations. Galliera said that Ferrari began receiving a significant number of pre-orders in September 2018, when the company announced that the Purosangue (Italian for “thoroughbred”) would go into production.

Virgolin would not give precise order figures, but said that “the market has appreciated the Purosangue.” [...]

The development effort that led to the Purosangue started in 2018 as Project 175 under then-Chairman Sergio Marchionne, Virgolin said. The brief was to retain Ferrari performance while increasing room, comfort and practicality.

“We benchmarked competitors’ cars for interior roominess, but our benchmark for performance was other Ferraris,” he said.

Not that it matters, but, comparing the Purosangue against the Lamborghini Urus and Aston Martin DBX, the Urus is uncomfortably ugly and the DBX is fine, I guess, but notably lacks rear-hinged doors and a V12. The Aston also starts at approximately half the price of the Purosangue. Ferrari’s about to make a disgusting amount of money off this thing, aren’t they?

4th Gear: Here’s How the Mach-E’s Doing in China

Tesla’s rash of price cuts have had a knock-on effect in China’s electric vehicle market, and Ford’s the latest to jump in, per Reuters:

Ford Motor said on Wednesday it was offering a discount of 40,000 yuan ($5,700) on its Mustang Mach-E electric SUVs in China until the end of April.

Mustang Mach-E cars were now available in China at prices starting at 209,900 yuan ($30,214) in China after the discount, a company representative at Ford China said.

The U.S. automaker had already slashed Mach-E prices by as much as $5,900 in its home market following rival Tesla’s price cuts for the best-selling Model Y crossover.

Ford said in November it was accelerating Mustang Mach-E production and targeting a global annual output rate of 270,000 by the end of 2023, including its China production. It builds the Mach-E in Mexico and China.

Ford sold 39,458 Mach-Es in the U.S. last year, 45% more than in 2021.

However, Mach-E sales last year in China, the world’s largest auto market, were minimal - just 7,782 units. Tesla sold 455,091 Model Ys in China in the same year, according to data from China Association of Automobile Manufacturers (CAAM).

This is not the Mach-E’s first price drop in the territory. In October, it fell from the equivalent of about $38,000 to $34,200, and now it’s down to a shade over $30,000. And here, well, the electric SUV starts at $45,995, after a slight price cut in January timed with a production increase, which itself followed a larger price hike the prior August. EV prices are just going to do this forever, aren’t they?

5th Gear: BYD’s Getting Into Them Trucks

BYD believes its blade battery holds the key to unlocking the potential of electric commercial trucks, and will push into the space in the coming years, The Wall Street Journal reported Wednesday:

Over the next three years, BYD plans to introduce new commercial-vehicle models in markets including China, Europe and Japan, according to people familiar with the company’s plans. It has mapped out a budget of more than $20 billion for its commercial-vehicle unit through 2025, with major outlays planned for research, product development and expansion of production capacity, the people said.

A spokesperson for BYD declined to comment. The exact breakdown of the spending couldn’t be learned.

The push is part of an emerging shift in the industry’s thinking about next-generation trucks. Some companies see non-battery technologies such as hydrogen fuel cells as a better fit for big trucks, especially those traveling long distances, because they believe the batteries to power such trucks would be too heavy.

People at BYD believe its in-house battery, which it calls a blade battery, can address the issue. Blade batteries contain a number of long, flat blade-like cells slid into a battery pack, a structure that BYD says maximizes use of space and energy density, while minimizing overall vehicle weight.

BYD actually builds electric buses out of its Lancaster, California facility, and is the largest producer of such vehicles in the U.S. It currently claims about 20 percent of China’s consumer EV market, so there’s no reason to think it won’t run away with trucks, too.

Reverse: The Bus Is Born

On this day in 1950 — 73 years ago — another icon began rolling off Volkswagen’s production lines. From History.com:

Volkswagen, maker of the Beetle automobile, expands its product offerings to include a microbus, which goes into production on March 8, 1950. Known officially as the Volkswagen Type 2 (the Beetle was the Type 1) or the Transporter, the bus was a favorite mode of transportation for hippies in the U.S. during the 1960s and became an icon of the American counterculture movement.

The VW bus was reportedly the brainchild of Dutch businessman Ben Pon, an importer of Beetles to the Netherlands, who saw a market for a small bus and in 1947 sketched out his concept. Volkswagen engineers further developed the idea and in March 1950, the vehicle, with its boxy, utilitarian shape and rear engine, went into production. The bus eventually collected a number of nicknames, including the “Combi” (for combined-use vehicle) and the “Splittie” (for its split windshield); in Germany it was known as the “Bulli.” In the U.S., it was referred to by some as a hippie van or bus because it was used to transport groups of young people and their camping gear and other supplies to concerts and anti-war rallies. Some owners painted colorful murals on their buses and replaced the VW logo on the front with a peace symbol. According to “Bug” by Phil Patton, when Grateful Dead musician Jerry Garcia died in 1995, Volkswagen ran an ad featuring a drawing of the front of a bus with a tear streaming down it.

Neutral: Hornet Dodged

I was supposed to drive a Dodge Hornet this week, but a family emergency forced me to cancel. It’s no big deal — I’ll drive the Hornet someday, and some things (plenty of things) are more important than cars. I’ll remember your inquiries when I do eventually get behind the wheel of one. As Jalopnik’s resident Dart apologist, it’s kind of my duty.