Podcast: Craig Smith of OpenGarages on Vehicle Security and GM’s Bug Bounty


In-brief: In this podcast, Paul speaks with Craig Smith of Open Garages on GM’s bounty program, the state of connected vehicle security, and what the auto industry can learn from open source. 

General Motors became the first of the major U.S. automakers to introduce a formal “bounty” program for collecting information about software vulnerabilities affecting the company’s products. (That would be: automobiles.) As we observed in this story, though, the program is just a first step toward greater engagement with the information security community; it lacks (among other things) a real “bounty” in the form of financial payment for vulnerability information.

To help us analyze GM’s move and also talk about the bigger picture of vehicle security, we chatted early this week with Craig Smith, a founder of the group Open Garages. Smith has developed a reputation as one of the top experts on the workings of connected vehicles, and as a fierce champion of change within the auto industry.

Smith is the author of a book, The Car Hacker’s Handbook, which details the ins and outs of everything from in-car infotainment systems to ECUs (engine control units). Smith is also a founding member of I Am The Cavalry, which promotes safety and security in the automobile industry, among other sectors.

In this podcast, Smith talks about his impressions of the impact of GM’s bounty program and about the auto industry’s habit of “secrecy” and the need to embrace modern notions of improving product quality and reliability by borrowing ideas from the open source community. He also talks about his introduction to car hacking: as a vehicle owner looking to play music videos over his on-board infotainment system.