United Airlines Invites Hackers To Find Security Vulnerabilities

An anonymous reader writes: Following a recent spike of interest regarding the potential to hack planes, United Airlines has created the first rewards-for-exploits scheme in the aviation industry. The 'Bug-Bounty' program offers up to a million air miles for submitters who find a specific range of exploits in the company's websites and digital infrastructure. The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

Goodie !

[randalware]

I will make reservations to Paris for two.
Then go visit Dr. Falkin.

Re:

[Anonymous Coward]

help, my plane is moving by itself

Re:

[Joe_Dragon]

reservations are not tickets and don't drop the soap

bug bounty but no scanning

[Anonymous Coward]

sounds odd they place the rule of no scanning of their network.
how is anyone suppose to find out what the structure is without probing

Re:

[ArsenneLupin]

In simple words: It's a bounty on finding bugs in their terrestrial infrastructure (reservation web sites, etc.), not in their on-board systems.

Scanning of networks is allowed, but only their ground networks.

wtf

[Anonymous Coward]

They explicitly state brute-force attacks are not allowed and will "result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation"... then, the following section clearly states a 250,000 mile reward for discovering a brute-force attack. wtf.

Re:

[SeaFox]

/insert Admiral Ackbar image: IT'S A TRAP!

Re:wtf

[spiritplumber]

Heh. The problem with half these contests is that two weeks later they say "No, contest over and if you publish a vulnerability we'll sue you".

Re:

[TheRaven64]

It's hard to translate miles into actual value. 30K United miles + fees buys you a transatlantic flight. When I was looking a couple of weeks ago, it was the same going from LHR to EWR or SFO, with $188 for the UK leg and about $6 in the other direction (UK airport taxes are pretty huge). The round trip to SFO is about $1200 without the miles, so 60K miles works out to about $1K on that. That makes the value of 250K miles about $4000. This is a pretty low bug bounty.

On the other hand, the value depe

Re:

[Lehk228]

so publish it anonymously (don't forget your 7 proxies) as a fully functional metasploit plugin.

Screw That.

[TechyImmigrant]

I've got all the points and arse ache I need.
I want a status upgrade. PQMs or go away.

Since the rewards are _air_miles_...

[Ann O'Nymous-Coward]

...I would've thought that fact alone would be enough to discourage anyone (who's not actually suicidal) from stuffing around with onboard systems.

After all, if you win air miles, aren't you and/or friends & family that much more likely to be onboard when a hacked system goes titsup?

Or am I giving the average hacker too much credit for common sense?

Translation

[countSudoku()]

Translation: We can't afford (read: won't pay) for real security personnel, so we'll let strangers do it on a dare and not even to any interesting assets like a fucking plane! No, just hack our shitty web site and we'll offer you some "free miles" that will be highly restricted and next to worthless, but don't fear, wherever you end up going will be a horrible journey filled with ignorant TSA agents frisking your panties and smelling your shoes and then if your fucking pilot decides NOT to crash the plane into a building or a mountain you might end up killing yourself at your destination rather than face the social rape that is modern air travel.

Re:

[BarbaraHudson]

Does anyone still think "oh wow, airmiles!!!" ? What's a million airmiles worth? 3,000.00 [gizmodo.com] to $6,500.00 [cnn.com]

This is like the guy who says "I lost my wallet with $1,000.00 in it. I'll pay $100.00 to whoever finds it!" Someone else immediately says "I'll pay $200.00"

Re:

[rtb61]

Now is that a million first class air miles or cargo class in box. It kind of makes a big difference. If they are offering free trips in a aluminium death tube, they had better make them at least comfortable trips. Even better they could offer a million cruise ship miles, then the journey is the fun.

Re:

[magarity]

Translation: We can't afford (read: won't pay) for real security personnel

In all fairness, United is a huge company and like any huge company has tremendous inertia. Probably it's nearly impossible to get IT security bugs properly identified and fixed even if the CEO came to daily scrum meetings. A bounty for external parties is at least a realization they have this problem.

Re:

[TechyImmigrant]

I'm a united frequent flyer.

To get an upgrade on an international (atlantic or pacific crossing) flight will cost you 30,000 points and $500.
The points have no value without extra money.

Status is everything, points accumulate faster than you can spend them if you are a frequent flyer. With status you don't get a middle seat, you're first in line for upgrades, they don't bump you on overbooked flights. Status matters.

it's about taking control of the story/keywords

[SuperBanana]

> Translation: We can't afford (read: won't pay) for real security personnel,

Eh, not really. I guarantee you they have a lot of "real" security personnel.

This is about taking over control of the story; it's a sort of "pay no attention to the thing we don't want you to hear about" (ie the fact that their onboard infotainment/networking and satellite uplink systems are ludicrously insecure) and "pay attention to this other thing."

Now when you search for "united hacking", you'll get a billion stories about

Re:

[Skapare]

... and face the wrath of ignorant pilots [huffingtonpost.com]?

Re:

[nnull]

Pretty much. Worst of all, all those miles are pretty much worthless because they only let you fly on some of the worst possible flights with travel time in excess of 30 hours to get to your destination. I have over a million miles clocked up with Delta and I find it completely useless, even on upgrades. They never let me travel on the dates I want to travel and if by sheer luck they do have one on a date I want to travel, it's a flight with over 20 hours of travel. I would rather pay for a ticket that give

Following a recent spike ....

[PPH]

... of interest regarding the potential to hack planes, United offers rewards for finding vulnerabilities in their ground-based systems. But no trying to hack planes, or you'll be in trouble.

I see a certain logic fail here.

scam

[turkeydance]

they won't pay. not even in miles.

Re:

[R3d M3rcury]

Well, here's an interesting question...

If I hack their website such that I can give myself 93,000,000 air-miles, why should I tell United so that they'll give me "up to a million" air-miles?

in other news...

[zlives]

one billion dollar bounty for anyone who can pass through solid wall without looking for or making a door.

Re:

[Em Adespoton]

one billion dollar bounty for anyone who can pass through solid wall without looking for or making a door.

Are you allowed to look for Windows?

Re:

[zlives]

yes but then you have to pay a billion dollars or life in prison.

bugs

[JohnVanVliet]

" The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt. "

but THAT!!! is the easiest way IN!!!!

Head in the sand will never work out well !!!

Re:

[Em Adespoton]

I wonder what happens if you just exploit them without probing first? After testing with an off-board flight system first of course, so you know exactly what will happen.

Re:

[Skapare]

what if we hack into their simulators and simulate flying into the Alps?

First Rule of United Airlines Hack Club

[l0ungeb0y]

First Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club Second Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club If you tweet about it we're gonna call the FBI

Who else is tired of playing "win your paycheck" ?

[Anonymous Coward]

I'm sick of companies putting out prizes to get work done instead of actually hiring people.
What it amounts to is getting thousands of hours of labour for free.

If the winner got a high salaried contract of employment it would still be a little predatory, but at least you could get behind the idea that maybe someone with great skills who never got the opportunity will get a good position out of it. That would be far too reasonable though. I mean, why pay that guy at all when the person organizing this nons

Re:

[darkain]

Oh, so like Bitcoin!

Re:

[BarbaraHudson]

1. Find big valuable diamond.
2. Smash into 100 smaller diamonds.
3. ($500,000.00) PROFIT.

If I get into United's reward system....

[Glasswire]

and give myself a million miles, does that mean United will give a second million? Or just let me keep mine? So what do I need them for?

Re:

[TechyImmigrant]

Give yourself Global Services status instead. It's far more useful.

on-board flight systems?

[Skapare]

The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

... because those are not secured yet due to use of legacy software?

Re:

[suutar]

and hard to fix, because recertifying avionics is not fast. And if they do catch anyone scanning onboard systems, they don't have to consider "but I'm in this contest" as an excuse, they can just throw the book and be done with it.