Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck Transportation

United Airlines Invites Hackers To Find Security Vulnerabilities 54

An anonymous reader writes: Following a recent spike of interest regarding the potential to hack planes, United Airlines has created the first rewards-for-exploits scheme in the aviation industry. The 'Bug-Bounty' program offers up to a million air miles for submitters who find a specific range of exploits in the company's websites and digital infrastructure. The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.
This discussion has been archived. No new comments can be posted.

United Airlines Invites Hackers To Find Security Vulnerabilities

Comments Filter:
  • Goodie ! (Score:5, Funny)

    by randalware ( 720317 ) on Thursday May 14, 2015 @04:03PM (#49693217) Journal

    I will make reservations to Paris for two.
    Then go visit Dr. Falkin.

  • by Anonymous Coward on Thursday May 14, 2015 @04:08PM (#49693257)

    sounds odd they place the rule of no scanning of their network.
    how is anyone suppose to find out what the structure is without probing

    • In simple words: It's a bounty on finding bugs in their terrestrial infrastructure (reservation web sites, etc.), not in their on-board systems.

      Scanning of networks is allowed, but only their ground networks.

  • by Anonymous Coward

    They explicitly state brute-force attacks are not allowed and will "result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation"... then, the following section clearly states a 250,000 mile reward for discovering a brute-force attack. wtf.

    • by SeaFox ( 739806 )

      /insert Admiral Ackbar image: IT'S A TRAP!

    • Re:wtf (Score:4, Insightful)

      by spiritplumber ( 1944222 ) on Thursday May 14, 2015 @04:12PM (#49693303) Homepage
      Heh. The problem with half these contests is that two weeks later they say "No, contest over and if you publish a vulnerability we'll sue you".
      • by Lehk228 ( 705449 )
        so publish it anonymously (don't forget your 7 proxies) as a fully functional metasploit plugin.
  • by TechyImmigrant ( 175943 ) on Thursday May 14, 2015 @04:09PM (#49693275) Homepage Journal

    I've got all the points and arse ache I need.
    I want a status upgrade. PQMs or go away.

  • ...I would've thought that fact alone would be enough to discourage anyone (who's not actually suicidal) from stuffing around with onboard systems.

    After all, if you win air miles, aren't you and/or friends & family that much more likely to be onboard when a hacked system goes titsup?

    Or am I giving the average hacker too much credit for common sense?

  • Translation (Score:4, Insightful)

    by countSudoku() ( 1047544 ) on Thursday May 14, 2015 @04:11PM (#49693289) Homepage

    Translation: We can't afford (read: won't pay) for real security personnel, so we'll let strangers do it on a dare and not even to any interesting assets like a fucking plane! No, just hack our shitty web site and we'll offer you some "free miles" that will be highly restricted and next to worthless, but don't fear, wherever you end up going will be a horrible journey filled with ignorant TSA agents frisking your panties and smelling your shoes and then if your fucking pilot decides NOT to crash the plane into a building or a mountain you might end up killing yourself at your destination rather than face the social rape that is modern air travel.

    • Does anyone still think "oh wow, airmiles!!!" ? What's a million airmiles worth? 3,000.00 [gizmodo.com] to $6,500.00 [cnn.com]

      This is like the guy who says "I lost my wallet with $1,000.00 in it. I'll pay $100.00 to whoever finds it!" Someone else immediately says "I'll pay $200.00"

      • by rtb61 ( 674572 )

        Now is that a million first class air miles or cargo class in box. It kind of makes a big difference. If they are offering free trips in a aluminium death tube, they had better make them at least comfortable trips. Even better they could offer a million cruise ship miles, then the journey is the fun.

    • Translation: We can't afford (read: won't pay) for real security personnel

      In all fairness, United is a huge company and like any huge company has tremendous inertia. Probably it's nearly impossible to get IT security bugs properly identified and fixed even if the CEO came to daily scrum meetings. A bounty for external parties is at least a realization they have this problem.

    • I'm a united frequent flyer.

      To get an upgrade on an international (atlantic or pacific crossing) flight will cost you 30,000 points and $500.
      The points have no value without extra money.

      Status is everything, points accumulate faster than you can spend them if you are a frequent flyer. With status you don't get a middle seat, you're first in line for upgrades, they don't bump you on overbooked flights. Status matters.

    • > Translation: We can't afford (read: won't pay) for real security personnel,

      Eh, not really. I guarantee you they have a lot of "real" security personnel.

      This is about taking over control of the story; it's a sort of "pay no attention to the thing we don't want you to hear about" (ie the fact that their onboard infotainment/networking and satellite uplink systems are ludicrously insecure) and "pay attention to this other thing."

      Now when you search for "united hacking", you'll get a billion stories about

    • by Skapare ( 16644 )
      ... and face the wrath of ignorant pilots [huffingtonpost.com]?
    • by nnull ( 1148259 )
      Pretty much. Worst of all, all those miles are pretty much worthless because they only let you fly on some of the worst possible flights with travel time in excess of 30 hours to get to your destination. I have over a million miles clocked up with Delta and I find it completely useless, even on upgrades. They never let me travel on the dates I want to travel and if by sheer luck they do have one on a date I want to travel, it's a flight with over 20 hours of travel. I would rather pay for a ticket that give
  • by PPH ( 736903 ) on Thursday May 14, 2015 @04:17PM (#49693361)

    ... of interest regarding the potential to hack planes, United offers rewards for finding vulnerabilities in their ground-based systems. But no trying to hack planes, or you'll be in trouble.

    I see a certain logic fail here.

  • they won't pay. not even in miles.
    • Well, here's an interesting question...

      If I hack their website such that I can give myself 93,000,000 air-miles, why should I tell United so that they'll give me "up to a million" air-miles?

  • one billion dollar bounty for anyone who can pass through solid wall without looking for or making a door.

    • one billion dollar bounty for anyone who can pass through solid wall without looking for or making a door.

      Are you allowed to look for Windows?

  • " The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt. "

    but THAT!!! is the easiest way IN!!!!

    Head in the sand will never work out well !!!

    • I wonder what happens if you just exploit them without probing first? After testing with an off-board flight system first of course, so you know exactly what will happen.

  • First Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club Second Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club If you tweet about it we're gonna call the FBI
  • I'm sick of companies putting out prizes to get work done instead of actually hiring people.
    What it amounts to is getting thousands of hours of labour for free.

    If the winner got a high salaried contract of employment it would still be a little predatory, but at least you could get behind the idea that maybe someone with great skills who never got the opportunity will get a good position out of it. That would be far too reasonable though. I mean, why pay that guy at all when the person organizing this nons

  • by Glasswire ( 302197 ) on Thursday May 14, 2015 @06:43PM (#49694389) Homepage

    and give myself a million miles, does that mean United will give a second million? Or just let me keep mine? So what do I need them for?

  • The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

    ... because those are not secured yet due to use of legacy software?

    • by suutar ( 1860506 )

      and hard to fix, because recertifying avionics is not fast. And if they do catch anyone scanning onboard systems, they don't have to consider "but I'm in this contest" as an excuse, they can just throw the book and be done with it.

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...