Hack our website, but please not our aeroplanes – the invite from United Airlines to friendly hackers
United Airlines has added a twist to the bug bounty scheme, offering friendly hackers frequent flyer miles if they can hack into its corporate websites and mobile apps.
But the airline doesn’t want hackers attempting to compromise airline avionics, in-flight Wi-Fi or entertainment systems.
The US airline claimed that its unusual bug bounty scheme is the first to be offered by an airline. Instead of the usual cash reward, friendly hackers will receive between 50,000 and 1 million frequent flyer miles depending on the severity of the vulnerabilities they unearth.
But the airline warned that hackers would be permanently disqualified from the bug bounty program and face possible criminal and/or legal investigation if they attempt brute-force attacks, code injection on live systems, or disruption or denial-of-service attacks, or if they breach any of a number of other restrictions, including one on threats against airline staff.
“At United, we take your safety, security and privacy seriously,” said the airline. “We utilise best practices and are confident that our systems are secure. We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program – the first of its kind within the airline industry.
“We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.”
While the United bounty program is more focused on safeguarding its corporate websites and customer data, there is growing concern over the security risks with onboard aeroplane systems.
Last month the US Government Accountability Office warned that in-flight Wi-Fi could be used by terrorists or other hackers to take control of an aircraft’s avionic systems.
It is concerned because avionic systems that have traditionally been self-contained are now sharing the same network as passenger Wi-Fi, raising the possibility of remote unauthorised access.
And United Airlines found itself at the centre of a security row last month, when one of the world’s foremost experts on counter-threat intelligence within the cybersecurity industry was hauled off one of its flights by the FBI.
Chris Roberts, of Colorado-based One World Labs, a security intelligence and risk detection firm, had provided warnings to a number of journalists, including Fox News, about the vulnerabilities associated with in-flight technology.
Roberts was on his way to a security conference, but when his plane landed, he was removed, detained and interrogated. The FBI also reportedly confiscated his electronic devices and demanded he give them access to his data.
What made that detention laughable is that Roberts is regularly hired by private companies to help them identify threats to financial and intellectual property, customer data and other protected information. Indeed, the FBI (and other government agencies) have also consulted with him three times in order to get his guidance on protecting airplanes from cyberhackers.
It remains to be seen whether Roberts will be tempted to take United up on its bug bounty offer.