
United Airlines awards 'bug bounty': Is it getting cybersecurity savvy?

United Airlines is rewarding two hackers with 1 million free flight miles each for calling attention to security gaps on its website. Is the company's adoption of a scheme tech companies have been using for years a sign it’s catching up with the times?

Julio Cortez/AP/File
A United Airlines plane, top left, takes off from Newark Liberty International Airport, in Newark, N.J., July 25, 2013.

United Airlines is rewarding two hackers with 1 million free flight miles each for calling attention to security gaps on its website. The reward is the highest that can be given as part of the company’s new “bug bounty” scheme, which compensates hackers who opt to privately disclose security flaws instead of exploiting them or exposing them on the Internet.

As aviation network vulnerabilities begin to garner headlines, airlines are seeking new ways to protect themselves from cyber threats. Many technology companies have been offering bug bounties for years, but United may be the first in the aviation industry to adopt such a method — a sign that the airline is starting to catch up with the times, experts say.

“It [the bug bounty] shows more about the security posture of these companies. If you’re not up-to-date with your internal security stuff, you can’t do a bug bounty. It’s a good sign for the company, it shows they’re at a point where they handle these issues. Most companies can’t fix their internal problems themselves, even if you point them out,” says Jordan Wiens, one of the two security researchers awarded United's 1 million-mile bounty.

Researchers have known for years that criminal hackers have the capabilities to take control of in-flight communications systems and avionics equipment, and the aviation industry has been criticized for not doing more to protect itself.

In April, a report by the Government Accountability Office revealed that the Federal Aviation Administration (FAA) “lacked a systematic approach to assessing security risks in airplanes, relying instead on case-by-case ‘Special Conditions’ rules to address risks in specific airplane models,” the Monitor reported that month.

In response, the FAA in June convened its first committee to develop a set of cybersecurity protections for the industry. Still, experts widely say that addressing this issue is long overdue. United has experienced several major problems with its technology systems since 2012, when it adopted some of the systems previously utilized by its smaller merger partner, Continental Airlines.

Moreover, just weeks after its “bug bounty” scheme was unveiled, technical problems grounded United’s entire fleet twice, first preventing customers from checking in and then hindering the functionality of the software it uses to dispatch flight plans.

United said those problems were merely from technological glitches and not the work of nefarious hackers. Nevertheless, other airlines, such as the Polish company LOT, have recently been forced to ground flights due to cyberattacks.

Adding an extra dose of urgency to the situation, in May a security researcher with extensive knowledge of airline systems was banned from a United flight for sending out a tweet about playing around with the airline’s Engine Indicator Crew Alert System.

The man responsible for the tweet was later questioned extensively by the FBI, which also claimed he had hacked into a plane鈥檚 navigation system and caused it to fly sideways.

Nevertheless, Mr. Wiens says he does not believe the tweeting incident was a catalyst for United to implement the “bug bounty”.

“They were probably thinking about this for a while,” he says, while adding that companies are finally starting to trust white hat hackers instead of slapping them with injunctions.

“There used to be this tension between security researchers who were releasing vulnerabilities and companies. Companies were really antagonistic. Now the bug bounties are a healthy replacement for that, we’re at a point in the industry in which we’re building trust. It’s a healthy maturation,” Wiens concludes.

Furthermore, the “bug bounty” schemes may be the best way for businesses to address these issues while also saving money, since offering a bounty is less expensive than hiring an outside consultant.

“Bounties can also benefit smaller companies who can't afford to give out cash rewards but can offer free products or services,” security consultant Dr. Jessica Barker says.

Rewarding miles may be the most cost-effective way for United to identify its glitches.

The program’s terms state that it rewards the discovery of “basic third-party issues affecting its systems with 50,000 miles, exploits that could jeopardize the confidentiality of customer information get 250,000 miles, and major flaws related to remote-code execution earn a maximum of 1,000,000 miles.”

Furthermore, while Wiens confirms that it’s normal for big companies like United to have bugs, he says “bug bounty” schemes, and the publicity they get, make companies safer by discouraging malicious hackers.

“Hackers in general are lazy. People don’t want to waste their time looking for vulnerabilities, so malicious hackers aren’t going to bother people who have bug bounties because it shows they are looking at the problems,” he says.

“They want to go after companies that aren’t thinking about these things, that don’t have their internal security in order.”

The “bug bounty” scheme prohibits the hackers from subsequently disclosing information about the flaws they discovered, even after the flaws have been fixed, a fact that Wiens says ultimately hurts the industry by discouraging shared knowledge.

/Business/2015/0717/United-Airlines-awards-bug-bounty-Is-it-getting-cybersecurity-savvy