United Airlines is rewarding two hackers with 1 million free flight miles each for calling attention to security gaps on its website. The reward is the highest that can be given as part of the company’s new “bug bounty” scheme, which compensates hackers who opt to privately disclose security flaws instead of exploiting them or exposing them on the Internet.
As aviation network vulnerabilities begin to garner headlines, airlines are seeking new ways to protect themselves from cyber threats. Many technology companies have been offering bug bounties for years, but United may be the first in the aviation industry to adopt such a method – a sign that the airline is starting to catch up with the times, experts say.
“It [the bug bounty] shows more about the security posture of these companies. If you’re not up- to- date with your internal security stuff, you can’t do a bug bounty. It’s a good sign for the company, it shows they’re at a point where they handle these issues. Most companies can’t fix their internal problems themselves, even if you point them out,” says Jordan Wiens, one of the two security researchers awarded United's 1 million-mile bounty.
Researchers have known for years that criminal hackers have the capabilities to take control of in-flight communications systems and avionics equipment, and the aviation industry has been criticized for not doing more to protect itself.
In April, a report by the Government Accountability Office revealed that the Federal Aviation Administration (FAA) “lacked a systematic approach to assessing security risks in airplanes, relying instead on case-by-case ‘Special Conditions’ rules to address risks in specific airplane models,” the Monitor reported that month.
In response, the FAA in June convened its first committee to develop a set of cyber security protections for the industry. Still, experts widely say that addressing this issue is long overdue. United has experienced several major problems with its technology systems since 2012, when it adopted some of the systems previously utilized by its smaller merger partner, Continental Airlines.
Moreover, just weeks after its “bug bounty” scheme was unveiled, technical problems grounded United’s entire fleet twice, first preventing customers from checking in and then hindering the functionality of the software it uses to dispatch flight plans.
United said those problems were merely from technological glitches and not the work of nefarious hackers. Nevertheless, other airlines, such as the Polish company LOT, have recently been forced to ground flights due to cyberattacks.
Adding an extra dose of urgency to the situation, in May a security researcher with extensive knowledge of airline systems was banned from a United flight for sending out a sarcastic tweet about playing around with the airline’s Engine Indicator Crew Alert System.
The man responsible for the tweet was later questioned extensively by the FBI, which also claimed he had hacked into a plane’s navigation system and caused it to fly sideways.
Nevertheless, Mr. Wiens says he does not believe the tweeting incident was a catalyst for United to implement the “bug bounty”.
“They were probably thinking about this for a while,” he says, while adding that companies are finally starting to trust white hat hackers instead of slapping them with injunctions.
“There used to be this tension between security researchers who were releasing vulnerabilities and companies. Companies were really antagonistic. Now the bug bounties are a healthy replacement for that, we’re at a point in the industry in which we’re building trust. It’s a healthy maturation,” Wiens concludes.
Furthermore, the “bug bounty” schemes may be the best way for businesses to address these issues while also saving money, since offering a bounty is less expensive than hiring an outside consultant.
"Bounties can also benefit smaller companies who can't afford to give out cash rewards but can offer free products or services,” security consultant Dr. Jessica Barker told the BBC.
Rewarding miles may be the most cost-effective way for United to identify its glitches.
The company says it rewards the discovery of “basic third-party issues affecting its systems with 50,000 miles, exploits that could jeopardize the confidentiality of customer information get 250,000 miles, and major flaws related to remote-code execution earn a maximum of 1,000,000 miles.”
Furthermore, while Wiens confirms that it’s normal for big companies like United to have bugs, he says “bug bounty” schemes, and the publicity they get, make companies safer by discouraging malicious hackers.
“Hackers in general are lazy. People don’t want to waste their time looking for vulnerabilities, so malicious hackers aren’t going to bother people who have bug bounties because it shows they are looking at the problems,” he says.
“They want to go after companies that aren’t thinking about these things, that don’t have their internal security in order.”
The “bug bounty” scheme prohibits the hackers from subsequently disclosing information about the flaws they discovered, even after the flaws have been fixed, a fact that Wiens says ultimately hurts the industry by discouraging shared knowledge.