Slashdot Mirror


United Airlines Invites Hackers To Find Security Vulnerabilities

An anonymous reader writes: Following a recent spike of interest regarding the potential to hack planes, United Airlines has created the first rewards-for-exploits scheme in the aviation industry. The 'Bug-Bounty' program offers up to a million air miles for submitters who find a specific range of exploits in the company's websites and digital infrastructure. The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

54 comments

  1. Goodie ! by randalware · · Score: 4, Funny

    I will make reservations to Paris for two.
    Then go visit Dr. Falkin.

    --
    This is my opinion based on what little I know and understand of the rumors and lies. Thanks, Randal
    1. Re:Goodie ! by Anonymous Coward · · Score: 1

      help, my plane is moving by itself

    2. Re:Goodie ! by Joe_Dragon · · Score: 1

      reservations are not tickets and don't drop the soap

  2. bug bounty but no scanning by Anonymous Coward · · Score: 3, Insightful

    Sounds odd that they place the rule of no scanning of their network.
    How is anyone supposed to find out what the structure is without probing?

    1. Re:bug bounty but no scanning by ArsenneLupin · · Score: 1

      In simple words: It's a bounty on finding bugs in their terrestrial infrastructure (reservation web sites, etc.), not in their on-board systems.

      Scanning of networks is allowed, but only their ground networks.

  3. wtf by Anonymous Coward · · Score: 1

    They explicitly state brute-force attacks are not allowed and will "result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation"... then, the following section clearly states a 250,000 mile reward for discovering a brute-force attack. wtf.

    1. Re:wtf by SeaFox · · Score: 1

      /insert Admiral Ackbar image: IT'S A TRAP!

    2. Re:wtf by spiritplumber · · Score: 3, Insightful

      Heh. The problem with half these contests is that two weeks later they say "No, contest over and if you publish a vulnerability we'll sue you".

      --
      Liberty - Security - Laziness - Pick any two.
    3. Re:wtf by Anonymous Coward · · Score: 0

      The problem from my point of view is handing out a pittance in exchange for the valuable work of many people.

    4. Re:wtf by Anonymous Coward · · Score: 0

      > They explicitly state brute-force attacks are not allowed and will "result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation"... then, the following section clearly states a 250,000 mile reward for discovering a brute-force attack. wtf.

      It's the airline's version of a honeypot intended to send "contestants" to an all-expense-paid vacation at Club Gitmo. You can checkout but you can never leave.

    5. Re:wtf by Lehk228 · · Score: 1

      so publish it anonymously (don't forget your 7 proxies) as a fully functional metasploit plugin.

      --
      Snowden and Manning are heroes.
    6. Re:wtf by TheRaven64 · · Score: 1

      It's hard to translate miles into actual value. 30K United miles + fees buys you a transatlantic flight. When I was looking a couple of weeks ago, it was the same going from LHR to EWR or SFO, with $188 for the UK leg and about $6 in the other direction (UK airport taxes are pretty huge). The round trip to SFO is about $1200 without the miles, so 60K miles works out to about $1K on that. That makes the value of 250K miles about $4000. This is a pretty low bug bounty.

      On the other hand, the value depends a lot on whether they count as Premier qualifying miles and flight miles or not. If they count as PQM then the 250K is enough to give you the highest level of Premier status, which means you're at the head of the queue for upgrades and get a number of other benefits. If they count as flight miles (exceedingly unlikely!) then it's a quarter of the way to the million mile thing, which gives you Star Alliance Gold for life (and, having flown far too much recently, I can attest to the fact that Gold status makes it far less annoying. Apparently it actually becomes enjoyable at higher levels, but I'm hoping not to fly enough to find out).

      --
      I am TheRaven on Soylent News
  4. Screw That. by TechyImmigrant · · Score: 2

    I've got all the points and arse ache I need.
    I want a status upgrade. PQMs or go away.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. Since the rewards are _air_miles_... by Ann+O'Nymous-Coward · · Score: 1

    ...I would've thought that fact alone would be enough to discourage anyone (who's not actually suicidal) from stuffing around with onboard systems.

    After all, if you win air miles, aren't you and/or friends & family that much more likely to be onboard when a hacked system goes titsup?

    Or am I giving the average hacker too much credit for common sense?

  6. Translation by countSudoku() · · Score: 3, Insightful

    Translation: We can't afford (read: won't pay) for real security personnel, so we'll let strangers do it on a dare and not even to any interesting assets like a fucking plane! No, just hack our shitty web site and we'll offer you some "free miles" that will be highly restricted and next to worthless, but don't fear, wherever you end up going will be a horrible journey filled with ignorant TSA agents frisking your panties and smelling your shoes and then if your fucking pilot decides NOT to crash the plane into a building or a mountain you might end up killing yourself at your destination rather than face the social rape that is modern air travel.

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    1. Re:Translation by BarbaraHudson · · Score: 1

      Does anyone still think "oh wow, airmiles!!!"? What's a million airmiles worth? $3,000.00 to $6,500.00

      This is like the guy who says "I lost my wallet with $1,000.00 in it. I'll pay $100.00 to whoever finds it!" Someone else immediately says "I'll pay $200.00"

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Translation by magarity · · Score: 2

      > Translation: We can't afford (read: won't pay) for real security personnel

      In all fairness, United is a huge company and like any huge company has tremendous inertia. Probably it's nearly impossible to get IT security bugs properly identified and fixed even if the CEO came to daily scrum meetings. A bounty for external parties is at least a realization they have this problem.

    3. Re:Translation by TechyImmigrant · · Score: 2

      I'm a united frequent flyer.

      To get an upgrade on an international (atlantic or pacific crossing) flight will cost you 30,000 points and $500.
      The points have no value without extra money.

      Status is everything, points accumulate faster than you can spend them if you are a frequent flyer. With status you don't get a middle seat, you're first in line for upgrades, they don't bump you on overbooked flights. Status matters.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Translation by rtb61 · · Score: 1

      Now is that a million first class air miles or cargo class in a box? It kind of makes a big difference. If they are offering free trips in an aluminium death tube, they had better make them at least comfortable trips. Even better, they could offer a million cruise ship miles; then the journey is the fun.

      --
      Chaos - everything, everywhere, everywhen
    5. Re:Translation by Skapare · · Score: 1

      ... and face the wrath of ignorant pilots?

      --
      now we need to go OSS in diesel cars
    6. Re:Translation by nnull · · Score: 1

      Pretty much. Worst of all, all those miles are pretty much worthless because they only let you fly on some of the worst possible flights with travel time in excess of 30 hours to get to your destination. I have over a million miles clocked up with Delta and I find it completely useless, even on upgrades. They never let me travel on the dates I want to travel and if by sheer luck they do have one on a date I want to travel, it's a flight with over 20 hours of travel. I would rather pay for a ticket that gives me the shortest amount of travel time and pay for an upgrade.

      All in all, this deal doesn't even entice me at all unless there was some financial gain here.

  7. Plane layout bug. by Anonymous Coward · · Score: 0

    So, who's gonna be the one to show them the seating layout bug that keeps taking an inch off of all dimensions of airliner seats every year?

  8. Following a recent spike .... by PPH · · Score: 2

    ... of interest regarding the potential to hack planes, United offers rewards for finding vulnerabilities in their ground-based systems. But no trying to hack planes, or you'll be in trouble.

    I see a certain logic fail here.

    --
    Have gnu, will travel.
  9. scam by turkeydance · · Score: 1

    they won't pay. not even in miles.

    1. Re:scam by R3d+M3rcury · · Score: 1

      Well, here's an interesting question...

      If I hack their website such that I can give myself 93,000,000 air-miles, why should I tell United so that they'll give me "up to a million" air-miles?

  10. Not for actual aircraft systems by Anonymous Coward · · Score: 0

    "Investigation of actual on-board systems, including in-flight entertainment systems, is banned from the scheme, and United promises additionally to subject anyone who attempts such probing to criminal prosecution."

    We'll let you play with our web site as much as you want if you'll stop poking around the actual planes.

    1. Re:Not for actual aircraft systems by Anonymous Coward · · Score: 0

      They don't make the call about criminal prosecution. I think that is the TSA / FAA / other GOV's call.

  11. Even a stopped clock is right twice a day by Anonymous Coward · · Score: 0

    United is a pretty crappy company, I assume someone new came up with this idea. Damn uppity fool, United will eat your soul!

  12. The best part, FAA fines cover the whole thing! by Anonymous Coward · · Score: 0

    Not only is there no prize, you get to pay 100 grand when you win!

  13. in other news... by zlives · · Score: 1

    one billion dollar bounty for anyone who can pass through a solid wall without looking for or making a door.

    1. Re:in other news... by Em+Adespoton · · Score: 1

      > one billion dollar bounty for anyone who can pass through a solid wall without looking for or making a door.

      Are you allowed to look for Windows?

    2. Re:in other news... by zlives · · Score: 1

      yes but then you have to pay a billion dollars or life in prison.

  14. bugs by JohnVanVliet · · Score: 1

    > "The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt."

    but THAT!!! is the easiest way IN!!!!

    Head in the sand will never work out well !!!

    --
    "I don't pitch OpenSUSE Linux to my friends, I let Microsoft do it for me."
    1. Re:bugs by Em+Adespoton · · Score: 1

      I wonder what happens if you just exploit them without probing first? After testing with an off-board flight system first of course, so you know exactly what will happen.

    2. Re:bugs by Skapare · · Score: 1

      what if we hack into their simulators and simulate flying into the Alps?

      --
      now we need to go OSS in diesel cars
  15. Airline miles... by Anonymous Coward · · Score: 0

    What do these numbers translate to, roughly? A million flyer miles:
    $100-$200?

  16. First Rule of United Airlines Hack Club by l0ungeb0y · · Score: 1

    First Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club. Second Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club. If you tweet about it we're gonna call the FBI.

  17. Who else is tired of playing "win your paycheck" ? by Anonymous Coward · · Score: 1

    I'm sick of companies putting out prizes to get work done instead of actually hiring people.
    What it amounts to is getting thousands of hours of labour for free.

    If the winner got a high salaried contract of employment it would still be a little predatory, but at least you could get behind the idea that maybe someone with great skills who never got the opportunity will get a good position out of it. That would be far too reasonable though. I mean, why pay that guy at all when the person organizing this nonsense can just hand out a few air miles instead and get a bonus?

    Does this happen in other industries? I'm sure it could be applied to all kinds of situations.
    Imagine you owned a diamond mine but didn't really want to pay your workers. You use all that MBA know-how to come up with the following plan: Anyone who wants to can go in the mine at any time (you have security 24/7 to make sure nothing is taken). Nobody gets paid, but anyone who comes across a large diamond gets a 5,000 dollar prize! Imagine all the desperate people you'll be able to get to mine diamonds for you without paying them!

  18. Award miles only and no employees / code share by Anonymous Coward · · Score: 0

    Award miles only and no employees / code share employees / family member or household member of them as well.

    What a joke.

  19. Re:Who else is tired of playing "win your paycheck by darkain · · Score: 1

    Oh, so like Bitcoin!

  20. dem haxx0rz by Anonymous Coward · · Score: 0

    r in ur plaens nao

  21. Re:Who else is tired of playing "win your paycheck by BarbaraHudson · · Score: 1

    1. Find big valuable diamond.
    2. Smash into 100 smaller diamonds.
    3. ($500,000.00) PROFIT.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  22. If I get into United's reward system.... by Glasswire · · Score: 2

    and give myself a million miles, does that mean United will give a second million? Or just let me keep mine? So what do I need them for?

    1. Re:If I get into United's reward system.... by TechyImmigrant · · Score: 1

      Give yourself Global Services status instead. It's far more useful.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  23. Hey UA! by Anonymous Coward · · Score: 0

    I got your Brute Force attack right here!

  24. digital security only.. wasted opportunity by Anonymous Coward · · Score: 0

    If they'd put up a few bug bounties for physical infrastructure they would be thousands of times as effective in improving security per dollar as the security improv group at the end of the line.

  25. it's about taking control of the story/keywords by SuperBanana · · Score: 2

    > Translation: We can't afford (read: won't pay) for real security personnel,

    Eh, not really. I guarantee you they have a lot of "real" security personnel.

    This is about taking over control of the story; it's a sort of "pay no attention to the thing we don't want you to hear about" (i.e. the fact that their onboard infotainment/networking and satellite uplink systems are ludicrously insecure) and "pay attention to this other thing."

    Now when you search for "united hacking", you'll get a billion stories about the bug bounty, and few about the original problem - that a passenger was able to walk all over stuff he shouldn't have been able to. It's already starting to work, a few hours in:

    https://imgur.com/0rGuKaL

    It also helps them look, to shareholders/the market/the public, like they're "responding" and making an effort to "improve security."

  26. Lame double-talk rules by Anonymous Coward · · Score: 0

    The highest payout is for Remote code execution, but performing code injection on live systems is prohibited. Assuming that united.com, beta.united.com and mobile.united.com are all live systems, that means getting the highest payout involves finding remote code execution attacks against the United app (for Android and iOS).

    Also, since cross-site attacks involving United Airlines are probably worth more to certain other groups than just a 50,000 mile payout, I don't see why anyone would bother taking the time to report it to United.

    They also will not pay out anything at all until the bug has been remediated. While they claim the desired timeframe is 90 days, they put no upper limit on how long it will take them to remediate. Since they reserve the right to change the offer and MileagePlus Program at any time and without notice, someone who reports may discover that the actual terms/value of the payout greatly change once United gets around to remediation of the bug.

    I don't see why anyone would bother to report to United under these conditions.

  27. Been there, done that by Anonymous Coward · · Score: 0

    Not the flight systems (aside from the moral issue of that, I don't like dying), but I was able to download one of their movies from the complimentary wi-fi using FFmpeg. I wouldn't really call it much of a hack though. :-D

  28. on-board flight systems? by Skapare · · Score: 1

    > The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

    ... because those are not secured yet due to use of legacy software?

    --
    now we need to go OSS in diesel cars
    1. Re:on-board flight systems? by suutar · · Score: 1

      and hard to fix, because recertifying avionics is not fast. And if they do catch anyone scanning onboard systems, they don't have to consider "but I'm in this contest" as an excuse, they can just throw the book and be done with it.

  29. How to repel potential customers by Anonymous Coward · · Score: 0

    Wow, United, I can't think of a better way to scare potential customers away.

    "Hey, folks! Come fly with us, but don't be surprised if our plane is hacked, or just stops working mid-flight, or if we have absolutely no trace of your ticket a few days after you purchase it."

  30. In the words of Homer Simpson... DOH! by Anonymous Coward · · Score: 0

    Pretty clear to me that whoever wrote these rules has no idea how any of this stuff works...

    > Bugs that are eligible for submission:
    > [...]
    > The ability to brute-force reservations, MileagePlus numbers, PINs or passwords

    > Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation.
    > Brute-force attacks

  31. As someone who does this... by Anonymous Coward · · Score: 0

    As someone who hacks aircraft systems as part of his job (yes, we do exist, few and far between), one of the problems is the equipment manufacturers don't want the attention and they are in the position of power too often. That said, if you had the money you could buy some of these systems yourselves; a lot of what I do is just hooking them up on a benchtop...