United Airlines Invites Hackers To Find Security Vulnerabilities

← Back to Stories (view on slashdot.org)

United Airlines Invites Hackers To Find Security Vulnerabilities

Posted by timothy on Thursday May 14, 2015 @09:00AM from the how-to-get-non-flyer-miles dept.

An anonymous reader writes: Following a recent spike of interest regarding the potential to hack planes, United Airlines has created the first rewards-for-exploits scheme in the aviation industry. The 'Bug-Bounty' program offers up to a million air miles for submitters who find a specific range of exploits in the company's websites and digital infrastructure. The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

37 of 54 comments (clear)

Min score:

Reason:

Sort:

Goodie ! by randalware · 2015-05-14 09:03 · Score: 4, Funny

I will make reservations to Paris for two.
Then go visit Dr. Falkin.

--
This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
1. Re:Goodie ! by Anonymous Coward · 2015-05-14 09:17 · Score: 1
  
  help, my plane is moving by itself
2. Re:Goodie ! by Joe_Dragon · 2015-05-14 11:36 · Score: 1
  
  reservations are not tickets and don't drop the soap
bug bounty but no scanning by Anonymous Coward · 2015-05-14 09:08 · Score: 3, Insightful

sounds odd they place the rule of no scanning of their network.
how is anyone suppose to find out what the structure is without probing
1. Re:bug bounty but no scanning by ArsenneLupin · 2015-05-15 00:05 · Score: 1
  
  In simple words: It's a bounty on finding bugs in their terrestrial infrastructure (reservation web sites, etc.), not in their on-board systems.
  Scanning of networks is allowed, but only their ground networks.
wtf by Anonymous Coward · 2015-05-14 09:08 · Score: 1

They explicitly state brute-force attacks are not allowed and will "result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation"... then, the following section clearly states a 250,000 mile reward for discovering a brute-force attack. wtf.
1. Re:wtf by SeaFox · 2015-05-14 09:11 · Score: 1
  
  /insert Admiral Ackbar image: IT'S A TRAP!
2. Re:wtf by spiritplumber · 2015-05-14 09:12 · Score: 3, Insightful
  
  Heh. The problem with half these contests is that two weeks later they say "No, contest over and if you publish a vulnerability we'll sue you".
  
  --
  Liberty - Security - Laziness - Pick any two.
3. Re:wtf by Lehk228 · 2015-05-14 14:51 · Score: 1
  
  so publish it anonymously (don't forget your 7 proxies) as a fully functional metasploit plugin.
  
  --
  Snowden and Manning are heroes.
4. Re:wtf by TheRaven64 · 2015-05-14 20:34 · Score: 1
  
  It's hard to translate miles into actual value. 30K United miles + fees buys you a transatlantic flight. When I was looking a couple of weeks ago, it was the same going from LHR to EWR or SFO, with $188 for the UK leg and about $6 in the other direction (UK airport taxes are pretty huge). The round trip to SFO is about $1200 without the miles, so 60K miles works out to about $1K on that. That makes the value of 250K miles about $4000. This is a pretty low bug bounty.
  On the other hand, the value depends a lot on whether they count as premiere qualifying miles and flight miles or not. If they count as PQM then the 250K is enough to give you the highest level of premiere status, which means you're at the head of the queue for upgrades and get a number of other benefits. If they count as flight miles (exceedingly unlikely!) then it's a quarter of the way to the million mile thing, which gives you star alliance gold for life (and, having flown far too much recently, I can attest to the fact that gold status makes it far less annoying. Apparently it actually become enjoyable at higher levels, but I'm hoping not to fly enough to find out).
  
  --
  I am TheRaven on Soylent News
Screw That. by TechyImmigrant · 2015-05-14 09:09 · Score: 2

I've got all the points and arse ache I need.
I want a status upgrade. PQMs or go away.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Since the rewards are _air_miles_... by Ann+O'Nymous-Coward · 2015-05-14 09:11 · Score: 1

...I would've thought that fact alone would be enough to discourage anyone (who's not actually suicidal) from stuffing around with onboard systems.
After all, if you win air miles, aren't you and/or friends & family that much more likely to be onboard when a hacked system goes titsup?
Or am I giving the average hacker too much credit for common sense?
Translation by countSudoku() · 2015-05-14 09:11 · Score: 3, Insightful

Translation: We can't afford (read: won't pay) for real security personnel, so we'll let strangers do it on a dare and not even to any interesting assets like a fucking plane! No, just hack our shitty web site and we'll offer you some "free miles" that will be highly restricted and next to worthless, but don't fear, wherever you end up going will be a horrible journey filled with ignorant TSA agents frisking your panties and smelling your shoes and then if your fucking pilot decides NOT to crash the plane into a building or a mountain you might end up killing yourself at your destination rather than face the social rape that is modern air travel.

--
This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
1. Re:Translation by BarbaraHudson · 2015-05-14 09:40 · Score: 1
  
  Does anyone still think "oh wow, airmiles!!!" ? What's a million airmiles worth? 3,000.00 to $6,500.00
  This is like the guy who says "I lost my wallet with $1,000.00 in it. I'll pay $100.00 to whoever finds it!" Someone else immediately says "I'll pay $200.00"
  
  --
  "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
2. Re:Translation by magarity · 2015-05-14 09:47 · Score: 2
  
  Translation: We can't afford (read: won't pay) for real security personnel
  In all fairness, United is a huge company and like any huge company has tremendous inertia. Probably it's nearly impossible to get IT security bugs properly identified and fixed even if the CEO came to daily scrum meetings. A bounty for external parties is at least a realization they have this problem.
3. Re:Translation by TechyImmigrant · 2015-05-14 10:10 · Score: 2
  
  I'm a united frequent flyer.
  To get an upgrade on an international (atlantic or pacific crossing) flight will cost you 30,000 points and $500.
  The points have no value without extra money.
  Status is everything, points accumulate faster than you can spend them if you are a frequent flyer. With status you don't get a middle seat, you're first in line for upgrades, they don't bump you on overbooked flights. Status matters.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
4. Re:Translation by rtb61 · 2015-05-14 16:31 · Score: 1
  
  Now is that a million first class air miles or cargo class in box. It kind of makes a big difference. If they are offering free trips in a aluminium death tube, they had better make them at least comfortable trips. Even better they could offer a million cruise ship miles, then the journey is the fun.
  
  --
  Chaos - everything, everywhere, everywhen
5. Re:Translation by Skapare · 2015-05-14 21:29 · Score: 1
  
  ... and face the wrath of ignorant pilots?
  
  --
  now we need to go OSS in diesel cars
6. Re:Translation by nnull · 2015-05-15 03:27 · Score: 1
  
  Pretty much. Worst of all, all those miles are pretty much worthless because they only let you fly on some of the worst possible flights with travel time in excess of 30 hours to get to your destination. I have over a million miles clocked up with Delta and I find it completely useless, even on upgrades. They never let me travel on the dates I want to travel and if by sheer luck they do have one on a date I want to travel, it's a flight with over 20 hours of travel. I would rather pay for a ticket that gives me the shortest amount of travel time and pay for an upgrade.
  
  All in all, this deal doesn't even entice me at all unless there was some financial gain here.
Following a recent spike .... by PPH · 2015-05-14 09:17 · Score: 2

... of interest regarding the potential to hack planes, United offers rewards for finding vulnerabilities in their ground-based systems. But no trying to hack planes, or you'll be in trouble.
I see a certain logic fail here.

--
Have gnu, will travel.
scam by turkeydance · 2015-05-14 09:22 · Score: 1

they won't pay. not even in miles.
1. Re:scam by R3d+M3rcury · 2015-05-14 12:57 · Score: 1
  
  Well, here's an interesting question...
  If I hack their website such that I can give myself 93,000,000 air-miles, why should I tell United so that they'll give me "up to a million" air-miles?
in other news... by zlives · 2015-05-14 09:42 · Score: 1

one billion dollar bounty for anyone who can pass through solid wall without looking for or making a door.
1. Re:in other news... by Em+Adespoton · 2015-05-14 10:10 · Score: 1
  
  one billion dollar bounty for anyone who can pass through solid wall without looking for or making a door.
  Are you allowed to look for Windows?
2. Re:in other news... by zlives · 2015-05-14 11:15 · Score: 1
  
  yes but then you have to pay a billion dollars or life in prison.
bugs by JohnVanVliet · 2015-05-14 09:43 · Score: 1

" The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt. "
but THAT!!! is the easiest way IN!!!!
Head in the sand will never work out well !!!

--
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
1. Re:bugs by Em+Adespoton · 2015-05-14 10:12 · Score: 1
  
  I wonder what happens if you just exploit them without probing first? After testing with an off-board flight system first of course, so you know exactly what will happen.
2. Re:bugs by Skapare · 2015-05-14 21:15 · Score: 1
  
  what if we hack into their simulators and simulate flying into the Alps?
  
  --
  now we need to go OSS in diesel cars
First Rule of United Airlines Hack Club by l0ungeb0y · 2015-05-14 09:56 · Score: 1

First Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club Second Rule of United Airlines Hack Club is that you don't tweet about United Airlines Hack Club If you tweet about it we're gonna call the FBI
Who else is tired of playing "win your paycheck" ? by Anonymous Coward · 2015-05-14 10:09 · Score: 1

I'm sick of companies putting out prizes to get work done instead of actually hiring people.
What it amounts to is getting thousands of hours of labour for free.
If the winner got a high salaried contract of employment it would still be a little predatory, but at least you could get behind the idea that maybe someone with great skills who never got the opportunity will get a good position out of it. That would be far too reasonable though. I mean, why pay that guy at all when the person organizing this nonsense can just hand out a few air miles instead and get a bonus?
Does this happen in other industries? I'm sure it could be applied to all kinds of situations.
Imagine you owned a diamond mine but didn't really want to pay your workers. You use all that MBA know-how to come up with the following plan: Anyone who wants to can go in the mine at any time(you have security 24/7 to make sure nothing is taken). Nobody gets paid, but anyone who comes across a large diamond gets a 5,000 dollar prize! Imagine all the desperate people you'll be able to get to mine diamonds for you without paying them!
Re:Who else is tired of playing "win your paycheck by darkain · 2015-05-14 10:59 · Score: 1

Oh, so like Bitcoin!
Re:Who else is tired of playing "win your paycheck by BarbaraHudson · 2015-05-14 11:40 · Score: 1

1. Find big valuable diamond.
2. Smash into 100 smaller diamonds.
3. ($500,000.00) PROFIT.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
If I get into United's reward system.... by Glasswire · 2015-05-14 11:43 · Score: 2

and give myself a million miles, does that mean United will give a second million? Or just let me keep mine? So what do I need them for?
1. Re:If I get into United's reward system.... by TechyImmigrant · 2015-05-14 12:13 · Score: 1
  
  Give yourself Global Services status instead. It's far more useful.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
it's about taking control of the story/keywords by SuperBanana · 2015-05-14 13:22 · Score: 2

> Translation: We can't afford (read: won't pay) for real security personnel,
Eh, not really. I guarantee you they have a lot of "real" security personnel.
This is about taking over control of the story; it's a sort of "pay no attention to the thing we don't want you to hear about" (ie the fact that their onboard infotainment/networking and satellite uplink systems are ludicrously insecure) and "pay attention to this other thing."
Now when you search for "united hacking", you'll get a billion stories about the bug bounty, and few about the original problem - that a passenger was able to walk all over stuff he shouldn't have been able to. It's already starting to work, a few hours in:
https://imgur.com/0rGuKaL
It also helps them look, to shareholders/the market/the public, like they're "responding" and making an effort to "improve security."

--
Please help metamoderate.
on-board flight systems? by Skapare · 2015-05-14 21:12 · Score: 1

The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.
... because those are not secured yet due to use of legacy software?

--
now we need to go OSS in diesel cars
1. Re:on-board flight systems? by suutar · 2015-05-15 04:38 · Score: 1
  
  and hard to fix, because recertifying avionics is not fast. And if they do catch anyone scanning onboard systems, they don't have to consider "but I'm in this contest" as an excuse, they can just throw the book and be done with it.