United Will Reward People Who Flag Security Flaws—Sort Of

United Airlines is launching a bug bounty program inviting researchers to report bugs, just weeks after the airline banned a security researcher for doing something similar.
A United Airlines flight lands at the Denver International Airport, February 20, 2015. Photo: Joe Amon/The Denver Post/Getty

United Airlines announced this week that it's launching a bug bounty program inviting researchers to report bugs in its websites, apps and online portals.

The announcement comes weeks after the airline kicked a security researcher off of one of its flights for tweeting about vulnerabilities in the Wi-Fi and entertainment networks of certain models of United planes made by Boeing and Airbus.

It's believed to be the first bounty program offered by an airline. But curiously, United's announcement doesn't invite researchers to submit the most crucial vulnerabilities they could find: those in onboard computer networks, such as the Wi-Fi and entertainment systems. In fact, the bounty program specifically excludes "bugs on onboard Wi-Fi, entertainment systems or avionics," and United notes that "[a]ny testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi" could result in a criminal investigation.

"At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure," United's announcement reads.

Researchers who report vulnerabilities in the airline's websites or apps, however, will be rewarded. How much cash will they receive? None. Instead, United will pay out in mileage points. The awards range from 50,000 points for cross-site scripting bugs to 1 million for high-severity vulnerabilities that could allow an attacker to achieve remote code execution on a United system. For comparison, most bug bounty programs offered by companies like Google, Microsoft and Facebook pay researchers cash ranging from $1,500 to more than $200,000, depending on the type and severity of the vulnerability.

The Recent Flap That Prompted the Bounty Program

Last month, we wrote extensively about security researcher Chris Roberts, who was detained by FBI agents in New York and later banned from a United flight. Roberts was flying a United Airlines Boeing 737-800 from Chicago to Syracuse when news broke of a government report describing potential security holes in Boeing and Airbus planes. The report from the Government Accountability Office noted that security issues with passenger Wi-Fi networks on several models of aircraft could allow hackers to access critical avionics systems and hijack the flight controls.

Roberts, a respected cybersecurity professional with One World Labs, had been researching the security of airline onboard networks since 2009 and had reported vulnerabilities to Boeing and Airbus, to little effect. In response to the GAO report, he sent out a tweet from the air saying, "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM,? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone?." He punctuated the tweet with a smiley face.

His tweet about the Engine-Indicating and Crew-Alerting System, or EICAS, was a reference to research he'd done years earlier on vulnerabilities in inflight entertainment networks, vulnerabilities that could allow an attacker to access cabin controls and deploy a plane's oxygen masks.

When Roberts landed in Syracuse, he was met by two FBI agents and two Syracuse police officers who seized his computer and other electronics and detained him for an interrogation that lasted several hours. When Roberts attempted to board another United flight to San Francisco days later, he was barred by the airline and had to book a flight with Southwest.

Although Roberts says he did not explore the United networks during his flight to Syracuse, he had admitted to the FBI months earlier, during a separate interview, that on past flights he had indeed explored onboard networks of planes while inflight.

Following his interrogation in Syracuse, the FBI and TSA issued a warning to all airlines to be on the lookout for passengers attempting to hack into onboard networks through Wi-Fi or the media systems below airplane seats.

In response to United's announcement of its new bug bounty program, Roberts sent out a new tweet.