US airline pays millions of air-miles in bug bounties to flaw-finders

United Airlines makes two separate frequent-flier pay-outs after researchers report security vulns

By Stephen McBride. Published July 16, 2015

US carrier United Airlines has awarded millions of frequent-flier miles to hackers who reported cyber vulnerabilities in the company's on-board Wi-Fi network, Reuters reported.

While compensation for freelance analysts who uncover cyber-security flaws is not new, UA's move is reportedly a first for the US civil aviation sector. The airline confirmed it had made two awards of one million miles each, but declined to comment on separate smaller awards reported on Twitter.

UA started its bug-bounty scheme in May after two separate incidents severely impacted operations: one that locked ground staff out of the reservation system and another that prevented circulation of a flight plan.

In April, the US Government Accountability Office released a report highlighting the concerns of four cyber security specialists about cyber security on commercial aircraft. The US Federal Aviation Administration and airlines have been working to modernise planes and flight tracking with Internet-based technology. It is this interconnectivity that the GAO is concerned about. Its report noted that cockpit systems are tied, albeit indirectly, to the passenger cabin, through shared networks. While critical systems are heavily firewalled, the security consultants interviewed by the GAO said the system was hackable.

In May, US hacker Chris Roberts told FBI agents that he had hacked into the navigation systems of a commercial US airliner through the plane's inflight entertainment system, and successfully executed a "climb" command.

It is not clear if UA's awards covered flaws as potentially life-threatening as the one Roberts claimed to have uncovered. The rules of the programme prevent disclosure of the exact nature of vulnerabilities found, but cyber researcher Jordan Wiens, one of the recipients of United's 1m-mile pay-outs, tweeted: "The miles alone tell you the bug class/severity... I will say it wasn't technically challenging though."
