United Airlines is offering 1 million rewards miles to hackers who report vulnerabilites in the company’s website or apps. The company claims it’s the first cybersecurity incentive program in the industry. But noteably, the “bug bounty program” does not apply to “bugs on onboard Wi-Fi, entertainment systems or avionics.” Basically, the company doesn’t want independent researchers vetting the systems that actually make planes fly.
The program debuted last week, less than a month after security researcher Chris Roberts was banned from flying on United after he tweeted about onboard Wi-Fi security vulnerabilities while on one of the company’s flights. Roberts implied in a tweet that he could access navigation systems and control passenger oxygen masks. In response, the FBI met him at the gate in Syracuse, New York, when he landed. Later, in conjunction with TSA, the agency issued a warning to airlines to be on alert for hackers.
The bug bounty program could have been in the works before this incident but either way it certainly speaks to the importance of engaging security researchers, sometimes called white-hat hackers, instead of alienating them. As Dan Gillmor wrote on Slate, “If United and the aviation industry as a whole want to earn customers’ confidence in this situation, they should put Roberts and a bunch of other white-hat hackers on retainer.”
That’s not exactly what United is doing, though. The company has made good security updates to its Web site, and a beta version that includes default page encryption (“https” at the beginning of the URLs) launched last week. Testing this and other new security features is important, but if bug hunters are discouraged from testing their ability to access flight systems, the bounty won’t help with the most crucial (and dangerous) vulnerabilities.
To be fair, it’s probably not safe for security researchers to mess around with critical systems while flying to win miles. You can see how that could lead to a tragic accident. Maybe airlines should run a few controlled hacking flights every year and voluntarily give researchers the opportunity to look for dangerous bugs. We all know how much companies love scrutiny of their proprietary systems!
