United Airlines has handed out one million air miles to a cybersecurity researcher who was able to detect a single security vulnerability in its system.
Jordan Wiens, the co-founder of Florida-based security firm Vector 35, was given a million air miles by United Airlines on 10 July for detecting a remote code execution vulnerability – a security bug most highly valued by the carrier.
One million air miles, in case you didn't know, is equivalent to 16 round trips from London to New York in Economy Class on United Airlines, or four round trips over the same distance in First Class. In monetary terms, it equates to $25,000 (£16,000), which is quite a big payout for a security bounty.
Airlines need to realise the importance of cybersecurity
The airline's Bug Bounty Program is a first for a major airline, and highlights the growing importance the carrier places on cyber security, privacy and safety.
However, United Airlines did not come to this conclusion on its own. In April it clashed with One World Labs security researcher and prominent hacker Chris Roberts, who had jokingly tweeted that if he was on board a Boeing 737-800, he would be able to hack the airplane and deploy the oxygen masks at will.
Unfortunately, United Airlines did not find the tweet funny. Roberts was removed by FBI agents from a United flight as soon as it landed in New York on 15 April and questioned for several hours.
Roberts caused a plane to briefly change course
During questioning, Roberts admitted that in February 2014 he had hacked the in-flight entertainment system on an airplane and overwritten code in the Thrust Management Computer, allowing him to take control of it and briefly make the plane change course.
He also admitted that between 2011 and 2014 he had accessed the in-flight systems of airplanes on various flights at least 15 times, although he said he had only explored the networks and observed their traffic, and had not affected the planes in any way.
These details only came to light through an FBI warrant application filed in federal court that was seen by Canadian newspaper APTN National News.
Not surprisingly, when Roberts next tried to board a United flight from Colorado to San Francisco to attend the RSA Conference on 20 April, where he was scheduled to speak, he was stopped and told that he was now barred from all United Airlines flights.
However, there are rules to the bounty program
For security vulnerabilities that are low in severity, such as cross-site issues, United Airlines will pay out 50,000 air miles; medium-severity security bugs such as brute-force attacks, authentication bypass and timing attacks are worth 250,000 air miles; and remote code execution bugs are worth one million air miles.
While the bug bounty program sounds like a great way for hackers and cybersecurity researchers to never have to pay for flights across the US ever again, there is a catch.
Participants must be able to verify that they are US citizens, and the research must be conducted on US soil.
Not only that, but you are not allowed to conduct any of the attacks yourself in order to prove that they work, so you cannot hack United Airlines' websites using brute-force attacks, or inject code into a live system, and you definitely cannot test inflight entertainment systems or in-flight Wi-Fi the way Roberts did.
You are allowed to test your own MileagePlus account and try to compromise it, but no one else's account.