Hacker Airlines: United Awards 1M Air Miles For Vulnerability

We’re really happy to see companies getting serious about rewarding white hat hackers. The latest example is [Jordan Wiens], who submitted two bugs and was awarded 1,000,000 United Airlines MileagePlus miles.

The bounty is so high because he uncovered a method of remote code execution, which United has since patched. Unfortunately, United requires that reported bugs be kept confidential, so we’re not getting any of the gritty details like we have for some of the recently discovered Facebook vulnerabilities. That’s really too bad, because sharing what went wrong helps programmers learn to avoid the same mistake in the future. But we still give United a big nod for making this kind of work, and responsible reporting, worthwhile. [Jordan] did an AMA last night which covered some more general hacking questions.

If you want to turn your leet skills into free travel, you need to be a MileagePlus member and not reside in a US-sanctioned country. Details are on United’s Bug Bounty page.

14 thoughts on “Hacker Airlines: United Awards 1M Air Miles For Vulnerability”

  1. What they’ve done is enter the marketplace – they hope that a million miles on a United jet is worth more than the bid from some other party. This may get them security in avionics, or engine control (or not) but isn’t likely to flag problems in their financials, reservation system, or … someone who can alter their own balance in a frequent-flier system.

  2. Read the conditions: you get no bonus for messing with the avionics / on-board WiFi / entertainment system. This would be too dangerous, because someone could argue he/she just started hacking because of the bounty. Guess what a lawyer would do after a hack-based crash… – Probably you would need a plane on the ground with the engines secured AND a strict NDA without anonymity to start a competition to hack a plane. But will there ever be an airline ready to even take this risk?

    1. Yes, because nothing will cause a plane to auger in nose-first on a mountain faster than people not being able to tweet and being forced to watch “Galaxy Quest” with Thermian as the spoken language (and Korean subs)…

      1. The onboard WiFi and entertainment are dangerous to mess with because they are often wired into the same systems as everything else. For example, recently there was an exploit in a Jeep entertainment system that allowed remote control of the entire vehicle including the engine, brakes, transmission, and steering.

  3. Well, some colleges have their own jet aircraft for research purposes. I think Purdue is an example, and others with Atmospheric Sciences (e.g. meteorology). A student at one of those colleges could get access (through proper channels) to test one on the tarmac. Generally the jets are older, so may not have the newest avionics, or entertainment systems.
