The First Bug Bounty Program for Airlines May Be Detrimental to Customer Safety and Security
In the media debacle that is United Airlines vs. their hacking enemies, one thing is finally clear—United Airlines is finally starting to realize that anyone who can infiltrate their systems may be better off on their side than against them.
Last month, a security professional named Chris Roberts, approached the FBI with claims that he had been able to gain access to Boeing avionics systems while in-flight. The claim suggests that he was able to access various systems of multiple Boeing aircrafts from 2011 to 2015, and his motive was simply to improve aircraft security.
FBI Responds to Vigilante Hackers
The FBI’s response is not surprising. You can read the warrant for yourself.
To be fair, it’s not that United Airlines is the only airline that has had security vulnerabilities and software defects come to light; it’s just that they have a tendency to give themselves more media attention than it’s worth. They have a history of flip flopping in these types of situations, and it is not helping their cause nor is it helping safety and security, which is every airline's main objective.
A reminder of this is the media debacle United Airlines caused by penalizing people who found an issue with their website's ticketing system a few years ago. I won't comment on that since you can just read the article for yourself.
Yes, there are always concerns about the ability to hack into avionics systems, but the reality is that it doesn't mean we are less safe in-flight than we were before. In actuality, we’re safer because of people like Chris Roberts. If he did indeed do what he claims he did, just like a firewall, when you find a hole, you plug it and move on until you find the next one.
What United Airlines is Doing About Their "Security" Issue
In response to all this, United Airlines has decided to set up a reward system for security professionals, or hackers, who find security holes in their systems. The problem is that it doesn't go far enough and may actually be detrimental to the cause of protecting customers and employees.
The reward of frequent flier miles are only for hacking systems that may compromise confidential employee and customer data, not live systems like parts their website or avionics equipment. Not that I would want someone to try and hack a flight I was on, but the truth is there needs to be more testing of if this is possible and who better to test these systems than the hackers themselves.
Some experts say it isn't possible, since avionics equipment is usually physically separated from all other electronics on an aircraft. However, with the way that United Airlines is acting and the FBI response, it only makes me think that they know it is possible and Mr. Roberts found out how.
I'd argue that United Airlines response is a dangerous one in that it doesn't make them more safe, but rather makes security professionals or hackers less forthcoming about information they have about security flaws in any of United Airlines' systems. Now that they have made clear that they will take legal action to anyone who attempts to hack live systems, who is going to admit to hacking them?
However, there is one commendable act by United Airlines in all of this and that is that they are the first airline to set up a bug bounty program. We can at least give them that.