United Airlines Offers Frequent Flier Miles for Finding Security Vulnerabilities

Vulnerabilities on the website only, not in airport security or in the avionics.

Posted on May 18, 2015 at 7:14 AM • 25 Comments

Comments

tim • May 18, 2015 8:21 AM

Thank you Andrew. I came here as soon as I woke up to see Bruce's comments on the matter.

Spaceman Spiff • May 18, 2015 8:29 AM

I hate flying United. Can I trade their miles for Southwest?

Zenzero • May 18, 2015 8:46 AM

@ tim

It’s still not clear what actually happened yet.

If you read the actual warrant (PDF document here: http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf)

"He also said that he used VBox which is a virtualized environment to build his own version of the airplane network. The virtual environment would replicate airplane network, and that he used virtual machine's on his laptop while compromising the airplane network."

So the question remains: did he try to control a real plane he was flying on (which would be quite insane) or try to control a virtual plane in a virtual copy of the network? This could easily be an FBI agent misunderstanding technical information provided to him by Roberts.

We will know more soon.

Another question remains to be asked, and that is why the airlines are so afraid of security researchers checking that security is as strong as it should be. Quite often this fear is caused by some knowledge of underlying issues/problems that are either too expensive to fix (for whatever reason) or cannot be fixed.

Clay • May 18, 2015 8:47 AM

I was wondering about this. Reading the rules, remote code execution gets you up to 1,000,000 miles. At the same time, for "Code injection on live systems" you get "Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation." Seems like they get to find out about the vulnerabilities and then skip giving you the miles because they will try and have you jailed.

Clive Robinson • May 18, 2015 9:13 AM

Hmm, United had a dodgy reputation some years ago, long prior to 9/11, so I've never had the pleasure/misfortune to fly them.

With regard to the rules, it looks like you would only be safe if you went bug hunting on a "copy system", not their live system...

Personally I'd give the whole thing a very, very wide berth, especially as a million air miles is actually not that many for quite a few people globe hopping on business (say forty times around the world).

Oh, and what's to stop you being put on the SSSS list for that extra special treatment or, worse, the no-fly list by the authorities...

Some Guy • May 18, 2015 9:15 AM

Is Delta doing the same? I have a couple of 0days in delta.com. Feel free to email me for details, and hopefully Delta will respond and finally fix them? They haven't responded to me in over a year: kristian.hermansen@gmail.com

Andrew Wallace • May 18, 2015 9:20 AM

You don't need to be inside the aeroplane.

You just need to compromise the correct computers on the ground with something as simple as spear phishing for the initial compromise.

Boeing's engineering team are sent up to 500GB of data during every flight.

"Boeing 787s, are incredibly connected. Literally every piece of that plane has an internet connection, from the engines, to the flaps, to the landing gear."

http://www.computerworlduk.com/news/data/boeing-787s-create-half-terabyte-of-data-per-flight-says-virgin-atlantic-3433595/

There are data channels sending data back and forth that a bad guy could leverage if he has carried out hostile reconnaissance on engineering staff members.

We can blame the "internet of things" for this vulnerability of aviation.

Andrew

Zenzero • May 18, 2015 9:35 AM

@ Some Guy

"Is Delta doing the same? I have a couple 0day in delta.com."

Not as far as I can find.

If they are still not getting back to you, then maybe look at

https://hackerone.com/

or CERT to try to help with coordination with the vendor.

If all else fails, consider full disclosure; you can be sure someone else will find it and abuse it and never mention it. Better it gets fixed whether the vendor likes it or not :)

Adrian • May 18, 2015 10:47 AM

I had my United mileage account hacked.

I started planning a vacation and checked my balance to discover that I was about 100,000 miles lower than before. According to the site, I had "spent" those miles on a hotel package. More research showed that, on the very same day the package had been purchased, someone had changed my profile details, including: first name, address, phone number, and gender.

I contacted United, and, at first, they accused me of lying. When I pointed out the change of my profile details on the same day as the acquisition, they relented. They later explained that someone had guessed my four-digit PIN. But I don't use a PIN--I'd set up the account with a strong, unique password. United explained that the PIN was from long ago, and that you can log into the account with either the PIN or the password.

After setting things straight (which took a week or more), I asked if they could disable the PIN on my account. "No," the rep explained. "In fact, we'll be getting rid of the passwords and moving only to PINs for security reasons."

albert • May 18, 2015 10:55 AM

@andrew
"...There are data channels sending data back and forth that a bad guy could leverage if has carried out hostile reconnaissance on engineering staff members...."
.
These are data collection systems. Show me how aircraft behavior can be controlled by them.
.
.
@Zenzero
"... Quite often this fear is caused by some knowledge of underlying issues/problems that are either too expensive to fix (for whatever reason) or cannot be fixed...."
.
Airlines, and to a certain extent, aircraft manufacturers, are notorious for ignoring incidents, which then lead to accidents. The NTSB does stellar work, but by the time they get involved, it's too late. Hopefully, Boeing will use their data collection system to correct potential engineering problems, before they become disasters. It must be cheaper to wait for a crash (often two), before engineering problems are corrected, then often at a glacial pace. Allah only knows what they know about their systems, and what we don't.
.
...

Sasparilla • May 18, 2015 12:39 PM

@Adrian

"No," the rep explained. "In fact, we'll be getting rid of the passwords and moving only to PINs for security reasons."

Stupid is as stupid does...

Although most people don't know this, the FAA has a dual mandate to promote the aviation/airline industry as well as handle safety, and this leads it to always be behind the eight ball when it comes to addressing new safety issues.

We'll probably have to wait till there are some accidents due to people disabling systems on airliners before this obvious huge issue gets dealt with. The fact that passenger entertainment/wifi systems are not on a completely separate and gapped network from the aircraft systems blows the mind.

Observateur • May 18, 2015 1:00 PM

I remember seeing in a Boeing or Airbus patent that the in-flight-entertainment and PAX data networks were interconnected with the mission-critical ones.

[SHUDDER]

Marcos El Malo • May 18, 2015 1:13 PM

@tim

Possibly Bruce is waiting for more facts before commenting. I'm sure there are thousands (at least) of others willing to offer their opinions based on what little we do know at this point.

name.withheld.for.obvious.reasons • May 18, 2015 1:40 PM

On and off topic...

Under statutory law, Title 18 USC Section 1030, Roberts is being held for the very same action NSA, and DoD under PPD-20, carries out daily. Two sections of the code define types of access or abuse that could put not only Roberts in the line of fire--but could implicate the U.S. government. If charges are brought by the DoJ I would be tempted to say that Roberts is a victim of selective prosecution.

A complex argument as to the efficacy of the law, and its application, would include the indistinguishable nature of "accessed/accesses a computer" as an unlawful act where the goals of nation states such as the United States are to achieve complete dominance of computational systems, networks, and data. What differentiates state-based actions in pursuit of said goal, attribution, and the physical evidence? Let me illustrate with several examples; first, a brief challenge to the charges might look like this:

The Silk Road case could probably serve as evidence of "sanctioned" illicit activity, though I'd argue it's not in statute or public law, demonstrating that LEA violates the same law with the knowledge of DoJ.

The second example might be stated as follows:
The United States has a classified program, not known to the public or the courts, that allows members of any LEA to perform summary executions of specific individuals (U.S. citizens, foreigners, or aliens) without fear of retribution or threat of prosecution. A citizen uses the same proscribed methods enumerated in the "secret" law but is held by DoJ for the capital crime of murder. Before the preliminary phase of the trial, a public disclosure is made with court rulings and DoJ guidance describing the summary execution orders...

name.withheld.for.obvious.reasons • May 18, 2015 1:45 PM

EDIT: "is being held" should be "is suspect"

Nick P • May 18, 2015 2:11 PM

@ Jayson

That's exactly how I see it. Rule No. 1: Don't Talk to the Police. Especially the FBI. That's what lawyers are for.

albert • May 18, 2015 3:39 PM

@Nick P,
@Jayson,

Absolutely.
DO NOT talk to the police without an attorney present, especially the FBI. LE _will_ lie to you, but you can't lie to them. They will try to confuse you into contradicting yourself. You are not required to answer their questions, either. Even if you're an innocent witness to a 'crime', you are a suspect in that crime. Any lawyer will tell you this. It's a shame more folks don't know about it.
.
@Observateur,
.
It was an inflight entertainment system that brought down Swissair 111 (229 lost). A short circuit failed to trip a circuit breaker, resulting in a fire. Remember, these systems are designed and built by outside vendors. Apparently, Swissair was ultimately responsible for the installation of the IFE systems (see http://www.iasa.com.au/folders/sr111/IFENFacts.html).
.
...

who needs hackers/crackers • May 19, 2015 6:26 AM

Slightly off topic: The German magazine der Spiegel reports that the A400M military transport plane that crashed recently in Spain did so because of software issues (article in German).

Quote from the article: Nach Informationen von SPIEGEL ONLINE haben die Ingenieure von Airbus Military ein Softwareproblem in der Steuerungseinheit der Triebwerke entdeckt, das den Ausfall von gleich drei Treibwerken verursacht haben soll.

Translation: According to information received by SPIEGEL ONLINE, engineers at Airbus Military have discovered a software issue in the engine control unit that supposedly led to three [simultaneous] engine failures.

Vulnerability Researcher • May 19, 2015 11:59 AM

Brief punch on this post:

I could maybe see some web app consultants hit at their site, but that is definitely not any major solution to vulnerabilities. You need a full and mature model of application security, internally. I do not think encouraging anyone and everyone to run security tests on production systems is wise, in general.

The vast majority of security researchers are not going to engage in anything like this. Why? Because that is what we do for our work. Why do that off hours just to maybe get some frequent flyer miles? So, who will you get for this kind of effort? People who are not qualified to do that kind of work.

(The frequent flyer mile offer contrasted against the wage of even the lowest-rung but professional web application penetration testers will almost invariably be horrible. We are well used to these offers by companies, and most will not even bother to look.)

(Maybe, if the researcher can also receive some publicity for finding issues, it might have that value for researchers who do not yet have a resume in the field. Maybe it can provide some publicity for some consultancies that need that kind of publicity. But, that is it, and that is not worth the value of opening up your systems to production level tests to anyone and everyone.)


albert • May 20, 2015 10:31 AM

RE: Swissair 111,
The IFE system was a retrofit. It drew power from the same bus as the Flight Control System. If the IFE failed, the only way to stop it was to open the breaker, resulting in total loss of the FCS. The resulting fire accomplished the same thing. A short circuit should have tripped the breaker instantly, and might have prevented the fire. Shitty wiring and/or shoddy installation, and an insane power wiring scheme, were to blame.
.
Engine Control Systems can't execute a 'climb' command. I'll shut up when someone can show me how an ECS can operate control surfaces.
.
There's a lot of silliness going on here.
.
That said, I agree that FCS and IFES don't belong on the same network. Even uplinks need to be separate. A passenger should be able to totally own the IFE without affecting the aircraft's safety. I'll bet that's not in the design spec.
.
...
