US should pay hackers who find threats, says analyst

CIA Mr Geer develops technology for US security agencies

Related Stories

The US government should pay hackers who indentify significant cybersecurity threats, a respected risk analyst has proposed.

Dan Geer said large bounties would prevent the vulnerabilities from ending up in the hands of criminal gangs or hostile authorities.

Mr Geer, whose tech firm assists the CIA, was referring to previously unknown security flaws, for which a patch is not yet available.

They are often used in cyber-warfare.

Tech news site the Register reported that Mr Geer, who made the suggestion in a keynote address at the Black Hat cybersecurity conference in Las Vegas, said the tactic would only work if there were few vulnerabilities in existence.

"If there are many vulnerabilities, then we've wasted our money," he reportedly said.

Could airport security be hacked?

"But if there are a limited number, by making them not weaponisable have we not contributed to world peace?

"The US can corner the market in this in a way few other countries can."

Mr Geer added that the government should consider paying 10 times more than anyone else would for the vulnerabilities.

Once a patch was found, authorities should make the vulnerabilities public, he advised.

Hotel take-over
Starwood Hotels Jesus Molina was able to hack the network of a Chinese hotel

Other cybersecurity experts unveiled their research at the annual conference.

Jesus Molina explained how he had taken over a hotel in Shenzhen, China, after hacking into the central system via a guest iPad in his room.

Mr Molina said he was able to control the rooms' temperature, lighting and even the hotel doors.

Another cybersecurity professional, Billy Rios, claimed to have found multiple vulnerabilities in the tech used by the US Transportation Security Administration (TSA) in airports.

He said he could gain access to the TSA's X-ray machines, as well as a system that tracks employees' shift changes and the scanners used to detect hazardous materials in luggage or clothing.

"They all have major issues," Mr Rios told the BBC.

However a representative of the company that develops the airport technology, Morpho, denied the devices were vulnerable to attack.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Jeff Turner/Flickr/CC BY 2.0)

Is tech transforming language?

The truth about online communication Read more...

Programmes

  • Suspension bridge connecting mountain peaksThe Travel Show Watch

    Must-see global events including walking the first suspension bridge to connect mountain peaks

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.