When important security stories break that can really put the public on edge, it is usually a good practice to wait for a bit of clarity. Whether it is a major breach of a retailer where millions of pieces of sensitive personal data have been compromised, or worse yet hacks of critical infrastructure or government agencies by rogue nations, avoiding a rush to judgment is a good thing. Last week’s VENOM threat to data centers worldwide that originally seemed incredibly menacing is a case in point. Yes it is bad but not nearly as bad as portrayed and the fix was already in.
This will hopefully be the case with the story heating up the Internet over the past few days regarding security researcher Chris Roberts and the publication online of an FBI search warrant about Mr. Robert less-than-discreet alleged identification of vulnerabilities with the in-flight entertainment systems on Boeing (News - Alert) 737-800, 737-900, 757-200 and Airbus A-320 aircraft. The warrant also noted that Roberts said he had exploited in-flight vulnerabilities 15 to 20 times from 2011 to 2014.
Roberts is a well-know “ethical hacker” with a propensity for publicity so the fact that he was the subject of more than casual interest by the authorities is not a surprise. This is particularly true given that he bragged about hacking a United Airlines flight’s in-flight system while it was in the air, and managed to alter the plane’s flight path to confirm the vulnerability; he was subsequently banished from the airline where there was clear evidence of his tampering with the entertainment system—although his claims of successfully taking over the in-flight system have yet to be validated.
What the case highlights are some serious issues that have to be addressed on a number of fronts.
Let’s start at a high level with the critical area of airline in-flight security and the possible susceptibility to it being compromised. Given the major airline tragedies caused by those with piloting skills in the cockpit to use/abuse technology to bring down planes, the possibility of a passenger being able to do so only armed with a computer is disconcerting to say the least.
I think Jonathan Sander, Strategy & Research Officer with STEALTHbits, has a great take on this:
"Unlike the big heavy door protecting the cockpit from passengers, there is an inviting little portal into critical flight systems under half the seats on many airplanes. The hack of Iranian nuclear systems using Stuxnet made the notion of an ‘air gap’ famous. The air gap is the physical separation between systems that is meant to protect critical systems, like ones that run nuclear centrifuges, from the activities on less critical systems that people use to surf the web. You would think the systems on board an airplane that run the flight controls would be a great candidate for an air gap to protect them from in-flight entertainment system wired into the cabin. Now we know for sure it’s not behind any kind of gap at all. One of the other details that emerged is that the security researcher used default usernames and passwords built into the inflight systems to access them. When you get your new shiny mobile phone, it makes you pick a new password. Why don’t the systems meant to keep airplanes flying straight do that? It’s a failure of the basics.”
I also found the comments for Richard Blech, CEO and Co-Founder of Secure Channels, insightful regarding what is still an alleged breach. He noted:
"The United Airlines flight was allegedly breached through their flight's Wi-Fi system. If the control system data had been encrypted the breach would have no impact. By encrypting the flight control system, the hacker would not be able to see the commands and alter them; commands must be visible to enter or change them. If United Airlines had taken the time to protect its data by implementing deep encryption solutions beforehand, this alleged [breach] would have been considered an achievement rather than a dangerous experiment at their (and potentially their passengers') expense. Planes being taken over in this country are a valid fear, and updating the cyber security of critical transportation systems should be of the utmost importance. Treating security as an afterthought leaves our country open to terrorism. In this age of technology, there are no excuses for this type of carelessness when it comes to protecting people’s lives."
In a week where a major train derailment here in the U.S. outside of Philadelphia has put a spotlight on the lack of investment in technology that could have prevented the fatal crash, one would hope that the airline industry likewise would start looking at assuring an “air gap” is in place when it comes to who has access to in-flight systems and how. Indeed, air gap aside, it should be noted that United already has a bugging bounty program for people interested in finding ways to defeat its existing systems. Look for the rest of the industry to follow since finding out now is a lot less expensive than the lawsuits that would follow if terrorists were successful in taking down a plane based on using the knowledge that already is in the wild.
On the non-technology front, the question about what should constitute ethical versus malicious hacking is certainly something that should be the subject of public policy debate. Regardless of how grateful you might feel that Mr. Roberts identified this “possible” serioius flaw with what is being characterized by some as an “experiment,” condoning his behavior as to methods used and public disclosure would be a mistake.
If Mr. Roberts was so concerned about his theory that a plane could be compromised in-flight, why not speak with the airlines, as well as the FBI, before rather than after the fact. One would think given that we are moving to an even more software-centric and connected world that private corporations and governments would be willing to pay a nice chunk of change to proactively head off disasters. They would also include developing counter-measures and other rapid mitigation techniques if/when bad things are discovered.
While hypothetical formulations are “what if” scenarios that can strain plausibility, they do serve to make at point. For example, the day when somebody is merely “experimenting” to see what type of explosive payload can be accurately delivered by an off-the-shelf drone and the defense when they blow something up and possibly injure somebody is they were just experimenting seems to me coming closer every day.
It is a reminder of the old observation that defines the Yiddish world Chutzpah, which roughly translated means unmitigated gall, as being when somebody kills their parents and begs for mercy because they are an orphan.
The Roberts affair, not unlike the Snowden affair where he was supposedly disclosing all of the information in the name of the public good, hopefully spurs not just industries being more thorough in protecting their systems and data but also public discussion. After all, the bad guys are busy trying to monetize their mischief and there is no good reason why the good guys shouldn’t be thinking and acting along the same lines.