United Airlines In-flight Hack Raises Important Questions


When important security stories break that can really put the public on edge, it is usually a good practice to wait for a bit of clarity. Whether it is a major breach of a retailer where millions of pieces of sensitive personal data have been compromised, or worse yet hacks of critical infrastructure or government agencies by rogue nations, avoiding a rush to judgment is a good thing. Last week’s VENOM threat to data centers worldwide, which originally seemed incredibly menacing, is a case in point. Yes, it is bad, but not nearly as bad as portrayed, and the fix was already in.

This will hopefully be the case with the story heating up the Internet over the past few days regarding security researcher Chris Roberts and the publication online of an FBI search warrant about Mr. Roberts’ less-than-discreet alleged identification of vulnerabilities with the in-flight entertainment systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft. The warrant also noted that Roberts said he had exploited in-flight vulnerabilities 15 to 20 times from 2011 to 2014.

Roberts is a well-known “ethical hacker” with a propensity for publicity so the fact that he was the subject of more than casual interest by the authorities is not a surprise. This is particularly true given that he bragged about hacking a United Airlines flight’s in-flight system while it was in the air, and managed to alter the plane’s flight path to confirm the vulnerability; he was subsequently banished from the airline where there was clear evidence of his tampering with the entertainment system—although his claims of successfully taking over the in-flight system have yet to be validated.

What the case highlights are some serious issues that have to be addressed on a number of fronts.

Let’s start at a high level with the critical area of airline in-flight security and the possible susceptibility to it being compromised. Given the major airline tragedies caused by those in the cockpit with piloting skills using or abusing technology to bring down planes, the possibility of a passenger being able to do so armed only with a computer is disconcerting, to say the least.

I think Jonathan Sander, Strategy & Research Officer with STEALTHbits, has a great take on this: 

"Unlike the big heavy door protecting the cockpit from passengers, there is an inviting little portal into critical flight systems under half the seats on many airplanes. The hack of Iranian nuclear systems using Stuxnet made the notion of an ‘air gap’ famous. The air gap is the physical separation between systems that is meant to protect critical systems, like ones that run nuclear centrifuges, from the activities on less critical systems that people use to surf the web. You would think the systems on board an airplane that run the flight controls would be a great candidate for an air gap to protect them from the in-flight entertainment system wired into the cabin. Now we know for sure it’s not behind any kind of gap at all. One of the other details that emerged is that the security researcher used default usernames and passwords built into the inflight systems to access them. When you get your new shiny mobile phone, it makes you pick a new password. Why don’t the systems meant to keep airplanes flying straight do that? It’s a failure of the basics."

I also found the comments from Richard Blech, CEO and Co-Founder of Secure Channels, insightful regarding what is still an alleged breach. He noted:

"The United Airlines flight was allegedly breached through their flight's Wi-Fi system. If the control system data had been encrypted the breach would have no impact. By encrypting the flight control system, the hacker would not be able to see the commands and alter them; commands must be visible to enter or change them. If United Airlines had taken the time to protect its data by implementing deep encryption solutions beforehand, this alleged [breach] would have been considered an achievement rather than a dangerous experiment at their (and potentially their passengers') expense. Planes being taken over in this country are a valid fear, and updating the cyber security of critical transportation systems should be of the utmost importance. Treating security as an afterthought leaves our country open to terrorism. In this age of technology, there are no excuses for this type of carelessness when it comes to protecting people’s lives."

In a week where a major train derailment here in the U.S. outside of Philadelphia has put a spotlight on the lack of investment in technology that could have prevented the fatal crash, one would hope that the airline industry likewise would start looking at assuring an “air gap” is in place when it comes to who has access to in-flight systems and how. Indeed, air gap aside, it should be noted that United already has a bug bounty program for people interested in finding ways to defeat its existing systems. Look for the rest of the industry to follow, since finding out now is a lot less expensive than the lawsuits that would follow if terrorists were successful in taking down a plane using the knowledge that already is in the wild.

On the non-technology front, the question about what should constitute ethical versus malicious hacking is certainly something that should be the subject of public policy debate. Regardless of how grateful you might feel that Mr. Roberts identified this “possible” serious flaw with what is being characterized by some as an “experiment,” condoning his behavior as to methods used and public disclosure would be a mistake.

If Mr. Roberts was so concerned about his theory that a plane could be compromised in-flight, why not speak with the airlines, as well as the FBI, before rather than after the fact? One would think, given that we are moving to an even more software-centric and connected world, that private corporations and governments would be willing to pay a nice chunk of change to proactively head off disasters. This would also include developing counter-measures and other rapid mitigation techniques if/when bad things are discovered.

While hypothetical formulations are “what if” scenarios that can strain plausibility, they do serve to make a point. For example, the day seems to me to be coming closer when somebody is merely “experimenting” to see what type of explosive payload can be accurately delivered by an off-the-shelf drone, and their defense when they blow something up and possibly injure somebody is that they were just experimenting.

It is a reminder of the old observation that defines the Yiddish word chutzpah, which roughly translated means unmitigated gall, as being when somebody kills their parents and begs for mercy because they are an orphan.

The Roberts affair, not unlike the Snowden affair where he was supposedly disclosing all of the information in the name of the public good, hopefully spurs not just industries being more thorough in protecting their systems and data but also public discussion. After all, the bad guys are busy trying to monetize their mischief and there is no good reason why the good guys shouldn’t be thinking and acting along the same lines. 

Edited by Dominick Sorrentino