Yes, airplanes can be hacked, just as power plants can be hacked. No, it’s not a widespread problem right now. Yes, we should talk about it before it becomes a widespread (and quite deadly) problem. No, we shouldn’t be harassing and detaining people who research these problems for a living. But we are. And that makes us all less safe. A lot less safe.
I was selected for extra screen on my last flight…and was told almost immediately that the reason was a mis-calibrated explosives trace detection machine. The kind, apologetic screener knew this. So did her colleagues who stood around watching. So did the man who ran the back of his hand all around my private parts, once they track him down. By the time we were done, four employees were involved and we all wasted 10-15 minutes. It was no trouble for me; I had arrived nice and early. It is trouble for you. It made you less safe. We all often forget that security professionals only have so many minutes in the day to look for bad guys. Time they spend wasting on known good guys is time they can’t get back. It makes us all less safe.
I tell this story because no doubt, you have a similar story. And you’ve thought these same things. And that’s why you will understand the importance of Chris Roberts’ faux arrest last week. Only mere hours after Congress’ General Accountability Office released a report ringing the alarm bell about airplane hacking, Roberts was arrested over his research about airplane hacking. Roberts has been working on the problem of hackable avionics, quite publicly, for years. He is founder and Chief Technology Officer of One World Labs, a security research firm. And as he boarded a plane last week on his way to make a presentation, he announced to the world that he was concerned the aircraft was hackable. When he landed, FBI agents and local cops took him into custody, took the equipment he had for the conference, and questioned him for a few hours.
And the story doesn’t end there. This weekend, Roberts was on his way to the big RSA security conference in San Francisco. After he had made his way through security and to the gate. United Airlines employees confronted him and told him he wasn’t welcome on their aircraft, according to the Electronic Frontier Foundation. He was able to take another airline to the conference.
Maybe the end result of this incident will be more focus on avionics hacking, which would only be a good thing. But I’ve seen this movie before, and so have you. Authority figures focused on the wrong thing. Instead of fixing the problem, they harass the messenger. It makes our world more dangerous. And it plays right into the hands of those who would hurt us.
This is no isolated incident. In fact, this very problem is being debated at the highest levels of government right now. The White House’s recent proposal to enhance penalties for certain cybercrimes has been universally criticized in the hacker community for its potentially chilling effects on research. By now, you should know that hackers break things in order to see how they work. Some hackers do this for fun, some for profit, some for the public good. It’s not always clear who is who. But rules that put hackers in jail long-term for tinkering will of course mean fewer good guys do this research, and leave all the breaking and entering to the criminals. We don’t want that. We want Roberts working for our side.
Now, as for that GAO report. I wrote about it last week for Credit.com. It’s always hard to right-size the scariness of such studies. You have a lot more to fear right now than airplanes falling out of the sky because of hackers, which to date is not realistic. But as I’ve already said, the time to talk about it is now, not later.
There are two ways to describe an important report issued by Congress’ General Accountability Office this week about airplanes and computers. Here’s how the GAO titled its paper: “FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen.”
And here’s how many observers described the report: “Airplanes can be hacked through passenger WiFi!”
As always, the truth is somewhere in the middle. The world’s air transportation systems are going through the same changes as all industrial control systems, and these changes bring both opportunities and peril. Once upon a time, it was nearly impossible to remotely hack into a power plant because the plant used old-fashioned proprietary systems that required hands-on users for operation. Slowly, critical infrastructure systems like power plants are transitioning to off-the-shelf software, and at the same time, they’re being connected to the Internet. This allows remote access, which is both a good and a bad thing. It’s good to be able to manage power plants from a long distance. It’s bad because it creates an avenue by which, at least theoretically, hackers can also break in.
So it is with airplanes. The Federal Aviation Administration is transitioning to its “Next Generation Air Transportation System,” known as NexTGen. Modernizing is a necessity. But as air traffic control systems and in-flight avionics systems are increasingly networked, the risk of unauthorized access increases. Any time you connect a computer to the world, the world can connect to that computer.
It makes sense to ring the alarm bell about these possibilities before they actually occur, and that’s what this week’s GAO report does. Auditors asked 15 cyber experts to conjure up worst-case scenarios, and they did a fine job of it. The report does not say that airplanes are currently being hacked. But it does raise a series of possibilities that frankly sound straight out of a horror movie — such as a computer virus causing a flight disaster.
“One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” the report noted.
You would think that in-flight WiFi could never be used to connect to pilot controls — after all, the systems are quite different — but several experts said it could be possible.
“Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” the report said. “The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”
The report also talks about the added risk of an insider threat from connected systems — a malicious airline employee or FAA worker might be able to remotely cause havoc with specialized knowledge of Internet-connected planes. There’s also the contractor problem. The FAA and airlines must not only certify the security of all the systems they build, but of systems built for them by third parties. Imagine a back-door being inserted into a critical airplane system that a malicious programmer could use later.
It’s important to notice the presence of the word “if” in all these disaster scenarios, as in “if the cabin systems connect to the cockpit avionics systems.” They shouldn’t be physically connected, of course. It’s easy to imagine that happening, however, in the pressure-packed, cost-sensitive world of airline operations.
That’s why the GAO report urges the FAA to “develop a holistic threat model” towards airline hacking, and criticizes the agency for failing to do so. The report does praise the FAA for other cyber security initiatives it has already undertaken.
The FAA says it has already addressed many of the concerns the GAO report raises.
“We take this risk seriously,” said Keith Washington, acting assistant secretary for administration for the FAA, in a response to the report. He noted that the FAA recently established a cyber test center so it could more closely examine potential threats.
But the GAO report, while not suggesting that air travel is unsafe today because of hackers, pulls no punches about possibilities in the future.
“Significant security control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system,” the report concludes.