
Warnings of hackers on planes all too familiar to airline security researchers

Fresh government reports and alerts about the hacking threat to airplane avionics systems underscore the challenges facing industry and government as more critical infrastructure becomes Internet connected.

Reuters/File: An Airbus A350 takes off near the Airbus A320neo after its first flight event in Colomiers near Toulouse, southwestern France, in 2014.

The warnings were certainly alarming: following fresh reports that airline navigation systems were vulnerable to digital attacks, federal agents warned flight crews to be on the lookout for hackers.

And in a sign of how edgy the airline industry and federal agents may be over hacking planes, earlier this month the FBI detained a security researcher after he tweeted about computer flaws within the Boeing 737 on which he was traveling.

But while breaking into aviation networks has become the latest cybersecurity risk grabbing headlines, government watchdogs along with the Federal Aviation Administration (FAA) and computer researchers have been warning for years that the software used in modern airplanes is vulnerable to attacks from criminal hackers. Yet, according to many researchers, despite these alarm bells, the industry as a whole does not appear to have taken the necessary steps to keep its systems secure.

“We blew a lot of this stuff up four or five years ago at BSides,” said Chris Roberts, a noted researcher and principal at One World Labs, referring to the security conference where he presented evidence of airline security flaws.

In fact, over the past few years, researchers have demonstrated how attackers could take control of in-flight communication systems and avionics equipment that pilots rely on during flight.

The industry and law enforcement didn't take kindly to Mr. Roberts' latest comments regarding its systems. While he was traveling on a flight to Syracuse on April 15, Roberts tweeted about breaking into an airline computer system.

"Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)" EICAS refers to the Engine Indicating and Crew Alerting System, a critical in-flight system.

After the flight, he was detained and questioned by federal agents for two hours. The FBI retained his laptop and other devices, saying it needed to do a forensic analysis of them to determine whether Roberts had, in fact, attempted to hack the Boeing jet. He was also later barred from boarding a separate flight on his way to the RSA Conference, a major security industry gathering last week in San Francisco.

“We knew these things were issues four or five years ago. So I wonder ‘is there a specific threat that they’re not telling us about,’ or are they just [upset] because I’m not shutting up?” Roberts said following the incident.

Latest warnings

The renewed attention to airline security – and what Roberts had been commenting about on Twitter – started with a Government Accountability Office (GAO) report on April 14.

The report warned that the FAA lacked a systematic approach to assessing security risks in airplanes, relying instead on case-by-case “Special Conditions” rules to address risks in specific airplane models. The FAA’s Radio Technical Commission for Aeronautics (RTCA) has yet to design new regulations that could be used to certify cybersecurity assurance for avionics systems because those systems historically haven’t been accessible in a way that would permit cyberattacks, the GAO noted.

The reaction to the GAO report from lawmakers and law enforcement was swift and pronounced. Rep. Peter DeFazio (D) of Oregon, the ranking member of the House Transportation and Infrastructure Committee, told CNN that the report has exposed serious threats to aircraft in flight and urged the FAA to respond.

“I can’t believe this is just now becoming news,” says Joshua Corman, the chief technology officer at the firm Sonatype and a founding member of IAmTheCavalry, a grassroots organization of security experts who advocate for issues in which computer security intersects with public safety.

Mr. Corman said the failure to address cybersecurity risk by the FAA and airplane makers is symptomatic of what he calls a “cultural defect” in the information security sphere – and more generally in society – that focuses attention on threats but not the bigger questions of prevention.

“Our manner of digesting and discussing topics is biased toward waiting for some in the wild manifestation of an attack,” said Corman. “That really truncates conversations about secure architecture and secure design.”

The consequence of that is a lack of measurable progress in making systems and software more secure over time, as the GAO report suggests.

“That’s disappointing when the stakes are personally identifiable information or credit card numbers being stolen,” Corman said. “But now we’re talking about areas where the cost of failure is measured in human lives.”

Awareness is growing

Even if the GAO report doesn't break new ground, it was "necessary" and a "good idea," said Ruben Santamarta from the firm IOActive, another noted airline security researcher. “It’s better to approach these kind of potential scenarios from a proactive manner, instead of waiting until something happens,” he said. 

And Mr. Santamarta says that awareness is growing within the aerospace sector regarding cybersecurity risks. One bit of proof: in June he’ll be speaking about aircraft security at Aviation Festival Americas, a major conference for the world’s airlines.

The fallout from the GAO report underscores the difficulty that private firms, federal regulators, and lawmakers face as more and more critical infrastructure comes to rely on software and Internet connectivity, experts acknowledge.

After years of operating as little-explored technology islands, firms across the transportation industry are beginning to encounter many of the same issues that software firms such as Microsoft and Adobe Systems have long had to contend with, said Katie Moussouris, the chief policy officer of the firm HackerOne, which helps firms sponsor and run programs to find and fix software flaws.

“Critical infrastructure is not immune from security vulnerabilities,” said Ms. Moussouris. The good news is that firms such as Boeing and Airbus are in a position to learn the lessons of companies such as Microsoft, where she worked as a senior security analyst.

That company spent years battling with independent security researchers over protocol related to the discovery of vulnerabilities in its software. In the process, Microsoft came to be an industry leader, not only in secure software development, but also in its infrastructure for producing and distributing software patches to users, and in communicating with the public about the substance of those.

At a minimum, Moussouris said companies need to create a “front door” for researchers such as Roberts. That means creating something like a spot on their webpages that instructs independent researchers on how to report software vulnerabilities to the company.

“You need openness, transparency, and acceptance," she said. "That’s just a reality when software is running on things."

https://www.csmonitor.com/World/Passcode/2015/0429/Warnings-of-hackers-on-planes-all-too-familiar-to-airline-security-researchers