Monday 25 May 2015

Time to limit Internet of Everything?

Bringing down a plane carrying hundreds of passengers doesn’t require a suicidal pilot, a missile or a terrorist bomb. Apparently, a guy with a computer may be able to pull it off by hacking into the airliner’s entertainment system.

This has scary implications not just for air travel but for the entire Internet of Everything concept, as well as for society’s attitude to hackers who track down such vulnerabilities.

The amazing case of Chris Roberts, a cybersecurity expert with One World Labs, is laid out in a search warrant application by the Federal Bureau of Investigation, which seeks permission to seize his MacBook Pro, his iPad and a number of external storage devices. Here’s what he told the FBI he once did on a flight:

“After removing the cover of the Seat Electronic Box that was installed under the passenger seat in front of his seat, he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the in-flight entertainment system while in flight. He then connected to other systems on the airplane network after he exploited/gained access to, or ‘hacked’ the IFE system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”

Roberts liked to post tweets about hacking planes, which is why the FBI took an interest in his research. The bureau warned him in February that his actions were illegal, but Roberts was so hooked he couldn’t stop. On April 15, he tweeted,

“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”

He’s been covering his run-in with the authorities, too, so we know the search warrant produced results: “Also found my attack tools, 0-Days and other toys, so only thing back I’d like (if @FBIDenver is listening) are the photos of my daughter…”

Recently, however, Roberts has been told – presumably by lawyers and the agents on his case – to keep his mouth shut about the details: “Over last 5 years my only interest has been to improve aircraft security…given the current situation I’ve been advised against saying much”

So I guess I won’t be able to figure out how to “compromise/exploit or ‘hack’” the next flight I’m on and make it go sideways. That doesn’t mean, however, that somebody else won’t. Roberts is a benign hacker who is just a little too fond of playing with his “toys.” He wasn’t afraid of getting caught because his ultimate goal wasn’t glory but to prove to airlines they don’t take network security seriously enough. Next time, however, someone with far more evil intent could exploit the same vulnerabilities.

Even if Roberts actually made a plane fly sideways – an incredibly foolhardy thing to do, and probably a crime (he claims his words to the FBI were taken out of context) – it’s in the interests of authorities and aircraft builders to find out what he knows, and maybe even let him continue his experiments.

There’s almost certainly another vulnerability no one has found yet. Eventually, someone will.

Various half-measures have been suggested, such as a “full disclosure policy” for security researchers that would require them to pass on all discovered vulnerabilities in the software they’ve hacked (and expect a response within five days). That won’t solve the problem, if only because some of the people looking for security flaws aren’t researchers.

We need to think hard about the benefits of a fully connected world. The Internet of Everything is a $19 trillion opportunity with major implications for future economic growth.

In some cases, as in equipping factories and warehouses with networked devices, the efficiency improvements may outweigh the security risks and justify serious investment in combating them. But there are areas – such as energy grids, traffic management systems and defense – where the risks of over-reliance on networked devices may well be too grave because a single breach can do irreparable damage.

Then there are applications that are simply unnecessary because the benefit they provide is disproportionately small compared with the dangers.

These include connected teddy bears that, if hacked, can be used to monitor your home, as well as Internet-capable faucets that can be turned on remotely, causing flooding in your home. In-flight connectivity and entertainment fall into this category. Anyone can watch a video on a phone, tablet or laptop, so why should airplane makers endanger passengers by providing that service?

The Internet of Everything imposes important choices on consumers and, ultimately, on regulators. It’s time for legislators, tech companies and cybersecurity professionals to begin figuring out which applications of network technology are acceptable.

Input from companies such as One World Labs should be part of that discussion. It certainly isn’t their fault that vulnerabilities exist, and it shouldn’t be held against researchers that they sometimes fail to announce their findings in the most tactful way.

Roberts’s scrutiny by the FBI and the withdrawal of funding from his company by investors aren’t the right responses: They discourage further disclosures that could ultimately save lives.

View the original content and more from this author here: http://ift.tt/1Fb8KVY
