PLANE SAFE? CYBER ISSUES
By Jeremy Wagstaff
Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit. Other security researchers say Roberts - who was quoted by the FBI as saying he once caused "a sideways movement of the plane during a flight" - has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes. Through his lawyer, Roberts said his only interest had been to "improve aircraft security."
"This is going to drive change. It will force the hand of organizations (in the aviation industry)," says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries. As the aviation industry adopts communication protocols similar to those used on the Internet to connect cockpits, cabins and ground controls, it leaves itself open to the vulnerabilities bedeviling other industries - from finance to oil and gas to medicine.
More worrying than people like Roberts, said Mark Gazit, CEO of Israel-based security company ThetaRay, are the hackers probing aircraft systems on the quiet. His team found Internet forum users claiming to have hacked, for example, into cabin food menus, ordering free drinks and meals. That may sound harmless enough, but Gazit has seen a similar pattern of trivial exploits evolve into more serious breaches in other industries. "It always starts this way," he says.
Anxious Airlines
The red flags raised by Roberts' case are already worrying some airlines, says Ralf Cabos, a Singapore-based specialist in inflight entertainment systems. One airline official at a recent trade show, he said, feared the growing trend of offering inflight WiFi allowed hackers to gain remote access to the plane. Another senior executive demanded that before discussing any sale, vendors must prove their inflight entertainment systems do not connect to critical flight controls.
Panasonic Corp and Thales SA, whose inflight entertainment units Roberts allegedly compromised, declined to answer detailed questions on their systems, but both said they take security seriously and their devices were certified as secure. Airplane maker Boeing Co says that while such systems do have communication links, "the design isolates them from other systems on planes performing critical and essential functions." European rival Airbus said its aircraft are designed to be protected from "any potential threats coming from the In-Flight-Entertainment System, be it from Wi-Fi or compromised seat electronic boxes." Steve Jackson, head of security at Qantas Airways Ltd, said the airline's "extremely stringent security measures" would be "more than enough to mitigate any attempt at remote interference with aircraft systems."
Circumventing
But experts question whether such systems can be completely isolated. An April report by the U.S. General Accountability Office quoted four cybersecurity experts as saying firewalls "could be hacked like any other software and circumvented," giving access to cockpit avionics - the machinery that pilots use to fly the plane. That itself reflects doubts about how well an industry used to focusing on physical safety understands cybersecurity, where the threat is less clear and constantly changing.
The U.S. National Research Council this month issued a report on aviation communication systems saying that while the Federal Aviation Administration, the U.S. regulator, realized cybersecurity was an issue, it "has not been fully integrated into the agency's thinking, planning and efforts." The chairman of the research team, Steven Bellovin of Columbia University, said the implications were worrying, not just for communication systems but for the computers running an aircraft. "The conclusion we came to was they just didn't understand software security, so why would I think they understand software avionics?" he said in an interview.
Slow Response
This, security researchers say, can be seen in the slow response to their concerns. The International Civil Aviation Organisation (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them. Researchers like Haines have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.
And that's just the start. Aviation security consultant Butts said his company, QED Secure Solutions, had identified vulnerabilities in ADS-B components that could give an attacker access to critical parts of a plane. But since presenting his findings to vendors, manufacturers and the industry's security community six months ago he's had little or no response. "This is just the tip of the iceberg," he says.