
Opinion: Why the aviation industry needs more hackers

Claims about a researcher infiltrating a plane's control systems have put a spotlight on aviation security. It's time for the industry to be more open about potential risks and let hackers test the strength of their networks. 

Federal agents claim security researcher Chris Roberts said he gained access to flight controls via onboard entertainment systems such as these on Air Canada's Boeing 787 Dreamliner.

Security researcher Chris Roberts made headlines earlier this month when the FBI claimed he hacked a Boeing airplane's avionics system and made it go slightly off course.

Whether Mr. Roberts actually did it – and whether it's even possible – has since been the subject of heated debate within the security community.

Regardless, the resulting controversy around Roberts raises important questions about airline safety, specifically about the vulnerability of the inflight entertainment systems. Federal agents claim that's how Roberts, a longtime critic of airline security, gained access to the plane's thrust controller. 

If that's really possible – again, it's up for dispute – this is a way bigger threat than bringing four ounces of water or a three-inch pocket knife on board.

Boeing officials have said there's no way to connect to flight control systems through the on-board entertainment systems. Other airline executives aren't so sure. Jeff Smisek, chief executive of United Airlines, has been quoted as saying: "We are unaware of whether or not this is possible."

This kind of industry denial – or lack of understanding – will sound familiar to security professionals. It's almost exactly the same argument that carmakers made about the ability to access vehicle controls through in-car entertainment systems. They said it just wasn't possible. 

Well, we proved them wrong. 

In fact, in one case, security researchers gained access to vehicle controls through the wireless signals emitted by the tire pressure monitoring system. In another case, they gained access through an MP3 file being played on the car's CD player.

When it comes to airlines, it's important to remember how infotainment systems are installed. 

Plane manufacturers such as Boeing, Airbus, and McDonnell Douglas don't build inflight entertainment (IFE) systems. That's left up to the companies that purchase the planes – airlines such as Delta, United, and American. Those airlines buy the systems that let passengers watch TV or movies from suppliers such as Panasonic Avionics Corp. or Thales Group.

The Federal Aviation Administration certifies IFE systems, but the agency is concerned only with whether their failure would alter other plane functions. Typically, this concern has led to power supplies and data links for the IFE being separated from other critical systems.

In recent years, however, cabling has been collapsed to save weight on modern airliners such as the Boeing 787 Dreamliner, and possibly even earlier aircraft. Now, several different systems on the aircraft use the same cables, with data separation handled by what the airline industry calls isolation technologies.

Information security people would call them firewalls.

But whatever the name, they are intended to separate the data on IFE systems from the data on the avionics systems. It's the firewalls that aviation engineers have said will keep hackers from going from the easily accessible IFE systems to the systems that keep the planes in the air.

Security researchers have shown time and time again – since the firewall concept was first invented – that firewalls can be bypassed, routed around, or just driven straight through. Researchers have done this on computer network firewalls, vehicle firewalls, and industrial control system firewalls. It's reasonable to assume that they can do the same for firewalls on airplanes.

The airline industry has a history of downplaying researchers' claims about inflight computers and air traffic control systems. They'll typically say that the research is merely theoretical and therefore the threats aren't real. 

But if that were the case, why would the FBI be investigating Chris Roberts? Either what they claim he said about breaching an airplane is actually impossible and is the (not uncommon) result of hacker braggadocio, or it is possible – and then we have a serious problem on our hands.

The best way to find out is for the airline industry to let professional hackers go to work and see if we can penetrate their networks. The airline industry shouldn't follow the lead of automakers and keep quiet about potential vulnerabilities until they are forced to confront the issue.

It's only now – with millions of cars already connected to the Internet – that automakers are hiring information security professionals to help them understand the risks inherent in building vehicles equipped with advanced technology. 

The airline industry shouldn't be so slow to act.

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.

 
