Security researcher Chris Roberts made headlines earlier this month when the FBI claimed he hacked a Boeing airplane's avionics system and made it go slightly off course.
Whether Mr. Roberts actually did it – and whether it's even possible – has since been the subject of heated debate within the security community.
Regardless, the resulting controversy around Roberts raises important questions about airline safety, specifically about the vulnerability of the inflight entertainment systems. Federal agents claim that's how Roberts, a longtime critic of airline security, gained access to the plane's thrust controller.
If that's really possible – again, it's up for dispute – this is a way bigger threat than bringing four ounces of water or a three-inch pocket knife on board.
Boeing officials have said there's no way to connect to flight control systems through the on-board entertainment systems. Other airline executives aren't so sure. Jeff Smisek, chief executive of United Airlines, has been quoted as saying: “We are unaware of whether or not this is possible."
This kind of industry denial – or lack of understanding – will sound familiar to security professionals. It's almost exactly the same argument that carmakers made about the ability to access vehicle controls through in-car entertainment systems. They said it just wasn't possible.
Well, we proved them wrong.
In fact, in one case, security researchers gained access to vehicle controls through the wireless signals emitted by the tire pressure monitoring system. In another case, they gained access through an MP3 file being played on the car's CD player.
When it comes to airlines, it's important to remember how infotainment systems are installed.
Plane manufacturers such as Boeing, Airbus, and McDonnell Douglas don't build inflight entertainment systems (IFE). That's left up to the companies that purchase the planes – airlines such as Delta, United, and American. Those companies purchase systems that let passengers watch TV or movies from companies such as Panasonic Avionics Corp. or Thales Group.
The Federal Aviation Administration certifies IFE systems but the agency is concerned only that its failure would alter other plane functions. Typically, this concern has led to power supplies and data links for the IFE to be separated from other critical systems.
In recent years, however, cabling has been collapsed to save weight on modern airlines such as the Boeing 787 Dreamliner, and possibly even earlier aircraft. Now, several different systems on the aircraft utilize the same cables with data separation handled by what the airline industry calls isolation technologies.
Information security people would call them firewalls.
But whatever the name, they are intended to separate the data on IFE systems from the data on the avionics systems. It's the firewalls that aviation engineers have said will keep hackers going from the easily accessible IFE systems to the systems that keep the planes in the air.
Security researchers have shown time and time again – since the firewall concept was first invented – that firewalls can be bypassed, routed around, or just driven straight through. Researchers have done this on computer network firewalls, vehicle firewalls, and industrial control system firewalls. It's reasonable to assume that they can do the same for firewalls on airplanes.
The airline industry has a history of downplaying researchers' claims about inflight computers and air traffic control systems. They'll typically say that the research is merely theoretical and therefore the threats aren't real.
But if that was the case, why would the FBI be investigating Chris Roberts? Either what they claim he said about breaching an airplane is actually impossible and is the (not uncommon) result of hacker braggadocio, or it is possible – and then we have a serious problem on our hands.
The best way to find out is for the airline industry to let professional hackers go to work and see if we can penetrate their networks. The airline industry shouldn't follow the lead of automakers and keep quiet about potential vulnerabilities until they are forced to confront the issue.
It's only now – with millions of cars already connected to the Internet – that automakers are hiring information security professionals to help them understand the risks inherent in building vehicles equipped with advanced technology.
The airline industry shouldn't be so slow to act.
C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.