There are two evolutions happening simultaneously that pose major threats for cyber security. One of them is the mounting sophistication of cyber criminals. Once amateur and unorganized, criminal hackers now operate with a formidable level of global connectedness – and they have the skills to match. The other evolution involves the infusion of intelligent capabilities into objects beyond computers and similar devices.
This movement, called the Internet of Things, is already changing the way we live. From smart lighting systems to Wi-Fi-enabled refrigerators, IoT devices are beginning to populate our homes, and it’s not hard to imagine a future where every element in our lives – from the house we wake up in to the car we drive to work in the morning – is not only equipped with intelligent capabilities, but is connected to every other thing we own. Your house alerts your car that you’ve woken up, and the car warms up in preparation for the drive to work. This is the kind of reality that’s close on the horizon.
But with the parallel growth of hackers and IoT technology, there’s one major problem we’ll face: security. As hackers refine their skill sets, they’ll increasingly look for the easiest vulnerabilities to exploit. Meanwhile, with IoT devices rapidly evolving, there’s not the security infrastructure to match that growth. This creates an ideal scenario for cyber criminals.
In the relatively brief history of the cyber sphere, a trend has emerged among cyber security experts seeking to reveal major security flaws. What these experts will do is carry out an actual hack to demonstrate what the real bad guys will do. The practice, called white hat hacking, has proven helpful in a wide array of industrial sectors. In 2011, for instance, some white hat hackers discovered that a high-tech prison had a security vulnerability wherein hackers could open doors and tamper with alarms within the facility – all while working remotely. Also in 2011, a man named Jay Radcliffe revealed that insulin pumps for diabetes patients could be hacked, thereby putting the lives of those who used them in jeopardy. But white hat hacking like this is a divisive practice. While some people look to these hackers as noble for exposing massive cyber security flaws, others see their practices as criminal. After all, they did carry out the hack to prove their point. This is the story of a recent white hat hack situation that took place at 38,000 feet in the air.
Chris Roberts: Flight risk or flaw revealer – or both?
Recently, Chris Roberts boarded a United Airlines plane in Denver, bound for Chicago. When he landed in Chicago, he got on another flight to Philadelphia. By the time he landed there, FBI agents nabbed him and hauled him off for questioning. Search warrant in hand, they also confiscated and began examining all his tech equipment.
Their detention of Roberts had been prompted by a tweet he sent out mid-flight while on the plane to Chicago. His tweet suggested that he’d hacked into the entertainment system of the Boeing 737 he was flying on. But in his subsequent interview with the FBI, Roberts made a bold and shocking claim: Not only had he hacked in-flight entertainment systems on many occasions – reportedly between 15 and 20 times – but he had also once been able to use his access to the entertainment system to get into the avionics system, according to The Christian Science Monitor. From there, he claims he’d been able to send out an administrative command that led directly to a “lateral or sideways movement of the plane during one of these flights.”
In short, Roberts was allegedly able to turn a plane sideways from his passenger seat by busting into an electronics box under his seat. The idea that this happened is disconcerting to say the least. If Roberts was able, as he claimed, to manipulate the flight course of a 737 by breaching his Seat Electronic Box, what other hacks could be in store for the aviation industry? Roberts reportedly exposed a scary reality by carrying it out. But does that make him a criminal, or someone who’s merely sounding – albeit in a provocative fashion – a much-needed alarm?
Roberts sees himself as falling into the latter category. In a recent tweet, for instance, he wrote, “Over last 5 years my only interest has been to improve aircraft security … given the current situation I’ve been advised against saying much.”
While Roberts’ actions – and the FBI’s involvement with his case – may be preventing him from offering much in the way of commentary on his actions, that hasn’t stopped media outlets from having their own spirited debate about the unique situation Roberts’ actions pose. In a piece for the Centre Daily Times entitled “Don’t punish plane hacker: Learn from him,” Leonid Bershidsky argues that Roberts’ gaining administrative access to the 737 was a helpful deed that should lead to security patches.
“It’s in the interests of authorities and aircraft builders to find out what he knows, and maybe even let him continue his experiments,” Bershidsky stated. “I’d be surprised if the manufacturers aren’t already thinking about removing those electronic boxes under the seats or shutting off in-flight entertainment systems until they can be secured. And there’s almost certainly another vulnerability no one has found yet.”
The reality is that legally, Roberts inhabits a grey area. In one sense, he did something criminal, since he knowingly breached a system to which he did not have administrative approval and used that breach to carry out an act that potentially put human lives at risk. But in another way, Roberts’ actions are also hugely helpful to both authorities and United Airlines. And in fact, as a NewsFix video coverage points out, United has a policy in place offering flyer mile rewards to hackers who reveal security bugs. For things like authentication bypass and timing attacks, United is willing to shell out 250,000 award miles. For a remote code execution, the payout can be up to 1,000,000 miles.
So that begs the question: Should Roberts face prosecution, or enjoy a whole lot of free United flights? There’s no clear answer yet. But what is clear stemming from the Roberts incident is that cyber crime is on the cusp of a dangerous new phase. Hackers stealing credit cards is one thing. But cyber criminals commandeering a plane or a car – that’s when human lives enter into the balance. All the reporting on the Roberts case suggests that Roberts had no malicious motives in his airline hacks. His only goal seemed to be to prove that he could do it. But there are other hackers out there – the ones Roberts says he’s working to stave off – who have far more malicious intentions.
Now that the threat that cyber crime poses to human safety is out there in the open, it may help spur more proactive cyber defense strategies among governments, businesses and individuals. With hackers gaining power and more devices acquiring intelligent capabilities, the need to protect the virtual sphere has never been greater. For shedding light on this issue, at least, Roberts deserves some measure of recognition.