For the past couple of days the security industry has been discussing claims that the systems of a commercial aircraft were “hacked” via the on-board inflight entertainment system (IFE). This became public after a search warrant was obtained by media outlets which revealed that the Federal Bureau of Investigation had applied for a search warrant targeting Chris Roberts, a researcher looking into airplane security. The warrant alleged that Roberts could “hack” the IFE systems of various commercial planes and had issued what he called the “CLB” or climb command. At the time of this warrant, Roberts had made the following tweet:
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? 🙂
— Chris Roberts (@Sidragon1) April 15, 2015
This led to Roberts being escorted off his flight and various electronic items (including his iPad, his laptop, and various USB keys) being seized.
Reaction from both the security and aviation communities was swift. Some viewed Roberts’s actions as unethical. Many were upset that Roberts had chosen to perform his “attack” on a plane during an actual commercial flight. The veracity of his claims was doubted by many as well, and this was a reaction shared by many in the aviation community.
What do I think happened? I don’t think he hacked into the airplane’s critical systems. Other technical factors aside, he was on the plane. Unless we’re supposed to believe he was some sort of suicide hacker, he would probably not want to cause any actual harm.
Security research should be carried out in a controlled environment. We’ve carried out research into AIS systems, and we are currently carrying out research into in-car systems. We did not start out right away with real-life boats. For our car research, we rented cars and started out in parking lots, gradually making the environment more closely resemble real-world environments. (We are now working with the car manufacturer in question.) Doing any actual “tests” in a scenario without the consent of the parties concerned (such as the airline or other passengers) is not the way to go about this.
Of course, sometimes vendors do not respond well to researchers who want to work with them. When we were conducting our own AIS research, we were rebuffed because Trend Micro is not a country, and the organization in question only dealt with member-countries. We went ahead and publicized our research anyway, and now the first organizations have taken action and switched to encrypted AIS to protect themselves against the threats we talked about.
The reaction to this incident reminds me of earlier days in software security, when companies were reluctant to admit that their products could contain vulnerabilities, and when security through obscurity was viewed as a proper defense. The responses of the FBI (shutting down the research) and of airplane/IFE manufacturers (refusing to disclose details) are natural ones. Adding security costs real money, and vendors are reluctant to spend resources that they do not have to.
Whatever you think of Roberts and what he did or didn’t do, the fact is that the topic of airplane security is now out in the open. Like any other system, there are bugs somewhere in this system; no human-built system is 100% error-free. It will be up to governments and regulators to force vendors (both of airplanes and IFE systems) to move beyond simple security-through-obscurity and demonstrate that existing systems are secure, and to fix any vulnerabilities that do come to light. Who knows, perhaps the systems that are in place have been designed in a robust and secure manner and do a good job of keeping attackers out. Until the mindset changes, though, we can’t be 100% sure.
If you think this is only relevant to aviation, you’re wrong. It just happens to be one of the most visible aspects of the computerization of everything, what others would call the Internet of Things. Other sectors will have to deal with their own challenges soon enough, and the quicker we learn how to do just that, the better it turns out for everybody.