
Mile-High Hacking: Should You Worry?

  • Posted on: May 19, 2015 at 9:10 am
  • Posted in: Malware
  • Author: Martin Roesler (Director, Threat Research)

For the past couple of days the security industry has been discussing claims that the systems of a commercial aircraft were “hacked” via the on-board inflight entertainment system (IFE). This became public after a search warrant was obtained by media outlets which revealed that the Federal Bureau of Investigation had applied for a search warrant targeting Chris Roberts, a researcher looking into airplane security. The warrant alleged that Roberts could “hack” the IFE systems of various commercial planes and issued what he called the “CLB” or climb command. At the time of this warrant, Roberts had made the following tweet:

Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? 🙂

— Chris Roberts (@Sidragon1) April 15, 2015

This led to Roberts being escorted off his flight and various electronic items (including his iPad, his laptop, and various USB keys) being seized.

Reaction from both the security and aviation communities was swift. Some viewed Roberts’s actions as unethical. Many were upset that Roberts had chosen to perform his “attack” on a plane during an actual commercial flight. The veracity of his claims was doubted by many as well, and this was a reaction shared by many in the aviation community.

What do I think happened? I don’t think he hacked into the airplane’s critical systems. Other technical factors aside, he was on the plane. Unless we’re supposed to believe he was some sort of suicide hacker, he would probably not want to cause any actual harm.

Security research should be carried out in a controlled environment. We’ve carried out research into AIS systems, and we are currently carrying out research into in-car systems. We did not start out right away with real-life boats. For our car research, we rented cars and started out in parking lots, gradually making the environment more closely resemble real-world environments. (We are now working with the car manufacturer in question.) Doing any actual “tests” in a scenario without the consent of the parties concerned (such as the airline or other passengers) is not the way to go about this.

Of course, sometimes vendors do not respond well to researchers who want to work with them. When we were conducting our own AIS research, we were rebuffed because Trend Micro is not a country, and the organization in question only dealt with member-countries. We went ahead and publicized our research anyway, and now the first organizations have taken action and switched to encrypted AIS to protect themselves against the threats we talked about.

The reaction to this incident reminds me of earlier days in software security, when companies were reluctant to admit that their products could contain vulnerabilities, when security through obscurity was viewed as a proper defense. The responses of the FBI (to shut down the research) and of airplane/IFE manufacturers (to refuse to disclose details) are natural responses. Adding security costs real money, and vendors are reluctant to spend resources that they do not have to.

Whatever you think of Roberts and what he did or didn’t do, the fact is that the topic of airplane security is now out in the open. Like any other system, there are bugs somewhere in this system; no human-built system is 100% error-free. It will be up to governments and regulators to force vendors (both of airplanes and IFE systems) to move beyond simple security-through-obscurity and demonstrate that existing systems are secure, and to fix any vulnerabilities that do come to light. Who knows, perhaps the systems that are in place have been designed in a robust and secure manner and do a good job of keeping attackers out. Until the mindset changes, though, we can’t be 100% sure.

If you think this is only relevant to aviation, you’re wrong. It just happens to be one of the most visible aspects of the computerization of everything, what others would call the Internet of Things. Other sectors will have to deal with their own challenges soon enough, and the quicker we learn how to do just that, the better it turns out for everybody.
