Spy in the Sky – are planes hacker-proof?

My take on aviation cybersecurity for Reuters: Plane safe? Hacker case points to deeper cyber issues:

“Plane safe? Hacker case points to deeper cyber issues

BY JEREMY WAGSTAFF

Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit.

Other security researchers say Roberts – who was quoted by the FBI as saying he once caused ‘a sideways movement of the plane during a flight’ – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Through his lawyer, Roberts said his only interest had been to ‘improve aircraft security.’

‘This is going to drive change. It will force the hand of organizations (in the aviation industry),’ says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries.

As the aviation industry adopts communication protocols similar to those used on the Internet to connect cockpits, cabins and ground controls, it leaves itself open to the vulnerabilities bedevilling other industries – from finance to oil and gas to medicine.

‘There’s this huge issue staring us in the face,’ says Brad Haines, a friend of Roberts and a security researcher focused on aviation. ‘Are you going to shoot the messenger?’

More worrying than people like Roberts, said Mark Gazit, CEO of Israel-based security company ThetaRay, are the hackers probing aircraft systems on the quiet. His team found Internet forum users claiming to have hacked, for example, into cabin food menus, ordering free drinks and meals.

That may sound harmless enough, but Gazit has seen a similar pattern of trivial exploits evolve into more serious breaches in other industries. ‘It always starts this way,’ he says.

ANXIOUS AIRLINES

The red flags raised by Roberts’ case are already worrying some airlines, says Ralf Cabos, a Singapore-based specialist in inflight entertainment systems.

One airline official at a recent trade show, he said, feared the growing trend of offering inflight WiFi allowed hackers to gain remote access to the plane. Another senior executive demanded that before discussing any sale, vendors must prove their inflight entertainment systems do not connect to critical flight controls.

Panasonic Corp and Thales SA, whose inflight entertainment units Roberts allegedly compromised, declined to answer detailed questions on their systems, but both said they take security seriously and their devices were certified as secure.

Airplane maker Boeing Co says that while such systems do have communication links, ‘the design isolates them from other systems on planes performing critical and essential functions.’ European rival Airbus said its aircraft are designed to be protected from ‘any potential threats coming from the In-Flight-Entertainment System, be it from Wi-Fi or compromised seat electronic boxes.’

Steve Jackson, head of security at Qantas Airways Ltd, said the airline’s ‘extremely stringent security measures’ would be ‘more than enough to mitigate any attempt at remote interference with aircraft systems.’

CIRCUMVENTING

But experts question whether such systems can be completely isolated. An April report by the U.S. General Accountability Office quoted four cybersecurity experts as saying firewalls ‘could be hacked like any other software and circumvented,’ giving access to cockpit avionics – the machinery that pilots use to fly the plane.

That itself reflects doubts about how well an industry used to focusing on physical safety understands cybersecurity, where the threat is less clear and constantly changing.

The U.S. National Research Council this month issued a report on aviation communication systems saying that while the Federal Aviation Administration, the U.S. regulator, realized cybersecurity was an issue, it ‘has not been fully integrated into the agency’s thinking, planning and efforts.’

The chairman of the research team, Steven Bellovin of Columbia University, said the implications were worrying, not just for communication systems but for the computers running an aircraft. ‘The conclusion we came to was they just didn’t understand software security, so why would I think they understand software avionics?’ he said in an interview.

SLOW RESPONSE

This, security researchers say, can be seen in the slow response to their concerns.

The International Civil Aviation Organisation (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them.

Researchers like Haines have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.

And that’s just the start. Aviation security consultant Butts said his company, QED Secure Solutions, had identified vulnerabilities in ADS-B components that could give an attacker access to critical parts of a plane.

But since presenting his findings to vendors, manufacturers and the industry’s security community six months ago he’s had little or no response.

‘This is just the tip of the iceberg,’ he says.

(Additional reporting by Siva Govindasamy; Editing by Ian Geoghegan)”

Cabin Fever

Flight International reports (sorry, can’t find a link, but here are some similar stories from Thisislondon and New Electronics) that “BAE Systems and its research partners have completed initial tests with an in-cabin computer vision system intended to identify suspect behaviour by potential terrorists.” Seems the system involves cameras in the cabin with software that analyses the image “for movement or other actions that indicate an unruly or potentially dangerous individual, whether seated or standing.” Some of this, says BAE Systems Advanced Technology Centre human factors specialist Katherine Neary, involves face recognition. Given most people behave badly on airlines, I think they’re going to have to tweak their algorithms if they don’t want to subdue everyone on the flight.

I think I’d prefer an airline like Thailand’s Nok Air, which takes a friendlier attitude to passengers. According to Flight, the low-cost carrier “is expanding its fleet of Boeing 737-400s and its fleet of scantily-dressed ‘PDA girls’” who help check in passengers that only have carry-on bags. Chief executive Patee Sarasin tries not to sound surprised when he says “It’s been fantastically well received”. Of course he then spoils it by adding: “It is very efficient and costs you less than $4.00 a day to have these girls walking around in Thailand.”

Khun Patee’s walking check-in counters

Data That Blows Up in Your Face

Great idea, this one: A USB flash drive that looks like a balloon (or a handbag) and that changes size depending on how much space there is left on the drive (via the excellent infosthetics and randomly good stuff):

When empty the flashbag is small, like a sack, and then it balloons up as stuff is added, alerting the owner that it’s time to get another one or shift some stuff. What isn’t quite clear is what happens when it’s full. The blurb suggests a violent end:

When the device is about to blow up you will see the familiar error message on your screen: “There is not enough free space”.

I think the author, designer Dima Komissarov, may not quite mean that, although it does have interesting implications for data storage. People might be a bit more careful with what they load onto their storage devices if excessive downloading brings the risk of explosion. Might be worth honing the concept before it hits the shelves.

 
 

News: The Future Of Inflight Entertainment, From A Baggage Handler

Nice, interesting story about an Alaska Airlines baggage handler who has come up with the digEplayer, a 2.4-pound, battery-powered unit that can hold up to 30 full-length movies, hours of digital music, maps, cartoons, sitcoms, language courses and travel promotions. It’s an inflight entertainment system that will start appearing on Alaska Airlines next month: The units, which cost a little more than $1,000, will be provided free to first-class passengers. Passengers in the main cabin will be able to rent the media players for $10 or reserve them before boarding for $8.