Date: 2015-05-25
May 26 - Security researcher Chris Roberts made
headlines last month when he was hauled off a plane in New York
by the FBI and accused of hacking into flight controls via his
underseat entertainment unit.
Other security researchers say Roberts - who was quoted by
the FBI as saying he once caused "a sideways movement of the
plane during a flight" - has helped draw attention to a wider
issue: that the aviation industry has not kept pace with the
threat hackers pose to increasingly computer-connected
airplanes.
Through his lawyer, Roberts said his only interest had been
to "improve aircraft security."
"This is going to drive change. It will force the hand of
organisations (in the aviation industry)," says Jonathan Butts,
a former US Air Force researcher who now runs a company working
on IT security issues in aviation and other industries.
As the aviation industry adopts communication protocols
similar to those used on the Internet to connect cockpits,
cabins and ground controls, it leaves itself open to the
vulnerabilities bedevilling other industries - from finance to
oil and gas to medicine.
"There's this huge issue staring us in the face," says Brad
Haines, a friend of Roberts and a security researcher focused on
aviation. "Are you going to shoot the messenger?"
More worrying than people like Roberts, said Mark Gazit, CEO
of Israel-based security company ThetaRay, are the hackers
probing aircraft systems on the quiet. His team found Internet
forum users claiming to have hacked, for example, into cabin
food menus, ordering free drinks and meals.
That may sound harmless enough, but Gazit has seen a similar
pattern of trivial exploits evolve into more serious breaches in
other industries. "It always starts this way," he says.
ANXIOUS AIRLINES
The red flags raised by Roberts' case are already worrying
some airlines, says Ralf Cabos, a Singapore-based specialist in
inflight entertainment systems.
One airline official at a recent trade show, he said, feared
the growing trend of offering inflight WiFi allowed hackers to
gain remote access to the plane. Another senior executive
demanded that before discussing any sale, vendors must prove
their inflight entertainment systems do not connect to critical
flight controls.
Panasonic Corp and Thales SA, whose
inflight entertainment units Roberts allegedly compromised,
declined to answer detailed questions on their systems, but both
said they take security seriously and their devices were
certified as secure.
Airplane maker Boeing Co says that while such systems
do have communication links, "the design isolates them from
other systems on planes performing critical and essential
functions." European rival Airbus said its aircraft are
designed to be protected from "any potential threats coming from
the In-Flight-Entertainment System, be it from Wi-Fi or
compromised seat electronic boxes."
Steve Jackson, head of security at Qantas Airways Ltd,
said the airline's "extremely stringent security
measures" would be "more than enough to mitigate any attempt at
remote interference with aircraft systems."
CIRCUMVENTING
But experts question whether such systems can be completely
isolated. An April report by the U.S. General Accountability
Office quoted four cybersecurity experts as saying firewalls
"could be hacked like any other software and circumvented,"
giving access to cockpit avionics - the machinery that pilots
use to fly the plane.
That itself reflects doubts about how well an industry used
to focusing on physical safety understands cybersecurity, where
the threat is less clear and constantly changing.
The U.S. National Research Council this month issued a
report on aviation communication systems saying that while the
Federal Aviation Administration, the U.S. regulator, realised
cybersecurity was an issue, it "has not been fully integrated
into the agency's thinking, planning and efforts."
The chairman of the research team, Steven Bellovin of
Columbia University, said the implications were worrying, not
just for communication systems but for the computers running an
aircraft. "The conclusion we came to was they just didn't
understand software security, so why would I think they
understand software avionics?" he said in an interview.
SLOW RESPONSE
This, security researchers say, can be seen in the slow
response to their concerns.
The International Civil Aviation Organisation (ICAO) last
year highlighted long-known vulnerabilities in a new aircraft
positioning communication system, ADS-B, and called for a
working group to be set up to tackle them.
Researchers like Haines have shown that ADS-B, a replacement
for radar and other air traffic control systems, could allow a
hacker to remotely give wrong or misleading information to
pilots and air traffic controllers.
And that's just the start. Aviation security consultant
Butts said his company, QED Secure Solutions, had identified
vulnerabilities in ADS-B components that could give an attacker
access to critical parts of a plane.
But since presenting his findings to vendors, manufacturers
and the industry's security community six months ago he's had
little or no response.
"This is just the tip of the iceberg," he says.
(Additional reporting by Siva Govindasamy; Editing by Ian
Geoghegan)