Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/19/2015
02:30 PM
Don Bailey
Don Bailey
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Hacking Airplanes: No One Benefits When Lives Are Risked To Prove A Point

In the brave new world of self-driving cars and Wifi-enabled pacemakers, everything we do as information security professionals, everything we hack, every joke we make on Twitter, has real, quantifiable consequences.

There are a lot of things Denver is known for being high on --  mostly altitude. Lately, it isn’t just the sticky green political battle that has been gaining attention. It’s the high-altitude antics of our local information security enthusiast Chris Roberts. But, like most highs and hacked aviation systems, this story is bound to plummet into the lifeless, high-desert plains. Why? News agencies are reporting that Chris Roberts, as a passenger, took control of an airplane mid flight by hacking the plane’s entertainment system, and was able to briefly redirect the flight’s course.

The fact is that the information security industry, the Department of Defense, the aviation industry, and other agencies, have known that this is possible for years. The capability itself is not news, and even if information security analysts want to presume they are the first to uncover a hole such as this, they aren’t. Embedded systems engineers, especially ones managing and building critical systems, are aware of these risks, and are continually working towards cost effective measures to combat these risks. After researching Internet of Things technology and embedded systems for over a decade, I came to realize that most engineering teams do understand the risks, but they are limited by budgetary constraints, talent, corporate politics, and time.

So how do we mitigate the risk? It’s not through a dramatic stunt such as redirecting the course of an airplane.To take control of a plane mid-flight, and potentially perform an action against the best judgment of the humans in control of the cockpit, against the flight management system that constantly evaluates sensors and statistical models far faster than a human is able to react, is a benefit to no one. Dramatizing the potential for loss of human life is a benefit to no one. No one wins by creating fear, uncertainty, and doubt. So why do it?

Over the past several years, the information security industry has exploded from a small group of loose-knit hackers who all knew each other, to an industry of millions of wannabe professionals vying for a speaker slot at the world-renowned Black Hat Briefings, DEFCON, or Hack In The Box security conferences. Our little universe has suddenly become saturated by newcomers that want to make a name for themselves, and stake a claim on the high salaries that come with notoriety. But, we’re also at a critical juncture in the technological advancement of the Internet, embedded systems, and accessibility.

The Internet of Things movement eschews the common perception of the Internet as a hidden highway of bits and bytes flowing through ethereal tubes, somehow disparate from the physical reality in which we all live. Instead, the IoT and modern embedded systems create a conglomeration of the human experience and the digital highway; fusing together the somatic human experience with intangible algorithmic expressions. The binding of these two universes means that, for the first time in human history, actions in an abstract virtual environment have a perceivable, tangible effect on the physical world. In other words, our thoughts now have consequences. Real consequences. And because of this, there are no more free thoughts. There is, instead, a quantifiable cost to everything we do as information security professionals.

When I performed the first remote hack of a vehicle security system in 2011 at Black Hat Briefings Las Vegas, I wasn’t aware of the real significance of what I had accomplished. To me, it was as simple as taking a small piece of technology and understanding its risks, and abusing its weaknesses, to achieve a goal that the device wasn’t meant to achieve. I knew that I had proven there was a new set of risks to users of IoT technology, but I wasn’t conscious of how entwined our lives would become in this next iteration of the Internet, nor did I realize how quickly IoT would explode into every aspect of our lives. It became obvious very quickly that we, as a society, were evolving far faster than we intended, as we turned the Internet into the Internet of Us; the human-digital existential experience. And, as we all know, innovation far outpaces sound security practices. 

Another early researcher into IoT technology, Barnaby Jack, proved that there was a direct risk to humans with his research into pacemaker hacking, automated saline drip systems, and even Automated Teller Machine (ATM) attacks. For about a year we happened to live in the same apartment building in San Francisco. One afternoon, months before he was scheduled to give a speech on pacemaker hacking at Black Hat, I ran into him in the elevator.

“What do you think is going to happen with this new era of embedded risks? Any predictions?” I asked.

“I don’t know, but I don’t think it’s going to be pretty.”

I’ll never forget how forlorn Barnes looked, realizing that our actions now meant human lives were hanging in the balance of information security professionals. It’s a scary thought, that the right hacker could save hundreds of thousands of lives, or harm them. It’s a scary thought that Andrew Auernheimer was sent to prison for far less than probing critical medical systems. It’s a scary thought that Aaron Schwartz was persecuted, and subsequently committed suicide, for simply downloading documents. It’s a scary thought that Stephen Watt was imprisoned for years for writing a computer program. It’s a scary thought that engineers are developing the next iteration of the Internet with no requirements from the government, or engineering organizations, to adhere to safety and security standards. It’s a scary thought that some of our own information security scene members would risk the lives of people on their own plane just to prove a point, far exceeding the legal sins of Andrew, Aaron, and Stephen.

As we traverse through this brave new world of technology and an industry saturated by newcomers throwing bows for attention and viability, we can’t allow our ranks to disintegrate into some Industry of Cool, where we only care about what will grab people’s attention. We now have to consider the end-user’s physical safety, and adhere to ethics that ensure the consumer is considered far before any headline grabbing desires. Risking the lives of the people we are supposedly trying to save is not just unethical, it’s abhorrent. We need to mature our industry beyond its infantile rock star thought models, and build a foundation of trust between our ranks, systems engineers, business owners, and especially consumers. Now, more than ever, consumers need us to speak on their behalf, not put them at risk.

Every topic we research, everything we hack, every joke we make on Twitter, now, more than ever, has a quantifiable cost. Think the next time you make a statement that could put those around you at tangible risk. Because now, in this brave new world of self-driving cars, WiFi-enabled pacemakers, and bionic limbs, there absolutely are no more free thoughts without consequences.

Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/20/2015 | 3:25:02 PM
Re: Wired article hints it was simulation system, not real aircraft
Even though it is simulation and he did succeed to hack the simulation that is something we should take seriously. Simulation is most like a prototype and gives away vulnerabilities. I also say, this is not a way to earn credit, he can easily be discredited and I do not think he would take that risk if there is no vulnerability. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/20/2015 | 3:20:29 PM
Re: Remembering 911
Obviously we see mire cyber-attacks and there is a industry built behind that, lots of people are benefiting from each cyber-attack even though they are not involved in the attacks.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/20/2015 | 3:06:30 PM
Re: Remembering 911
I could not consider 9/11 as cyber-attack, the reason it was not detected because it has not enough footprint on the cyber world.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/20/2015 | 3:04:43 PM
TV system vs. Flight control system
I hope and assume there are some type of isolation so through a TV system you can not control plane's flight path. Remember, number one rule of security having layered approach, systems should be isolated.
mulfinge
50%
50%
mulfinge,
User Rank: Apprentice
5/20/2015 | 11:38:59 AM
Wired article hints it was simulation system, not real aircraft
From reading the Wired magazine article ("Feds Say That Banned Researcher Commandeered a Plane"), I infer that he performed the engine control on a simulation system that he created using software he was able to obtain. Further corroborating this is that he says the Feds took one paragraph of his out of context, but he would not elaborate further.

Nice point about security researchers willing to go to great extents to make a name for themselves. Clearly Chris Roberts is in this camp, but my guess is that he did not commandeer a real aircraft.
ODA155
50%
50%
ODA155,
User Rank: Ninja
5/20/2015 | 10:22:37 AM
Re: Remembering 911
Wow...
HCHENG085
50%
50%
HCHENG085,
User Rank: Guru
5/19/2015 | 8:59:04 PM
Remembering 911
That would benefit to cyberwarfare or terrorist attacks such as the 911 incidence. In addition, it also provided an evidence to a possbility of the missing MH370 - which may still be in the desert of Australia.

 

The simpliest benefit is on demanding ransom. 

 

All in all, power corrupt - hacking abilities escalates the desires of cybercriminal who will generate infinite possibilities.
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...