Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Don Bailey
Don Bailey
Connect Directly
E-Mail vvv

Hacking Airplanes: No One Benefits When Lives Are Risked To Prove A Point

In the brave new world of self-driving cars and Wifi-enabled pacemakers, everything we do as information security professionals, everything we hack, every joke we make on Twitter, has real, quantifiable consequences.

There are a lot of things Denver is known for being high on --  mostly altitude. Lately, it isn’t just the sticky green political battle that has been gaining attention. It’s the high-altitude antics of our local information security enthusiast Chris Roberts. But, like most highs and hacked aviation systems, this story is bound to plummet into the lifeless, high-desert plains. Why? News agencies are reporting that Chris Roberts, as a passenger, took control of an airplane mid flight by hacking the plane’s entertainment system, and was able to briefly redirect the flight’s course.

The fact is that the information security industry, the Department of Defense, the aviation industry, and other agencies, have known that this is possible for years. The capability itself is not news, and even if information security analysts want to presume they are the first to uncover a hole such as this, they aren’t. Embedded systems engineers, especially ones managing and building critical systems, are aware of these risks, and are continually working towards cost effective measures to combat these risks. After researching Internet of Things technology and embedded systems for over a decade, I came to realize that most engineering teams do understand the risks, but they are limited by budgetary constraints, talent, corporate politics, and time.

So how do we mitigate the risk? It’s not through a dramatic stunt such as redirecting the course of an airplane.To take control of a plane mid-flight, and potentially perform an action against the best judgment of the humans in control of the cockpit, against the flight management system that constantly evaluates sensors and statistical models far faster than a human is able to react, is a benefit to no one. Dramatizing the potential for loss of human life is a benefit to no one. No one wins by creating fear, uncertainty, and doubt. So why do it?

Over the past several years, the information security industry has exploded from a small group of loose-knit hackers who all knew each other, to an industry of millions of wannabe professionals vying for a speaker slot at the world-renowned Black Hat Briefings, DEFCON, or Hack In The Box security conferences. Our little universe has suddenly become saturated by newcomers that want to make a name for themselves, and stake a claim on the high salaries that come with notoriety. But, we’re also at a critical juncture in the technological advancement of the Internet, embedded systems, and accessibility.

The Internet of Things movement eschews the common perception of the Internet as a hidden highway of bits and bytes flowing through ethereal tubes, somehow disparate from the physical reality in which we all live. Instead, the IoT and modern embedded systems create a conglomeration of the human experience and the digital highway; fusing together the somatic human experience with intangible algorithmic expressions. The binding of these two universes means that, for the first time in human history, actions in an abstract virtual environment have a perceivable, tangible effect on the physical world. In other words, our thoughts now have consequences. Real consequences. And because of this, there are no more free thoughts. There is, instead, a quantifiable cost to everything we do as information security professionals.

When I performed the first remote hack of a vehicle security system in 2011 at Black Hat Briefings Las Vegas, I wasn’t aware of the real significance of what I had accomplished. To me, it was as simple as taking a small piece of technology and understanding its risks, and abusing its weaknesses, to achieve a goal that the device wasn’t meant to achieve. I knew that I had proven there was a new set of risks to users of IoT technology, but I wasn’t conscious of how entwined our lives would become in this next iteration of the Internet, nor did I realize how quickly IoT would explode into every aspect of our lives. It became obvious very quickly that we, as a society, were evolving far faster than we intended, as we turned the Internet into the Internet of Us; the human-digital existential experience. And, as we all know, innovation far outpaces sound security practices. 

Another early researcher into IoT technology, Barnaby Jack, proved that there was a direct risk to humans with his research into pacemaker hacking, automated saline drip systems, and even Automated Teller Machine (ATM) attacks. For about a year we happened to live in the same apartment building in San Francisco. One afternoon, months before he was scheduled to give a speech on pacemaker hacking at Black Hat, I ran into him in the elevator.

“What do you think is going to happen with this new era of embedded risks? Any predictions?” I asked.

“I don’t know, but I don’t think it’s going to be pretty.”

I’ll never forget how forlorn Barnes looked, realizing that our actions now meant human lives were hanging in the balance of information security professionals. It’s a scary thought, that the right hacker could save hundreds of thousands of lives, or harm them. It’s a scary thought that Andrew Auernheimer was sent to prison for far less than probing critical medical systems. It’s a scary thought that Aaron Schwartz was persecuted, and subsequently committed suicide, for simply downloading documents. It’s a scary thought that Stephen Watt was imprisoned for years for writing a computer program. It’s a scary thought that engineers are developing the next iteration of the Internet with no requirements from the government, or engineering organizations, to adhere to safety and security standards. It’s a scary thought that some of our own information security scene members would risk the lives of people on their own plane just to prove a point, far exceeding the legal sins of Andrew, Aaron, and Stephen.

As we traverse through this brave new world of technology and an industry saturated by newcomers throwing bows for attention and viability, we can’t allow our ranks to disintegrate into some Industry of Cool, where we only care about what will grab people’s attention. We now have to consider the end-user’s physical safety, and adhere to ethics that ensure the consumer is considered far before any headline grabbing desires. Risking the lives of the people we are supposedly trying to save is not just unethical, it’s abhorrent. We need to mature our industry beyond its infantile rock star thought models, and build a foundation of trust between our ranks, systems engineers, business owners, and especially consumers. Now, more than ever, consumers need us to speak on their behalf, not put them at risk.

Every topic we research, everything we hack, every joke we make on Twitter, now, more than ever, has a quantifiable cost. Think the next time you make a statement that could put those around you at tangible risk. Because now, in this brave new world of self-driving cars, WiFi-enabled pacemakers, and bionic limbs, there absolutely are no more free thoughts without consequences.

Don A. Bailey is a pioneer in security for mobile technology, the Internet of Things, and embedded systems. He has a long history of ground-breaking research, protecting mobile users from worldwide tracking systems, securing automobiles from remote attack, and mitigating ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/20/2015 | 3:25:02 PM
Re: Wired article hints it was simulation system, not real aircraft
Even though it is simulation and he did succeed to hack the simulation that is something we should take seriously. Simulation is most like a prototype and gives away vulnerabilities. I also say, this is not a way to earn credit, he can easily be discredited and I do not think he would take that risk if there is no vulnerability. 
User Rank: Ninja
5/20/2015 | 3:20:29 PM
Re: Remembering 911
Obviously we see mire cyber-attacks and there is a industry built behind that, lots of people are benefiting from each cyber-attack even though they are not involved in the attacks.
User Rank: Ninja
5/20/2015 | 3:06:30 PM
Re: Remembering 911
I could not consider 9/11 as cyber-attack, the reason it was not detected because it has not enough footprint on the cyber world.
User Rank: Ninja
5/20/2015 | 3:04:43 PM
TV system vs. Flight control system
I hope and assume there are some type of isolation so through a TV system you can not control plane's flight path. Remember, number one rule of security having layered approach, systems should be isolated.
User Rank: Apprentice
5/20/2015 | 11:38:59 AM
Wired article hints it was simulation system, not real aircraft
From reading the Wired magazine article ("Feds Say That Banned Researcher Commandeered a Plane"), I infer that he performed the engine control on a simulation system that he created using software he was able to obtain. Further corroborating this is that he says the Feds took one paragraph of his out of context, but he would not elaborate further.

Nice point about security researchers willing to go to great extents to make a name for themselves. Clearly Chris Roberts is in this camp, but my guess is that he did not commandeer a real aircraft.
User Rank: Ninja
5/20/2015 | 10:22:37 AM
Re: Remembering 911
User Rank: Guru
5/19/2015 | 8:59:04 PM
Remembering 911
That would benefit to cyberwarfare or terrorist attacks such as the 911 incidence. In addition, it also provided an evidence to a possbility of the missing MH370 - which may still be in the desert of Australia.


The simpliest benefit is on demanding ransom. 


All in all, power corrupt - hacking abilities escalates the desires of cybercriminal who will generate infinite possibilities.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This ...
PUBLISHED: 2021-05-13
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to This issue does not affect: QNAP...
PUBLISHED: 2021-05-13
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3...
PUBLISHED: 2021-05-13
An Authentication Bypass vulnerability in the SAML Authentication component of BlackBerry Workspaces Server (deployed with Appliance-X) version(s) 10.1, 9.1 and earlier could allow an attacker to potentially gain access to the application in the context of the targeted user’s acco...
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.