May 19, 2015

The Mile High Club, of IoT of Course… — Bastille

The Mile High Club, of IoT of Course…

A very elite club was just created by Chris Roberts, if his allegations of commandeering an airplane are true. Modern day transportation relies heavily on remote access to the outside world…and consumer trust. These two things have been at odds recently, ever since the world read a tweet from Chris Roberts, in which he jokingly suggested releasing oxygen masks while aboard a commercial flight. Whether or not Roberts was actually joking about hacking the aircraft is up for debate, but the move led the Government Accountability Office to issue a warning about potential vulnerabilities to aircraft systems via in-flight Wi-Fi.

What may be of more grave concern is that Mr. Roberts claims that he dismantled passenger seats 15-20 times, plugged in a CAT6 cable and fired up Kali Linux, or at least that’s what’s said in the search warrant. If I were the passenger sitting next to him, it probably would have resulted in a call the flight attendant to notify the air marshal on board. As a pilot myself, having a passenger issue a climb command and remotely monitor the cockpit would be disturbing to say the least. But, maybe he did. And perhaps this is a wake up call for all transportation industries to heavily consider security before they implement Internet connectivity.

While the aviation industry is downplaying the claims, United Airways (the airline that banned Mr. Roberts for his attempt at in flight humor) is taking security seriously. The airline has issued a bug bounty, compensating hackers with flight miles for reporting vulnerabilities in United’s tech team. Though, and it’s important to note, there’s no reward for debugging anything having to do with in-flight Wi-Fi or on-board systems. They’ve even gone so far as to warn that any attempt to access live systems would result in criminal consequences.

While I agree that we don’t want every 16-year-old script kiddie trying to tamper with people’s lives at 35,000 feet, we do wonder if United or any of the other major carriers would be willing to park a plane at Black Hat. Surely if they were certain that there is no way to exploit the pilot’s aviation systems, they would be willing to allow expert researchers to have a look while the plane is on the ground? Tremendous insight and overall global information security could only improve if a major carrier or manufacturer hosted a hack week on a Dreamliner on the tarmac at McCarran international.

I’ll issue that as my own personal challenge to security minded commercial airline companies – allow these white hats access to a plane in a safe location so that you can be certain your passengers are safe. Right now, we’ve got claims, and refutes, but no one is really saying much more than that. Remove the doubt.

As for the concern at hand, this isn’t the first time that white hat hackers have claimed to be able to access, and potentially control or damage commercial aircraft with simple methods. In 2013, a hacker by the name of Hugo Teso debuted an Android phone app at Hack in the Box, the Amsterdam con that draws thousands of security researchers, claiming he could override the autopilot from the smart phone. By simply pushing a message through the communication system (ACARS), which he claimed had no security, and that the exploit could actually be done remotely from the ground. This was all done in a lab, of course. But, it was a strong thesis. And for those that are wondering about the app – it was never intended for public consumption.

For now, the good news remains that these guys are on the right side, having no other motivation than to make air travel safer. But as we move into a world where transportation is more heavily reliant on Internet communication and embedded sensors, these types of vulnerabilities will have the potential to fall into the wrong hands with devastating consequences. This is why IoT security has to remain first priority, above and beyond any conveniences or cost savings.

And for the record, if Chris Roberts did in fact breach a plane in flight, I do not ever condone that by any person – no matter how smart or well intentioned. I’ll leave by once again reiterating my offer to the airlines. Park one of these on the ground and let us help you make air travel as safe as possible.

Close your cybersecurity gaps with AI-driven wireless visibility

See Bastille in action with a live demo from our experts in wireless threat detection.