“Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions”
This quote comes from an April 14, 2015 Security Ledger blog, GAO Warns of Cyber Risks In-Flight, which reports on a US Government Accountability Office (GAO) warning to the U.S. Federal Aviation Administration(FAA). The GAO April 2015 Report found that “As the agency transitions to the Next Generation Air Transportation System (NextGen), the Federal Aviation Administration (FAA) faces cybersecurity challenges in at least three areas: (1) protecting air-traffic control (ATC) information systems, (2) protecting aircraft avionics used to operate and guide aircraft, and (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices.”
The plot thickens in a follow up April 17, 2015 Security Ledger blog, Update: Hacker on a Plane: FBI Seizes Researcher’s Gear. The blog gives details of the FBI affidavit and also quotes from an interview with the “hacker”, Chris Roberts, who is founder and Chief Technology Officer of One World Labs, a security intelligence firm. The blog notes that “Roberts said he had met with the Denver office of the FBI two months ago and was asked to back off from his research on avionics – a request he said he agreed to. But recent weeks have seen him get high profile media attention from Fox news and CNN, who ran stories about the danger of hacking into airplanes in flight. Those stories apparently got the attention of federal authorities, Roberts said”
Quotes from Chris Roberts include “This has been a known issue for 4 or 5 years where a bunch of us has stood up and pounded our chest and said this is an issue…Are they pissed because there are credible threats and we’re giving those credible threats more intelligence, or because we’re standing up and saying ‘there’s a problem,’ or because they can’t get anywhere with this? I don’t know.”
The April 17, 2015 Security Ledger blog also notes that Chris Roberts “ is one of a cadre of computer security experts looking at the security of avionics systems. Among them are Ruben Santamarta a Principal Security Consultant for the firm IOActive who demonstrated last year how satellite based communications devices (SatCom) used to provide Internet access to planes in flight could be used to gain access to cockpit based avionics equipment. Another: Brad “RenderMan” Haines has also demonstrated methods for moving from in-flight entertainment systems to critical control systems aboard planes.”
But wait, there’s more! It’s not just the FAA and the airline manufacturers who are failing to respond to issues raised by security researchers. An April 14, 2015 Security Ledger blog, Windows Bug From 1997 Enables Credential Theft, notes that “Researchers from the firm Cylance warned that an unpatched security flaw first discovered in 1997 could be used to attack a wide range of popular applications and steal user credentials.“ This resulted in Carnegie Mellon’s CERT (Computer Emergency Response Team) issuing a warning about “an exploitable vulnerability in all supported versions of Windows, as well as software by dozens of other vendors that could be used to steal user credentials and compromise vulnerable systems.”
And still more! In a May 19, 2015 Security Ledger blog, Everything Tastes Better with Bluetooth: Understanding IoT Risk, Marc Blackmer of Cisco explains how a hacker could use a Bluetooth connection to a wearable device to compromise a corporate network. This is one example of risks arising from the Internet of Things.
See also the article Application Security: Disasters Waiting To Happen? in this Issue for other recent details of potentially disastrous security vulnerabilities.