Other security researchers say Roberts - who was quoted by the FBI
as saying he once caused "a sideways movement of the plane during a
flight" - has helped draw attention to a wider issue: that the
aviation industry has not kept pace with the threat hackers pose to
increasingly computer-connected airplanes.
Through his lawyer, Roberts said his only interest had been to
"improve aircraft security."
"This is going to drive change. It will force the hand of
organizations (in the aviation industry)," says Jonathan Butts, a
former US Air Force researcher who now runs a company working on IT
security issues in aviation and other industries.
As the aviation industry adopts communication protocols similar to
those used on the Internet to connect cockpits, cabins and ground
controls, it leaves itself open to the vulnerabilities bedevilling
other industries - from finance to oil and gas to medicine.
"There's this huge issue staring us in the face," says Brad Haines,
a friend of Roberts and a security researcher focused on aviation.
"Are you going to shoot the messenger?"
More worrying than people like Roberts, said Mark Gazit, CEO of
Israel-based security company ThetaRay, are the hackers probing
aircraft systems on the quiet. His team found Internet forum users
claiming to have hacked, for example, into cabin food menus,
ordering free drinks and meals.
That may sound harmless enough, but Gazit has seen a similar pattern
of trivial exploits evolve into more serious breaches in other
industries. "It always starts this way," he says.
ANXIOUS AIRLINES
The red flags raised by Roberts' case are already worrying some
airlines, says Ralf Cabos, a Singapore-based specialist in inflight
entertainment systems.
One airline official at a recent trade show, he said, feared the
growing trend of offering inflight WiFi allowed hackers to gain
remote access to the plane. Another senior executive demanded that
before discussing any sale, vendors must prove their inflight
entertainment systems do not connect to critical flight controls.
Panasonic Corp and Thales SA, whose inflight entertainment units
Roberts allegedly compromised, declined to answer detailed questions
on their systems, but both said they take security seriously and
their devices were certified as secure.
Airplane maker Boeing Co says that while such systems do have
communication links, "the design isolates them from other systems on
planes performing critical and essential functions." European rival
Airbus said its aircraft are designed to be protected from "any
potential threats coming from the In-Flight-Entertainment System, be
it from Wi-Fi or compromised seat electronic boxes."
Steve Jackson, head of security at Qantas Airways Ltd, said the
airline's "extremely stringent security measures" would be "more
than enough to mitigate any attempt at remote interference with
aircraft systems."
CIRCUMVENTING
But experts question whether such systems can be completely
isolated. An April report by the U.S. General Accountability Office
quoted four cybersecurity experts as saying firewalls "could be
hacked like any other software and circumvented," giving access to
cockpit avionics - the machinery that pilots use to fly the plane.
That itself reflects doubts about how well an industry used to
focusing on physical safety understands cybersecurity, where the
threat is less clear and constantly changing.
The U.S. National Research Council this month issued a report on
aviation communication systems saying that while the Federal
Aviation Administration, the U.S. regulator, realized cybersecurity
was an issue, it "has not been fully integrated into the agency's
thinking, planning and efforts."
The chairman of the research team, Steven Bellovin of Columbia
University, said the implications were worrying, not just for
communication systems but for the computers running an aircraft.
"The conclusion we came to was they just didn't understand software
security, so why would I think they understand software avionics?"
he said in an interview.
SLOW RESPONSE
This, security researchers say, can be seen in the slow response to
their concerns.
The International Civil Aviation Organisation (ICAO) last year
highlighted long-known vulnerabilities in a new aircraft positioning
communication system, ADS-B, and called for a working group to be
set up to tackle them.
Researchers like Haines have shown that ADS-B, a replacement for
radar and other air traffic control systems, could allow a hacker to
remotely give wrong or misleading information to pilots and air
traffic controllers.
And that's just the start. Aviation security consultant Butts said
his company, QED Secure Solutions, had identified vulnerabilities in
ADS-B components that could give an attacker access to critical
parts of a plane.
But since presenting his findings to vendors, manufacturers and the
industry's security community six months ago, he's had little or no
response.
"This is just the tip of the iceberg," he says.
(Additional reporting by Siva Govindasamy; Editing by Ian Geoghegan)
[© 2015 Thomson Reuters. All rights reserved.] This material may not be published,
broadcast, rewritten or redistributed.