The aviation industry faces tangible threats of on-board computer system vulnerabilities, experts say
We are undoubtedly living in a hack-happy society today. Every nook and cranny of available data seems to be on some sort of information thievery smorgasbord buffet – from bank and credit reports to unreleased Hollywood movies and personal healthcare records. The onslaught has been relentless over the past half-decade; yet, as sensational as most hacks first appear, many are more of an inconvenience that leave the door open for eventual repair and hardly present a physical danger to the general population.
However, as our modes of transportation become smarter, more autonomous and interconnected, that could quickly change. Computer hackers with a larger agenda than simply copping Bitcoin ransom from some small-town hospital could up the stakes by potentially commandeering a jam-packed commercial airliner or seizing control of a self-driven, over-the-road 18-wheeler – when and if that day comes.
Sound like science fiction? Not to Chris Roberts, who currently is the Chief Security Architect at Acalvio Technologies, a company that delivers advanced defense solutions using a combination of distributed deception and data science technologies. Roberts is a 30-year IT veteran entrepreneur who has started several tech and consulting companies and helped others get off the ground. He is also a noted and perhaps infamous “White Hat” hacker, who has done penetration testing, assessments and forensic projects for several major agencies and private organizations.
For Roberts, the threat of a malicious hack into an onboard airline system is more than fiction. He’s done it, although not while in actual flight, he says.
During the years of 2010 through 2013, Roberts and his cohorts were performing penetration testing and vulnerability research of onboard computer systems. For example, they hacked In-Flight Entertainment (IFE) systems in simulated scenarios that could potentially enable them to manipulate an airliner’s navigation cockpit controls.
They discovered that exploitation points for an airline’s onboard computer system can include the networks accessible to passengers, such as the IFE systems and on-board Wi-Fi systems; however, they can also encompass communications systems, such as the Aircraft Communications Addressing and Reporting System (ACARS), which is used to send messages to airliners during flights. They also found vulnerabilities in a flight crew’s electronic flight bag, which contains computer tablets chock full of reference materials for pilots to interface with the airliner’s computer systems.
Unfortunately, Roberts says, until recently, he found little interest in his group’s findings among those in the aviation industry and the airlines themselves. “The industry wasn’t listening, the airlines weren’t listening, the avionics companies weren’t listening, so quite honestly I threw in the towel and went off to hack other things (vehicles, trains and other transportation modes),” Roberts says. “I gave a number of presentations on the topic related to the work we had done in 2011-2013, and we tried talking to Boeing, Airbus and several other suppliers and vendors – one even put us under an NDA for two years, but really didn’t do anything to fix the problems. So obviously when we came out from under that NDA, we checked with lawyers and decided to go public with the issue.”
Much to his dismay, the public outcry and media attention was minimal. Roberts was taken aback, yet not surprised. “Honestly, the media didn’t pick up on this. Nobody really seemed concerned that we had the ability to – from a grandstand point, from an avionics standpoint – interface with various surfaces in the systems, and it wasn’t until 2015 that people finally picked up on the fact that there were potential issues,” he says.
A government agency report confirming that the airlines might be susceptible to the potential hack attacks was published in 2015. “Unfortunately one airline refuted all this information as nothing more than speculation, and it was the very airline that annoyed me the most at the time. So, I’m sitting in their airplane one flight calling out their BS because I realized what I could do if so inclined – emphasis on the phrase, ‘what I could do.’”
Contrary to published reports and industry myths, Roberts insists he never hacked an in-flight system while actually in the air. “Subsequent to this, a couple of the suppliers have reached out and I’m now having conversations with a few other entities in the aviation business,” Roberts says. “I’m trying to help them now that they realize I’m not quite public enemy number one. This is sort of the same thing that happened with vehicle (manufacturers). We went on a hacking spree back in 2010 and 2011 before the automotive industry decided it might be a good idea to talk to us.”
In fact, according to an article in The Telegraph in 2015, a group of ethical U.S. hackers from IOActive took control of a Jeep Cherokee and crashed it into a ditch by remotely breaking into its dashboard computer from 10 miles away. In the first breach of its kind, security experts killed the engine and applied the brakes on the Jeep Cherokee, sending it veering off the road – all while sitting on their sofa. The hacker used a laptop and mobile phone to access the Jeep's on-board systems via a wireless internet connection.
IT Security in an IoT World
Many security experts are in agreement that the transportation sector in general – aviation industry in particular – are woefully unprepared for the new threats brought by the new world of connectivity and the Internet of Things.
Airlines and airports must construct well-defined information security strategies to help safeguard airline customer information, protect the airline’s digital assets, and enable the accuracy of information exchanged within the aviation framework.
“Aviation companies need to go beyond traditional, weak multi-factor authentication (MFA) that hackers can easily compromise and instead look for hardened MFA,” explains Al Sargent, senior director at identity management provider OneLogin, which announced in August that that Airbus has chosen the company’s Identity & Access Management (IAM) solution that includes MFA.
Sargent says airlines should not use SMS codes for MFA, since hackers can view them on the lock screen of a stolen phone. A better approach is what Airbus is planning: to use hardened MFA apps that prevent hackers from stealing employee phones and using them as second authentication factors. MFA apps will work only if a phone has a lock screen, isn’t jailbroken, and isn’t a cloned image.
“When it comes to assessing security risk, airlines can’t stop at their employees – they need to consider risks from their extended enterprise, which includes contractors, suppliers, and partners because these groups can increasingly access corporate apps and data,” Sargent says. “For instance, Airbus plans to apply their stringent security practices to thousands of users at their partners and suppliers in order to secure their corporate intellectual property.”
Other industry experts profess that where and how data is stored and processed is being redefined for IoT. The distributed nature of IoT means that cloud-based systems become the backbone of IoT projects, collecting relevant data from remote devices – in this case, airplanes – and driving operations centrally from a cloud system.
The challenge to the security and IT managers is how to manage the vast scope of the data universe. “Cloud-based IoT systems operate at a different scale and with a significantly higher number of entry points than any other system,” explains Isabelle Dumont, VP of Marketing at cloud security provider Lacework. “In addition to traditional man-based rules and controls that gate access to these systems – which we all know have become fragile – it is imperative that more advanced and systematic security mechanisms be put into place.”
Dumont says an effective technique is to baseline activity and behaviors of all components in the cloud and then detect any deviation from that normal, baseline behavior – which can be an early indicator of compromise or a simple misconfiguration. “This approach can be fully automated, very precise, and much more accurate than any policy-based protection,” Dumont says.
Anthony J. Ferrante, Head of Cybersecurity and Senior Managing Director at FTI Consulting, says it is incumbent on the aviation industry to become more proactive in combating potential threats, while establishing strategies to mitigate their threats. “The proliferation of IoT devices opens the door to a host of cybersecurity threats across nearly every industry – including aviation,” Ferrante says.
Ferrante outlines a number of proactive measures that the aviation industry and organizations at large can adopt to address emerging cybersecurity threats. It starts with understanding an organization’s information technology infrastructure and conducting regular risk assessments. “Beyond these initial actions, the aviation industry should also routinely update their security policies and procedures to stay ahead of the curve on cybersecurity vulnerabilities,” Ferrante adds. “The industry should also leverage emerging technologies and intel to enhance the security and safety of airline passengers, equipment and operations and mitigate cyber risks.”
Airlines: A Unique Challenge
Philip Lieberman, President of Lieberman Software Corp., whose products help to isolate and contain data breaches that occur after cyberattacks, says that over the last 10 years, arilines’ core infrastructures have been modernized, supplemented by automation, and are considered to be life-safety critical.
He insists that government investments in cybersecurity have been ongoing and continue in aviation and surrounding law enforcement and intelligence. “There is a fundamental difference between commercial for-profit airlines operating in competitive environments and government agencies without those economic pressures,” Lieberman explains. “Airlines mostly rely on government guidance and systems provided by aircraft manufacturers and amenity systems providers (IFE). Expertise in in-flight operation cybersecurity rolls to vendors, rather than the airlines themselves.
“Airlines typically operate in physical isolation with infiltration being difficult due to their air-gapped nature,” Lieberman continues. “The same goes for aircraft, which are generally disconnected and operate with isolated systems (or are supposed to). Unfortunately, the greatest risk to many of the airlines now is their decision to outsource their customer service and other operations. The movement of some of these elements to multiple third-world countries with little accountability has had serious consequences (mostly not public).”
When you consider the reality that many aviation computer systems are more vulnerable to attack than other critical data systems in vertical market sectors like retail and financial, professional hackers like Roberts worry that the industry’s lack of urgency and sophistication in addressing the issues will eventually lead to disaster.
He says the airlines tend to deflect admitting there is a tangible risk. “[The airline] will get a PEN test and follow that up with an audit that tells them they are safe and secure,” Roberts says. “I think it is that situation of, ‘I don’t want to know how bad it is because then I have to fix it.’ It is a matter of prioritization – airlines and airports have finite resources, tight margins, and they have to keep the airport open. It’s a hell of a balancing act trying to secure an industry and at the same time keep it viable.”
Roberts does admit that at least the awareness of the security issues have improved in the aviation industry, but stresses that awareness must be followed by acceptance and understanding. “I obviously can’t name suppliers, but we finally do have several listening to what we have to say and I applaud them,” he says. “Still, there is an overwhelming majority sitting there asking ‘who would hack us,’ and ‘why would they do that?’ The industry is in denial, and that will continue until someone drops an airplane out of the sky.”
Steve Lasky is Editorial Director for the Southcomm Security Group, which includes SecurityInfoWatch.com, Security Dealer & Integrator (SD&I) magazine and Security Technology Executive magazine. Reach him at [email protected].