Who's flying the plane? The latest reason to never ignore security holes

Companies make excuses for not addressing security holes that seem unlikely to be exploited. The problem is that they often do get exploited. Just ask United.

Some things are just so predictable. A retailer is told about a mobile security hole and dismisses it, saying it could never happen in real life -- and then it happens. A manufacturer of passenger jets ridicules the risk posed by a wireless security hole in its aircraft, saying defensive mechanisms wouldn't let it happen -- and then it happens.

An example of the second case came to light last week, and it illustrates the folly of ignoring security holes because they seem to have a very low probability of ever being a real-world problem. Our ability to estimate how likely a hole is to be exploited just isn't that good. You can ask United Airlines.

Last month, a security researcher tweeted from a United plane that security controls were so lax that he could hack into the system and make the oxygen masks fall. At the time, Airbus and Boeing both said there wasn't any real security issue. The two manufacturers said that "there are security measures in place, such as firewalls that restrict access," according to a CNN story last month. "Airbus said it 'constantly assesses and revisits the system architecture' to make sure planes are safe. Boeing also noted that pilots rely on more than one navigation system -- so even if a hacker disrupts one of them, pilots can still rely on others to make safe decisions overall."

Uh-huh. Would it surprise you to learn that, according to an FBI search warrant application, the same researcher told agents that on an earlier flight he had commanded one of the engines from his seat and caused the plane to briefly move sideways? Note that the filing records what Roberts said he did; it is his account to the FBI, not an independent reconstruction of the flight.

The researcher, Chris Roberts of One World Labs, described a decidedly simple attack procedure. The prerequisite is to be on an aircraft with an in-flight entertainment system (IFE). Roberts told the FBI, according to the federal filing, that he had taken over IFE systems "approximately 15-20 times" from 2011 through 2014. Note that these flights were years before Boeing and Airbus said it couldn't be done.

Was any large or unwieldy equipment needed to access the inner workings? Not quite. "He would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover" by "wiggling and squeezing the box."

Then? "He would use a Cat6 Ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight," the filing said. Roberts "overrode code on the airplane's Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the CLB, or climb, command. He stated that he thereby caused one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane during one of these flights." How did he log in? It's embarrassing: He used the system's default IDs and passwords.
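The two controls the manufacturers pointed to, a firewall between cabin and avionics networks and credentials that are not the vendor defaults, can both be checked on paper before anyone has to wiggle a seat box. The Python below is an added example written for this column, not code from Airbus, Boeing, any airline or Roberts; the subnets, firewall rules, hostnames and credential list in it are constructed for illustration and are not real aircraft network data. It goes a little beyond the column by treating the firewall question generally: for a first-match rule set it reports any allow rule that lets IFE traffic reach the avionics segment and is not fully shadowed by an earlier deny.

```python
"""Offline audit of cabin-to-avionics segmentation and default credentials.

Added example for this column; not vendor, airline or researcher code.
Every subnet, rule, hostname and credential below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network plan (assumption): the IFE cabin network and the
# avionics segment that the thrust management computer would sit on.
IFE_NET = ipaddress.ip_network("10.10.0.0/16")
AVIONICS_NET = ipaddress.ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class Rule:
    """One stateless firewall rule; the rule set is evaluated first-match."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def smaller(a, b):
    """CIDR blocks either nest or are disjoint, so the overlap of two
    overlapping blocks is simply the smaller one."""
    return a if a.subnet_of(b) else b


def ife_to_avionics_exposures(rules):
    """Return the allow rules that let IFE traffic reach the avionics segment.

    An allow rule is reported when its source overlaps IFE_NET and its
    destination overlaps AVIONICS_NET, unless a single earlier deny rule
    covers the whole exposed src/dst region. This is deliberately
    conservative: several partial denies that together shadow an allow
    would still produce a finding, which is the right bias for an audit."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if not (r.src.overlaps(IFE_NET) and r.dst.overlaps(AVIONICS_NET)):
            continue
        exposed_src = smaller(r.src, IFE_NET)
        exposed_dst = smaller(r.dst, AVIONICS_NET)
        shadowed = any(
            d.action == "deny"
            and exposed_src.subnet_of(d.src)
            and exposed_dst.subnet_of(d.dst)
            for d in rules[:i]
        )
        if not shadowed:
            findings.append(r)
    return findings


# Constructed list of vendor-default credential pairs a review would carry
# (assumption; a real list comes from the equipment documentation).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def hosts_with_default_creds(inventory):
    """inventory: (hostname, username, password) triples from a config review.
    Returns the hostnames still using a known default pair."""
    return [host for host, user, pw in inventory if (user, pw) in DEFAULT_CREDS]


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule set with the kind of "temporary" maintenance shortcut
# such audits exist to find: one cabin zone is denied, but a broad allow
# from the whole IFE network to avionics follows it.
RULES = [
    Rule(ipaddress.ip_network("10.10.5.0/24"), AVIONICS_NET, "deny"),
    Rule(IFE_NET, AVIONICS_NET, "allow"),  # maintenance shortcut, exposed
    Rule(ANY, ANY, "deny"),
]

# Corrected rule set: IFE is denied outright before any allow, and the
# maintenance allow is scoped to a separate maintenance network.
FIXED_RULES = [
    Rule(IFE_NET, AVIONICS_NET, "deny"),
    Rule(ipaddress.ip_network("10.50.0.0/24"), AVIONICS_NET, "allow"),
    Rule(ANY, ANY, "deny"),
]

# Constructed inventory: one gateway still on a vendor default.
INVENTORY = [
    ("ife-server-1", "svc_ife", "Xq9!vL2#rT"),
    ("tmc-gateway", "admin", "admin"),
]

if __name__ == "__main__":
    for r in ife_to_avionics_exposures(RULES):
        print(f"EXPOSED: {r.src} -> {r.dst} {r.action}")
    print("fixed set exposures:", ife_to_avionics_exposures(FIXED_RULES))
    print("default credentials on:", hosts_with_default_creds(INVENTORY))
```

Neither check proves the network is safe; a rule audit does not see the physical Ethernet jack under the seat, and a credential list only catches the defaults you know about. What they do is turn "there are firewalls" from an assertion into something that fails loudly when the allow rule is there.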

I risk being assaulted for saying this, but Roberts is not the bad guy here. He told the airlines what the hole was, and they chose either not to believe him or at least to play dumb. Sometimes the only way to get a hole fixed before the real bad guys (actual terrorists) use it is for someone like Roberts to demonstrate it himself. Why do companies refuse to take security holes seriously?

A few years ago, a security specialist at one of the largest big-box chains described a straightforward ROI mechanism that is used to decide which security holes and bugs get IT attention and which do not. Given that there are always IT projects that the team doesn't have time for, triage is being done constantly.

With security, the questions include: Realistically, how much fraud, in dollars, is likely to result from this issue in the near term? How many hours of IT work will it take to fix? How much revenue is likely to be generated by whatever project has to be put on hold to make room for this fix? Which execs are behind which projects? (There were other questions too, such as "Who is our boss angry with this week?" and "Who do we owe a favor to?")

The problem with using those kinds of questions to arrive at a project ROI is that they leave out other factors. Let's say, theoretically, that a security hole was projected to result in $100,000 worth of fraud while costing $200,000 worth of IT time to fix. On those numbers the fix loses. The missing factor is the media: even if the direct fraud is small, coverage in the news and on social media will leave a far greater number of people worried, and that cost never appears in the spreadsheet.

In the case of the airplane, will consumers actually avoid the kind of aircraft susceptible to this attack? As long as travel sites make it easy to do so ("show me all flights that do not use planes from these two aircraft manufacturers"), I think this one has potential. If a bad guy can steer the plane, even briefly, the consequences could be devastating. What if it's done at a crucial instant during landing? What if the attacks are coordinated and two planes are quickly turned to collide?

If an engine can be commanded from a passenger seat, Airbus and Boeing have some explaining to do. The explaining is not about how this hole was allowed to exist. It's about why it wasn't dealt with the instant this researcher raised the alarm.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.
