Whether Or Not Chris Roberts Took Over A Plane, It Still Matters
Whether prominent hacker Chris Roberts took over a plane or not, the industry needs to rethink the way white hat hackers do their research.
May 18, 2015
Hey security guys, this is why we can't have nice things. According to some reports, One World Labs founder and security expert Chris Roberts took over a passenger plane through the plane's infotainment system. Other reports claim that this is impossible because the infotainment and flight-control systems are not connected in any way.
Regardless of whether or not the report is true, the problem still remains: White hat hacking is a problem we need to work through in better ways than we have.
To understand the issue, you need to understand what Roberts claims to have done. In an effort to show a vulnerability he's been talking about for years, Roberts, according to some reports, has taken over planes "15 times" since 2011.
In April, he claims he made a flight fly sideways by issuing a climb command to one engine. He's even tweeted about messing with the oxygen on airplanes.
According to him, this is all a way to draw more attention to vulnerabilities he has found in Boeing and Airbus planes, including the small boxes under passenger seats that he claims let him connect his computer to the system with a simple Ethernet cable.
Several aviation experts say this is impossible. They point out that the two systems are isolated. Roberts is either lying or he did something else to compromise the plane, they claim.
My response is that it doesn't matter. Neither is OK.
If Roberts took over a plane, he is irresponsible, and he is potentially putting people's lives in danger. Even if he were an expert pilot, flying the plane from a coach seat is a bad idea.
If Roberts didn't do it, he's willfully lying to bring notoriety to himself or expose a flaw in a dangerous way.
Whether he's telling the truth or lying, at the very least he has exposed a potential attack vector in a way that might encourage it to be closed, but also in a way that lays the potential vulnerability out for all to see before any fix exists.
This is not white hat. This is no hat because you're flying by the seat of your pants and your hat fell off a few stops back on your road to black hat.
At the heart of the issue is this idea that we accept white hat hacking.
When people meddle in stuff without being paid or invited to do so, then make a reputation and eventually a business from it, it seems like things are running backwards. It's like telling someone he or she can break into your house, steal your jewelry and, as long as the person gives it back and explains how it was done, you'll pay for the knowledge. In that setting it is called a ransom. In cyber-security it's seen as normal.
I'm not naïve. The reason the process exists is simple: the more eyes on something, the better. It behooves Microsoft to pay rewards to hackers who find zero-day vulnerabilities. In theory, it makes the same sense for Boeing.
The problem is that if you repeatedly invite people to break into your house, they're going to leave a lot of broken glass on the floor. And that's what this is, no matter what happened. Whether it is an attention-seeking security expert who did nothing, a guy who tried to crash a plane to make a point, or anything in between -- white hat hacking is anarchy at best.
I'm not saying prosecution of white hat hacking is in order. That's equally dangerous. But it is time to have a grown-up conversation about all this broken glass on the floor. If you want security, really pay for it. If you want to do pen testing, find a way to get paid for it before you do it. Security is crucial. Let's start treating it like that, and build business models that show how seriously it should be taken.
About the Author
Executive Editor, Community & IT Life
David has been writing on business and technology for over 10 years and was most recently Managing Editor at Enterpriseefficiency.com. Before that he was an Assistant Editor at MIT Sloan Management Review, where he covered a wide range of business topics including IT, leadership, and innovation. He has also been a freelance writer for many top consulting firms and academics in the business and technology sectors. Born in Silver Spring, Md., he grew up doodling on the back of used punch cards from the data center his father ran for over 25 years. In his spare time, he loses golf balls (and occasionally puts one in a hole), posts too often on Facebook, and teaches his two kids to take the zombie apocalypse just a little too seriously.