informa
/
Commentary

Whether Or Not Chris Roberts Took Over A Plane, It Still Matters

Whether prominent hacker Chris Roberts took over a plane or not, the industry needs to rethink the way white hat hackers do their research.
Plan X: DARPA's Revolutionary Cyber Security Platform
Plan X: DARPA's Revolutionary Cyber Security Platform
(Click image for larger view and slideshow.)

Hey security guys, this is why we can't have nice things. According to some reports, One World Labs founder and security expert, Chris Roberts, took over a passenger plane through the plane's infotainment center. Other reports claim that that's impossible because the two systems are not connected in any way.

Regardless of whether or not the report is true, the problem still remains: White hat hacking is a problem we need to work through in better ways than we have.

To understand the issue, you need to understand what Roberts claims to have done. In an effort to show a vulnerability he's been talking about for years, Roberts, according to some reports, has taken over planes "15 times" since 2011.

In April, he claims he made a flight fly sideways by issuing a climb command to one engine. He's even tweeted about messing with the oxygen on airplanes.

According to him, this all a way to give more attention to vulnerabilities he's found in Boeing and Airbus planes, including tiny boxes under our seats which he claims allow him to use a simple Ethernet cable to connect his computer to the system.

Several aviation experts say this is impossible. They point out that the two systems are isolated. Roberts is either lying or he did something else to compromise the plane, they claim.

[Could this happen to cars? It matters now that Google is on the road. Read Google Self-Driving Cars Hit the Road.]

My response is that it doesn't matter. Neither is OK.

If Roberts took over a plane, he is irresponsible, and he is potentially putting people's lives in danger. Even if he were an expert pilot, flying the plane from the coach is a bad idea.

If Roberts didn't do it, he's willfully lying to bring notoriety to himself or expose a flaw in a dangerous way.

Whether he's telling the truth or lying, at the very least he's exposed a potential vector of attack in a way that might encourage it to be closed, but in a way that lays the potential vulnerability out there for all to see before there is a potential fix.

This is not white hat. This is no hat because you're flying by the seat of your pants and your hat fell off a few stops back on your road to black hat.

At the heart of the issue is this idea that we accept white hat hacking.

When people meddle in stuff without being paid or invited to do so, then make a reputation and eventually a business from it, it seems like things are running backwards. It's like telling someone he or she can break into your house, steal your jewelry and, as long as the person gives it back and explains how it was done, you'll pay for the knowledge. In that setting it is called a ransom. In cyber-security it's seen as normal.

I'm not naïve. The reason the process exists is: the more eyes on something the better. It behooves Microsoft to pay rewards to hackers who find zero-day vulnerabilities. In theory, it makes the same sense for Boeing.

The problem is that if you repeatedly invite people to break into your house, they're going to leave a lot of broken glass on the floor. And that's what this is, no matter what happened. Whether it is an attention-seeking security expert who did nothing, a guy who tried to crash a plane to make a point, or anything in between -- white hat hacking is anarchy at best.

I'm not saying prosecution of white hat hacking is in order. That's equally dangerous. But it is time to have a grown up conversation about all this broken glass on the floor. If you want security, really pay for it. If you want to do pen testing, find a way to get paid for it before you do it. Security is crucial. Let's start treating it like that, and build business models that show how seriously it should be taken.

[Did you miss any of the InformationWeek Conference in Las Vegas last month? Don't worry: We have you covered. Check out what our speakers had to say and see tweets from the show. Let's keep the conversation going.]