Whether Or Not Chris Roberts Took Over A Plane, It Still Matters - InformationWeek

IT Life
06:15 PM
David Wagner

Whether prominent hacker Chris Roberts took over a plane or not, the industry needs to rethink the way white hat hackers do their research.

Hey security guys, this is why we can't have nice things. According to some reports, One World Labs founder and security expert, Chris Roberts, took over a passenger plane through the plane's infotainment center. Other reports claim that that's impossible because the two systems are not connected in any way.

Regardless of whether or not the report is true, the problem still remains: White hat hacking is a problem we need to work through in better ways than we have.

To understand the issue, you need to understand what Roberts claims to have done. In an effort to show a vulnerability he's been talking about for years, Roberts, according to some reports, has taken over planes "15 times" since 2011.

In April, he claims he made a flight fly sideways by issuing a climb command to one engine. He's even tweeted about messing with the oxygen on airplanes.

According to him, this is all a way to give more attention to vulnerabilities he's found in Boeing and Airbus planes, including tiny boxes under our seats which he claims allow him to use a simple Ethernet cable to connect his computer to the system.

Several aviation experts say this is impossible. They point out that the two systems are isolated. Roberts is either lying or he did something else to compromise the plane, they claim.

My response is that it doesn't matter. Neither is OK.

If Roberts took over a plane, he is irresponsible, and he is potentially putting people's lives in danger. Even if he were an expert pilot, flying the plane from coach is a bad idea.

If Roberts didn't do it, he's willfully lying to bring notoriety to himself or expose a flaw in a dangerous way.

Whether he's telling the truth or lying, at the very least he's exposed a potential vector of attack in a way that might encourage it to be closed, but in a way that lays the potential vulnerability out there for all to see before there is a potential fix.

This is not white hat. This is no hat because you're flying by the seat of your pants and your hat fell off a few stops back on your road to black hat.

At the heart of the issue is this idea that we accept white hat hacking.

When people meddle in stuff without being paid or invited to do so, then make a reputation and eventually a business from it, it seems like things are running backwards. It's like telling someone he or she can break into your house, steal your jewelry and, as long as the person gives it back and explains how it was done, you'll pay for the knowledge. In that setting it is called a ransom. In cyber-security it's seen as normal.

I'm not naïve. The reason the process exists is: the more eyes on something the better. It behooves Microsoft to pay rewards to hackers who find zero-day vulnerabilities. In theory, it makes the same sense for Boeing.

The problem is that if you repeatedly invite people to break into your house, they're going to leave a lot of broken glass on the floor. And that's what this is, no matter what happened. Whether it is an attention-seeking security expert who did nothing, a guy who tried to crash a plane to make a point, or anything in between -- white hat hacking is anarchy at best.

I'm not saying prosecution of white hat hacking is in order. That's equally dangerous. But it is time to have a grown-up conversation about all this broken glass on the floor. If you want security, really pay for it. If you want to do pen testing, find a way to get paid for it before you do it. Security is crucial. Let's start treating it like that, and build business models that show how seriously it should be taken.

David has been writing on business and technology for over 10 years and was most recently Managing Editor at Enterpriseefficiency.com. Before that he was an Assistant Editor at MIT Sloan Management Review, where he covered a wide range of business topics including IT, ...