Whether Or Not Chris Roberts Took Over A Plane, It Still Matters - InformationWeek

5/18/2015
06:15 PM
David Wagner


Whether prominent hacker Chris Roberts took over a plane or not, the industry needs to rethink the way white hat hackers do their research.


Hey security guys, this is why we can't have nice things. According to some reports, One World Labs founder and security expert Chris Roberts took over a passenger plane through its in-flight entertainment system. Other reports claim that is impossible, because the entertainment system and the flight-control systems are not connected in any way.

Regardless of whether or not the report is true, the problem still remains: White hat hacking is a problem we need to work through in better ways than we have.

To understand the issue, you need to understand what Roberts claims to have done. In an effort to draw attention to a vulnerability he has been talking about for years, Roberts, according to some reports, has taken over planes "15 times" since 2011.

In April, he claims, he made a plane fly sideways by issuing a climb command to one of its engines. He has even tweeted about messing with the oxygen systems on airplanes.

(Image: adueck via Pixabay)

According to him, this is all a way to bring more attention to vulnerabilities he has found in Boeing and Airbus planes, including the small entertainment-system boxes under passenger seats, which he claims let him connect his laptop to the system with nothing more than an Ethernet cable.

Several aviation experts say this is impossible. They point out that the entertainment system and the flight-control systems are isolated from each other. Either Roberts is lying, they claim, or he did something else to compromise the plane.


My response is that it doesn't matter. Neither is OK.

If Roberts took over a plane, he is irresponsible, and he potentially put people's lives in danger. Even if he were an expert pilot, flying the plane from coach is a bad idea.

If Roberts didn't do it, he's willfully lying to bring notoriety to himself or expose a flaw in a dangerous way.

Whether he is telling the truth or lying, at the very least he has exposed a potential attack vector in a way that might push the industry to close it. But he has also laid that potential vulnerability out for everyone to see before any fix exists.

This is not white hat. This is no hat because you're flying by the seat of your pants and your hat fell off a few stops back on your road to black hat.

At the heart of the issue is this idea that we accept white hat hacking.

When people meddle in stuff without being paid or invited to do so, then make a reputation and eventually a business from it, it seems like things are running backwards. It's like telling someone he or she can break into your house, steal your jewelry and, as long as the person gives it back and explains how it was done, you'll pay for the knowledge. In that setting it is called a ransom. In cyber-security it's seen as normal.

I'm not naïve. The reason the process exists is: the more eyes on something the better. It behooves Microsoft to pay rewards to hackers who find zero-day vulnerabilities. In theory, it makes the same sense for Boeing.

The problem is that if you repeatedly invite people to break into your house, they're going to leave a lot of broken glass on the floor. And that's what this is, no matter what happened. Whether it is an attention-seeking security expert who did nothing, a guy who tried to crash a plane to make a point, or anything in between -- white hat hacking is anarchy at best.

I'm not saying prosecution of white hat hacking is in order. That's equally dangerous. But it is time to have a grown-up conversation about all this broken glass on the floor. If you want security, really pay for it. If you want to do pen testing, find a way to get paid for it before you do it. Security is crucial. Let's start treating it like that, and build business models that show how seriously it should be taken.


David has been writing on business and technology for over 10 years and was most recently Managing Editor at Enterpriseefficiency.com. Before that he was an Assistant Editor at MIT Sloan Management Review, where he covered a wide range of business topics including IT, ...
Comments
jastroff, 5/19/2015 | 4:08:00 PM
White Hat Hacking -- role of, place of
Should white hat hacking be part of every development cycle, i.e., over here, we are building this new navigation system, and at x point we stop and go to the people who can break it and ask them to do so. And we continually have people who build, and people who try to break, even after rollout.

If breaking it is considered the opposite number to building it, then it's part of the development and support cycle, and white hat, per se, doesn't exist anymore.

>> At the heart of the issue is this idea that we accept white hat hacking.

When people meddle in stuff without being paid or invited to do so, then make a reputation and eventually a business from it, it seems like things are running backwards. It's like telling someone he or she can break into your house, steal your jewelry and, as long as the person gives it back and explains how it was done, you'll pay for the knowledge. In that setting it is called a ransom. In cyber-security it's seen as normal.
jastroff, 5/19/2015 | 4:01:38 PM
Re: Reproduce the results
@dave, et al.

Let's get the answer as to whether this happened.


I don't like the idea of a box under my seat to control entertainment -- but if you asked the passengers would they do without the movie, they would say no...

>> According to him, this all a way to give more attention to vulnerabilities he's found in Boeing and Airbus planes, including tiny boxes under our seats which he claims allow him to use a simple Ethernet cable to connect his computer to the system.

>> Several aviation experts say this is impossible. They point out that the two systems are isolated. Roberts is either lying or he did something else to compromise the plane, they claim.
Whoopty, 5/19/2015 | 7:41:36 AM
Re: Reproduce the results
I too read that he had tried a more quiet approach to airing this issue. I think this is something a lot of white hats end up doing. I know a few people who have presented major companies with big security problems with their products. Often they are aware of the issue but consider it unfixable so would rather keep a lid on it. 

Sometimes outing a company's disinterest in fixing major issues is the only way to get a decent response. 
Gary_EL, 5/18/2015 | 10:49:53 PM
Out on a limb
I don't know whether he's a good guy or a bad guy, but I think as an industry and as a society, we're putting too much on line before we can protect it. If my computer gets zapped by a virus, it's a major inconvenience, but if an airliner gets zapped by a hacker, it's a major tragedy.

I think we're in too much of a hurry to save that last gallon of gas, to put out one less gram of pollutant, and to eliminate the most jobs that we possibly can in order to save the last penny. We're also just too much in love with gadgetry.

Things are just too automated, too out of control and too unprotected. More emphasis has to be put on security, and security first. All types of lapses of these sorts are happening every day. Will we learn the easy way, or, whether by accident or otherwise, will some Chris Roberts teach us the hard way?
mod.ular, 5/18/2015 | 7:41:37 PM
Reproduce the results
From what I understand, he had gone to several of these companies beforehand to warn them about the vulnerability. Sensing he was being brushed off, he went for a more sensational approach. Testing whether or not you can monkey with the avionics from the middle of the cabin while mid-flight is reckless and irresponsible. My sense of self-preservation would have prevented such an experiment.

If he was able to do this, his technique needs to be put to the test. Airlines should be particularly interested in seeing him do it. If he can, there are teams of engineers that need to be fired because there is no sane reason for there to be any connection between the entertainment network, and the deterministic avionics network. This is an exceptionally important piece of the puzzle. If he can do it, serious inquiries need to be made regarding the design process that linked these two systems.

If he can't reproduce it under observation, he should be vilified and run out of town on a rail.  Flight safety is a sensitive topic, so shame on the airlines if he can, or shame on him if he can't.