Some things are just so predictable. A retailer is told about a mobile security hole and dismisses it, saying it could never happen in real life — and then it happens. A manufacturer of passenger jets ridicules the risk posed by a wireless security hole in its aircraft, saying defensive mechanisms wouldn’t let it happen — and then it happens.
An example of that second thing came to light last week, and it illustrates the folly of ignoring security holes because they seem to have a very low probability of ever being a real-world problem. Our ability to measure the likelihood of security holes being exploited just isn’t that good. You can ask United Air Lines.
Last month, a security researcher tweeted from a United plane that security controls were so lax that he could hack into the system and make the oxygen masks fall. At the time, Airbus, the maker of the plane in question, said there wasn’t any real security issue. “Airbus and Boeing said that “there are security measures in place, such as firewalls that restrict access,” said a CNN story last month. “Airbus said it ‘constantly assesses and revisits the system architecture’ to make sure planes are safe. Boeing also noted that pilots rely on more than one navigation system — so even if a hacker disrupts one of them, pilots can still rely on others to make safe decisions overall.”
Uh-huh. Would it surprise you to learn that, during an earlier flight, the security researcher actually did seize control of the aircraft and caused it to briefly fly sideways, according to an FBI search warrant application?
The researcher, Chris Roberts of One World Labs, had a decidedly simple attack procedure. The trick is to be on an aircraft with an in-flight entertainment system (IFE). Roberts told the FBI, according to the federal filing, that he had taken over IFE systems “approximately 15-20 times” from 2011 through 2014. Note that this was long before Boeing and Airbus said that it couldn’t be done.
Was any large or unwieldy equipment needed to access the inner workings? Not quite. “He would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover” by “wiggling and squeezing the box.”
Then? “He would use a Cat6 Ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight,” the filing said. Roberts “overrode code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the CLB, or climb, command. He stated that he thereby caused one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane during one of these flights.” How did he log in? It’s embarrassing: He used the system’s default IDs and passwords.
I risk being assaulted for saying this, but Roberts is not the bad guy here. He told the airlines what the hole was and they chose to either not believe him or at least play dumb. The only way to prevent real bad guys — actual terrorists — from doing this is for Roberts to do it himself. Why do companies refuse to take security holes seriously?
A few years ago, a security specialist at one of the largest big-box chains described a straightforward ROI mechanism that is used to decide which security holes and bugs get IT attention and which do not. Given that there are always IT projects that the team doesn’t have time for, triage is being done constantly.
With security, the questions include: Realistically, how much fraud — in terms of dollars — is likely to result from this issue near term? How many hours of IT work will it take to fix? How much revenue will be likely generated from whatever project has to be put on hold to make room for this fix? Which execs are behind which projects? (There were other issues too, such as “Who is our boss angry with this week?” and “Who do we owe a favor to?”)
The problem with using those kinds of questions to arrive at a project ROI is that it doesn’t consider other factors. Let’s say, theoretically, that a security hole was projected to result in $100,000 worth of fraud while costing $200,000 worth of IT time to fix. The missing factor is the media. Even if the fraud is small, coverage in the news media and social media will leave a far greater number of people worried.
In the case of the airplane, will consumers actually avoid using the kind of aircraft susceptible to this attack? The fact is that as long as travel sites make it easy to do so — “Show me all flights that do not use planes from these two aircraft manufacturers” — I think this one has potential. If a bad guy can steer the plane — even briefly — the consequences could be devastating. What if it’s done at a crucial instant during landing? What if the attacks are coordinated and two planes are quickly turned to collide?
If an engine can be taken over, Airbus and Boeing have some explaining to do. The explaining is not about how this hole was allowed to exist. It’s why it wasn’t dealt with the instant this security guy screamed about it.
Evan Schuman has covered IT issues for a lot longer than he’ll ever admit. The founding editor of retail technology site StorefrontBacktalk, he’s been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.