Headlines and infosec pros alike have been going mental over security researcher Chris Roberts' alleged mid-flight hacking of a commercial airplane, and his subsequent detainment by the FBI in April.
Things got hysterical last weekend when a month-old FBI search warrant application surfaced in headlines hyping the FBI's belief that Roberts tried to fly the plane by hacking in through the in-flight entertainment system.
It remains to be seen whether or not a hacker can make a 747 "do a barrel roll" a la the maddeningly impossible fantasies of CSI Cyber.
But as a result, the world is openly wondering whether there's truth to the assurances from manufacturers and officials that aviation systems are as secure as claimed -- and if the warnings of information security professionals are going ignored.
Passcode reported last Friday that Roberts is one of many who've reported airline security findings to authorities, and have gone ignored:
In public presentations going back more than four years, Roberts and other researchers have demonstrated methods for hacking into onboard computer networks used to operate in-flight entertainment systems.
(...) According to Roberts, the substance of his research was shared with aircraft makers Boeing and Airbus, as well as the Federal Aviation Administration, but garnered little attention.
As seen in the warrant request, Roberts was first summoned to discuss his work at the Denver FBI office in February and March; he'd identified alleged vulnerabilities with in-flight entertainment (IFE) systems on Boeing 737-800, 737-900, 757-200, and Airbus A320 aircraft.
The FBI noted, "Chris Roberts furnished the information because he would like the vulnerabilities to be fixed."
Boeing disputed last weekend's media frenzy, which was riding high on the suggestion that hackers were messing with plane controls for lulz; a Boeing rep told Security Week that internal system access simply wasn't possible.
Boeing said, "IFE systems on commercial airplanes are isolated from flight and navigation systems," a Boeing rep explained. "While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions."
It's probably a good thing for Boeing that this tempest waited until now to spill out of its teapot.
An FAA request to change Boeing 777 security filed on the US Federal Register website in 2013, and another one last year on Boeing's 737 line, tell us more about Boeing and the FAA's relationship with onboard network security.
Boeing requested the Federal Aviation Administration for permission to add a "network extension device" to separate the various systems from each other, stating:
The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems.
Furthermore, regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities, which could be caused by unauthorized access to aircraft data buses and servers.
In June 2014, another FAA/Boeing modifications under special conditions filing -- a request for comment on security proposals -- addressed the Boeing models of interest to Chris Roberts: The 737 line.
In the filing, Boeing proposed special conditions and a means of compliance to "ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections."
It specifically acknowledged that, "The architecture and network configuration may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems, and networks critical to the safety and maintenance of the airplane."
The comment urged FAA and Boeing to adopt some security industry basics: Namely, independent evaluation and penetration testing.
The 737 filing was subsequently withdrawn from public comment because the FAA didn't want to "delay issuance of the design approval and thus delivery of the affected aircraft."
Unfortunately, the FAA also said that dismissing the comment period was acceptable because there weren't any important comments anyway. It stated, "these special conditions has been subject to the public comment process in several prior instances with no substantive comments received."
A legacy of dismissing security research
When Roberts found himself at the center of headlines about plane hacking, he told media, "This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, 'This has to be fixed.'"
He wasn't wrong. In May 2009, a government airline security report revealed that security tests identified 763 "high risk" vulnerabilities that could allow hackers access to administrative systems. In response, the FAA rejected that report's conclusions, telling the Wall Street Journal "It's not possible to use the administrative and mission support network to access the air-traffic control network."
Referencing the FAA's denial, security researcher and pilot Righter Kunkel presented Air Traffic Control Insecurity 2.0 at both Defcon 17 (August 2009) and again at Defcon 18 (August 2010). The basis of his talks were that Air Traffic Control systems are "not focused on network security of equipment being used," and he explicitly stated that he wasn't advocating these hacks, but was trying to get the FAA to listen to him.
At Black Hat USA 2012, researcher Andrei Costin warned in a a detailed talk that the FAA's then-new air traffic control system, the Automatic Dependent Surveillance Broadcast System (ADS-B) set for 2014 deployment, was vulnerable to spoofing attacks.
Responding to Costin's findings, the president of ADS-B Technologies downplayed the issue to CNN saying that spoofing was just an old theory. "We are quite familiar with the theory that ADS-B could be 'spoofed,' or barrage jammed by false targets. There's little new here. In fact, just about any radio frequency device can be interfered with somewhat. I obviously can't comment on countermeasures, but you should know that this issue has been thoroughly investigated and international aviation does have a plan."
Teso's talk, based on his three years of research in the aviation security field, was "a practical demonstration on how to remotely attack and take full control of an aircraft" and "the complete attack [was] accomplished remotely, without needing physical access to the target aircraft at any time."
Earlier this year, principal security consultant for IOActive Ruben Santamarta talked to press about his August 2014 presentation on SATCOM (Satellite communications) equipment, which "allowed unauthenticated users to hack into the SATCOM equipment when it is accessible through WiFi or In-Flight entertainment networks."
Santamarta told Fox News in March that if any patch or fix had been implemented, he hadn't heard about it. Still, "Four months after Santamarta presented his research, several international aviation organizations signed The Civil Aviation Cyber Security Action Plan, a pact aimed at boosting cooperation among the normally competitive industry leaders to improve their cyber security capabilities."
Because CSI Cyber is bad enough
Chris Roberts hasn't been charged for any crime, and the search warrant application's allegations, the combination of multiple FBI interviews with Roberts in February and March, haven't been proven in court (.PDF here).
Important debates about "stunt hacking" and raising awareness are being had in and out of infosec circles, and this is a good thing.
But it's as if suddenly, authorities and news media alike are freaking out about research that has been a matter of public record since airlines started using in-flight networks.
Perhaps this can be a watershed moment, where government, commerce and infosec can hammer out a way for everyone to work together, and security can blossom as something that isn't a blame game, but instead is an evolving set of practices that are, by nature, socially informed.