Some things are just so predictable. A retailer is told about a mobile security hole and dismisses it, saying it could never happen in real life -- and then it happens. A manufacturer of passenger jets ridicules the risk posed by a wireless security hole in its aircraft, saying defensive mechanisms wouldn't let it happen -- and then it happens.
An example of that second thing came to light last week, and it illustrates the folly of ignoring security holes because they seem to have a very low probability of ever being a real-world problem. Our ability to measure the likelihood of security holes being exploited just isn't that good. You can ask United Air Lines.
Last month, a security researcher tweeted from a United plane that security controls were so lax that he could hack into the system and make the oxygen masks fall. At the time, Airbus, the maker of the plane in question, said there wasn't any real security issue. Airbus and Boeing said that "there are security measures in place, such as firewalls that restrict access," said a CNN story last month. "Airbus said it constantly assesses and revisits the system architecture to make sure planes are safe. Boeing also noted that pilots rely on more than one navigation system -- so even if a hacker disrupts one of them, pilots can still rely on others to make safe decisions overall."
Uh-huh. Would it surprise you to learn that, during an earlier flight, the security researcher actually did seize control of the aircraft and caused it to briefly fly sideways, according to an FBI search warrant application?
The researcher, Chris Roberts of One World Labs, had a decidedly simple attack procedure. The trick is to be on an aircraft with an in-flight entertainment system (IFE). Roberts told the FBI, according to the federal filing, that he had taken over IFE systems "approximately 15-20 times" from 2011 through 2014. Note that this was long before Boeing and Airbus said that it couldn't be done.
Was any large or unwieldy equipment needed to access the inner workings? Not quite. "He would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover" by "wiggling and squeezing the box."
Then? "He would use a Cat6 Ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight," the filing said. Roberts "overrode code on the airplane's Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the CLB, or climb, command. He stated that he thereby caused one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane during one of these flights." How did he log in? It's embarrassing: He used the system's default IDs and passwords.