Forget cars, what’s happening with airplanes?
Vehicular hacking burst on to the scene in 2015 and grabbed a lot of security headlines, but we should be worried about all the things we don’t know regarding attacks on airplanes. About the time researchers Charlie Miller and Chris Valasek were exploiting a Chrysler’s UConnect infotainment system to remotely control a 2014 Chrysler Jeep Cherokee, there were reports the group behind the OPM breach had successfully obtained records of origins and destinations of United Airlines passengers, as well as passenger manifests. Another group of attackers also disrupted the IT systems for LOT Polish Airways, which resulted in the airline canceling 20 flights and grounding 1,400 passengers.
Then of course there’s the FBI’s claim that security researcher Chris Roberts caused a plane’s engine to climb when he was poking around aircraft systems while on a United Airlines flight. The jury’s out on whether Roberts actually managed to take over the jet.
Should these attacks concern us? Are airplanes at risk? Both United and LOT have refused to provide any information on the issues.
“The scary answer here is that we don’t know, and that’s both surprising and unsurprising at the same time,” said Johnathan Kuskos, manager of the threat research center at WhiteHat Security.
There are two different types of attacks to worry about. One targets IT systems, such as the airline website and check-in kiosks at the airport. The other targets onboard systems that actually power and control the aircraft. The onboard systems tend to be heavily sandboxed and are locked down. IT systems are more at risk. And according to WhiteHat’s vulnerability statistics report, every online application has at least one serious vulnerability.
“It’s hard to imagine that a professional criminal syndicate or state-sponsored hackers haven’t targeted these major airlines yet,” Kuskos said.
Getting around Apple’s walled garden
Palo Alto Networks this year uncovered XcodeGhost, a malware attack that infected iOS applications and existed in the App Store for months before being detected. The attack relied on iOS developers downloading a compromised version of Xcode, the iOS dev kit. Compromising a toolchain is not a new attack method, and XcodeGhost was extremely successful at infecting developers on a wide scale. The real danger lies in what lessons the XcodeGhost team learned from its success and how it will try again.
The way the malware infected iOS apps before they were distributed into the App Store was completely new, said Ryan Olson, intelligence director at Palo Alto Networks. Developers are vulnerable and attackers can piggy-back on their apps into the App Store, past Apple’s vaunted security measures.
“While the XcodeGhost malware was not particularly dangerous, it was groundbreaking in the way it gained access to millions of devices,” Olson said.
Sign up for CIO Asia eNewsletters.