If someone can create a secure system, it’s probable that someone else can hack it.
The last couple of months have seen some interesting blips pop up on the security radar screen. To me, the most interesting on is the claim by Hugo Teso, a commercial pilot and security consultant and trained commercial pilot who claims to have developed an Android app that can remotely attack and take full control of an aircraft. The story goes that he was able to cobble together hardware and software, he got on eBay.
Using the application, dubbed PlaneSploit, he demonstrated how to, virtually, hijack flight desk computers, and gain control over certain mechanisms that can alter the course of a simulated jet.
Well, as the story aged, it turns out that hacking a sim is a lot easier than hacking the actual plane. As far as I have been able to determine, there is no data to show it actually works, but who know what the government is or isn’t telling us.
He claims he was just trying to point out security holes in the system, and whether his motivations were innocent or not, is immaterial. What is material is that someone was able to come up with a successful, potential malevolent attack vector against airplanes – and all it took was a few measly eBay parts and a bit of knowledge.
Now, the FAA came out in a statement something like, “…the hacking technique described … does not pose a flight safety concern because it does not work on certified flight hardware. A hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed.” OK, so can he get partial control? I don’t want to be on the jet that is the guinea pig.
With as many concerted, hard-core hacking efforts going on by numerous well-funded groups that have acquired a pool of nefarious talent, the FAA’s statement just isn’t all that reassuring. In fact, I’ll bet—and I say this with total trepidation—that I just know it is a matter of time before either a plane gets electronically hacked or a control system on the ground gets hacked.
What Teso did should be a wake-up call. Even if all it did was hack a sim, the fact that someone can so easily get the hardware and software and develop a tool that can hack such a mission-critical system is a bit frightening.
If I recall, there was also a brief missive that the train controls on that Philadelphia Amtrak train might have been hijacked. That turned out to be a rumor, because, except for the high-speed version of the trains, they are still operator-controlled.
There are two things that come to mind when I think about these things. One, if they can be contrived by someone who isn’t malicious, what do you think the high-end dark side can do? And two, once the world becomes hopelessly interconnected and everything is run by computer, how long do you suppose it will be before “Die Hard, With A Vengeance” goes from fantasy to some semblance of reality?
Do you have a different take? Ping me and let’s discuss.