“I really believe in this. This is serious shit,” exclaimed The Security Awareness Company CEO and veteran cybersecurity guru Winn Schwartau in response to recent concerns terrorists or malicious actors could hack into the computerized systems of passenger aircraft and take control of them.
Schwartau should be listened to, too. Considered “The Civilian Architect of Information Warfare," he coined the phrase, “digital Pearl Harbor," more than 20 years ago. His seminal 1994 book, Information Warfare: Chaos on the Electronic Superhighway, first introduced the concepts of cyberterrorism to the public. In 2002, he was honored as a “Power Thinker” and one of the 50 most powerful people in networking by Network World. In 2008, he was voted one of the 25 Most Influential People in the Security Industry by Security Magazine.
On June 27, 1991, Schwartau testified before two congressional committees about the state of computer and network security in the private sector and government. “Government and commercial computer systems are so poorly protected today they can essentially be considered defenseless – an Electronic Pearl Harbor waiting to happen,” he told lawmakers. “As a result of inadequate security planning on the part of both the government and the private sector, the privacy of most Americans has virtually disappeared.”
At the time, detractors said Schwartau was screaming, “the sky is falling.” They also said he was “overstating the condition” because “cyber-terrorism simply doesn’t exist.”
Government officials agree “we now know better,” as one told Homeland Security Today on background.
Is the FBI killing the messenger?
Very serious concerns over the ability to hack into and take control of modern passenger planes were broached when Denver-based One World Labs founder and CTO Chris Roberts made news by tweeting what was assumed to be a joke about “playing” with a United Airlines plane’s in-flight entertainment and crew-alerting system on April 15.
Roberts tweeted, “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :).”
On the ground waiting for Roberts at the United Airlines flight’s final destination in Syracuse, New York, were FBI agents who wanted to talk to him, which they did for several hours. The FBI also seized some of his computer equipment and prevented him from boarding another United flight.
“Lesson from this evening, don’t mention planes,” Roberts later tweeted. “The Feds are listening, nice crew in Syracuse, left there naked of electronics.”
The following day, April 17, asserting Roberts had earlier told FBI agents he’d taken control of aircraft, the FBI obtained a search warrant to seize a variety of computers and related equipment owned by Roberts, basing its application for the search warrant on the claim that the technology would reveal “evidence of a crime;” “contraband, fruits of crime, or other items illegally possessed;” and “property designed for use, intended for use, or used in committing a crime.”
“[Roberts] stated that he … caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application. He also stated Roberts “used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks [and] used the software to monitor traffic from the cockpit system.”
According to the application for the search warrant, Hurley stated that in interviews with an FBI agent on February 13 and again on March 5, conducted “to obtain information about vulnerabilities with In Flight Entertainment (IFE) systems on airplanes … Roberts advised that he had identified vulnerabilities with IFE systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft.”
Hurley then stated “Chris Roberts furnished the information because he would like the vulnerabilities to be fixed.”
Continuing, the search warrant stated that, “During these conversations, Mr. Roberts stated … he had exploited vulnerabilities with IFE systems on aircraft while in flight. He compromised the IFE systems approximately 15 to 30 times during the time period 2011 through 2014. He last exploited an IFE system during the middle of 2014. Each of the compromises occurred on airplanes equipped with IFE systems with video monitors installed in the passenger seatbacks.”
Continuing, the warrant application stated “the IFE systems he compromised were Thales and Panasonic systems … he was able to exploit/gain access to, or ‘hack’ the IFE system after he would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover for the SEB under the seat in front of him by wiggling and squeezing the box.”
“After removing the cover to the SEB … he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight.”
Roberts, according to the FBI warrant application, “then connected to other systems on the airplane network after he exploited/gained access to, or ‘hacked’ the IFE system. He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated he used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks.”
On Saturday, Roberts tweeted, “Over last 5 years my only interest has been to improve aircraft security … given the current situation I’ve been advised against saying much.”
He later tweeted, “Sorry it’s so generic, but there’s a whole 5 years of stuff that the affidavit incorrectly compressed into 1 paragraph … lots to untangle.”
Experts warn of possible aircraft cyber vulnerabilities
“I, and many of my security professional colleagues, are not so sure that it’s safe to fly anymore. I know I cannot, without any level of confidence, say whether inflight onboard networks are secure, or whether they present a clear and present danger to the flying public,” Schwartau told Homeland Security Today.
“What I am saying, is let’s take a pause,” he said.
“In light of the myriad cybersecurity questions about the differing current implementations of onboard entertainment on commercial aircraft, I ask that, in the name of passenger safety first, airlines voluntarily shut off their aircraft WiFi and entertainment systems until proper open-source security reviews can establish their safety for the flying public,” Schwartau said.
“The evolution of passenger comfort and profit via onboard electronic systems raises questions about the potential for miscreant and cyber-terrorist actions,” Schwartau cautioned.
“Defensive protestations about ‘no known vulnerabilities,’” he said, “invoke a level of arrogance that cyber history has proven to be profoundly wrong, and a guaranteed recipe for failure. Political and profit driven hubris must not be permitted to dominate while thousands of planes hurtle millions of passengers around the world at 530 mph.”
Continuing, Schwartau said, “I do not question the need for inflight distraction or the profit incentive of for-pay entertainment. I, for myself, read a book. I merely believe that it is incumbent upon the cybersecurity industry in association with appropriate air industry legislative and regulatory bodies to create and enforce tougher criteria for onboard commercial aircraft networks, where the cost of failure is unacceptable. The vendors cannot and should not self-certify any cybersecurity criteria for commercial aircraft. There is just too much room for self-serving agendas.”
Schwartau said the following needs to be done — now:
- “Shut down all inflight entertainment and WiFi capabilities immediately until proper opensource evaluations are conducted. Yes, that means turning off Skype, Facebook, eMail and streaming in the air while a secure workable method is designed;
- “Stringent security guidelines and minimum specifications are necessary for the public safety;
- “Security by obscurity will not be tolerated. It has been suggested that onboard systems cannot be disclosed for security reasons. There are only two possible concerns here: the entertainment and avionics systems are in fact connected, and fear of flaw and exposure hinders open source security efforts, and the entertainment/internet system is indeed isolated, but for fear of loss of profits, refuses to discuss security controls. Either approach, when it comes to public safety first, is unacceptable. Security controls should be a public relations benefit. A plus. A big positive. These guys have a lot to learn;
- “Avionics, airplane communications and other onboard systems must be isolated from any customer or Internet facing services. Public networks may not be physically connected nor connected by any wireless means to any other onboard aircraft navigation or control systems. Separate physical wiring shall be used for each system. Air-to-ground communications and those from the aircraft to public systems shall be electronically isolated from aircraft communications, via separate channels and through acceptable cryptographic isolation where physical isolation is not possible. Both solutions will be subject to the same level of assurance verification;
- “Validation of the cybersecurity of onboard systems shall be performed on a periodic basis, and prior to any onboard upgrades of either public or internal systems. At least two third parties, non-affiliated with any aircraft manufacturing concerns, will ‘red-team’ a benign environment, fully functional aircraft, to assess vulnerabilities prior to deployment. Aircraft manufacturers and their suppliers will be required to ‘open source’ their security protocols, for peer review, just as cryptographic algorithms do. All systems should be subject to a common criteria evaluation and certification, in addition to Red Teaming, for each revision and deployment;
- “Reporting of any aircraft network system vulnerability shall not be considered a crime, until specific intent of harm is implicit; and
- “We will aggressively attempt to assemble the Red Teams to verify the security of targeted aircraft and systems. All activities will be documented. All activities will be made public. Aircraft suppliers will cooperate in any way requested in the interest of public safety.
“I believe I have the moral imperative, and offer an effective zero-cost method to solve a problem and restore public confidence before it becomes deadly,” Schwartau said, adding, “Would someone give me the mathematics of human life for the bullshit mantra, ‘It hasn’t happened yet, so why should I worry?’ Been there. Done that. We know that doesn’t work.”
“With aircraft, ‘hacking’ the electronics is only one vector of concern. In the mid-1990s, long discussions were held about the influence of EMI, accidental or incidental electromagnetic interference caused by portable electronics on the plane’s electronic integrity,” he continued. “Today, we are permitted to use certain devices throughout a flight. EMI breeds the potential for intentional electronic disruption of flight systems through the intentional introduction of EMI using a variety of high power discharge technologies.”
“Additionally,” he said, “an open source investigation into the security of GPS and communications systems, using a Red Team approach is in the best interest of the flying public, and should occur in tandem with the onboard systems security review. While these two vectors may be of low probability, any discussion about cybersecurity and air safety belongs in the public view.”
Joining Schwartau in his concerns is Robert David Steele, a legendary former career CIA officer and co-founder with Schwartau of the Information Warfare Conference and opening speaker at Hackers on Planet Earth in 1994.
Steele said, “I still remember some early papers from the US Air War College laying out very clearly how hackable all electronic systems are — indeed, [the] National Security Agency’s [NSA] greatest non-secret is that the Chinese have been riding the electrical circuits into US government computers that are not linked directly to the Internet. Bottom line — as I said … recently — is the US government has been criminally irresponsible in allowing industry to buy its way out of fundamental code level security — our entire cyber-world is a house of cards, and it is legislative corruption and corporate malfeasance that makes it so.”
Steele said on his website that, “Although NSA was tasked in 1994 with protecting US commercial communications and computers, they chose instead to create infantile back-doors with the active connivance of the CEOs of Google, HP, Dell, Microsoft and others (this is all a matter of public record). I have to wonder why those CEOs are not being made destitute by their betrayed stakeholders.”
“Cars — and airplanes — can indeed be hacked,” Steele stated, noting that, “They can also be electromagnetic pulse-bombed. I make these statements with the hope that some real investigative journalism will occur, and that the FBI will sound a proper alarm that leads Congress and the executive [branch] to mandate a Manhattan-scale project toward open source everything engineering. If you live by lies, you die by lies. It’s time the public got upset about this.”
“If the entertainment and flight control systems are connected, obviously that creates a situation where ‘bad guys’ will try to find a way to bypass any cybersecurity protection that the aircraft has,” Mark Gazit, CEO of ThetaRay, told Homeland Security Today.
Gazit is one of the top cybersecurity experts in Israel, with a longstanding reputation dating back to his cybersecurity service in the Israeli Air Force, and a former managing director of Cyber and Intelligence Solutions at NICE Systems, where he provided cybersecurity services to homeland security and classified sectors. He added that, “I was troubled to read Airbus’s statement that they use firewalls to protect their systems, because that means they are connected. Airplanes do have one advantage in that, if somebody tries to gain physical access to sensitive systems, it will probably be observed and identified by other passengers.”
“The FBI has not released the details of [Chris Roberts’] case, but there are actually multiple ways in which a hacker might affect the course of an aircraft,” Gazit said. “He could access the engine, as Chris Roberts claims to have done, or, he could hack into the sensors connecting to the flight systems, which would cause the automatic pilot to kick in and steer the airplane. And if the flight control systems aren’t connected to the aircraft’s entertainment network, he could simply hack into the air conditioner system (which definitely is connected to the entertainment network). If a flight’s aircraft system is shut down, the airplane is forced to land.”
Gazit said, “We have no doubt that our enemies will become more innovative in developing types of attacks that are currently not even considered possible. That’s why it’s not enough to put protection systems like firewalls in place. There is a very strong need for installed devices that can detect dangerous behavior not only by looking at network traffic (an old and ineffective method), but by reviewing operational data and flight data continuously in order to identify in real time the slightest signs of an attack, notify the crew, and allow them to take action before damage to safety and security can occur.”
Dr. Gabriel “Gabi” Siboni, a colonel in the Israel Defense Forces Reserve service and a senior research fellow and director of the Military Affairs & Cyber Program at Israel’s Institute for National Security Studies (INSS), said that computer hackers targeting critical infrastructure around the world could cause “attacks on airplanes or air traffic control towers” which “could cause accidents, or even to paralyze entire flight systems.” He said, “The disruption and possible infiltration of critical infrastructure is the most severe form of cyber-attack.”
“As of now, this area of capabilities is the exclusive domain of developed states,” Siboni said. However, he warned that he “strongly believe[s] the next 9/11 will happen without suicide bombers aboard the plane with box-cutters but will occur because of a cyber-incident perpetrated by a terror organization.”
Siboni also warned that “Computer hackers have begun targeting electric and nuclear power plants and other critical operations around the world in audacious and continuous efforts to take control of them.”
Unfortunately, Siboni said, the strategic partnership between Israel and the US has not been taken advantage of in the field of cybersecurity, to the detriment of both nations.
“Establishing a bilateral apparatus that combines the technological capabilities of civil and military intelligence is currently one of the most pressing issues of the day in light of both the magnitude and severity of the threats we face,” he stated. “Furthermore, cyber attacks are not the exclusive domain of the private sector. Cyber aggression is widely utilized and has become a basic weapon used in international conflicts. Countries are responsible for attacks on most national infrastructure, and governments across the Western world have understood that they must allocate resources not only to purchase new tanks and aerial defense systems but also in defensive cyber infrastructure.”
Government auditor isn’t convinced all’s hunky dory, either
Homeland Security Today recently reported that a new Government Accountability Office (GAO) audit found the Federal Aviation Administration (FAA) “needs to conduct a more comprehensive approach to addressing cybersecurity vulnerabilities as the agency transitions to NextGen,” noting that “the increasing interconnectedness of modern aircraft … to the Internet” presents the potential for “unauthorized remote access to aircraft avionics systems.”
The FAA’s NextGen program, as GAO explained, “is a modernization effort begun in 2004 by FAA to transform the nation’s ground-based Air Traffic Control (ATC) system into a system that uses satellite-based navigation and other advanced technology. This effort is a multiyear, incremental transformation that will introduce new technologies and leverage existing technologies to affect every part of the NAS. These new technologies will use an Internet Protocol (IP)-based network to communicate.”
But, according to FAA and experts GAO interviewed, modern communications technologies, including IP connectivity, that are increasingly used in aircraft systems are also “creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems.”
“Aircraft information systems consist of avionics systems used for flight and in-flight entertainment. Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO stated in its audit report released this week.
Continuing, GAO said, “Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard,” but “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”
Not surprisingly, GAO said, “An FAA official said that additional security controls implemented onboard could strengthen the system.”
“While it’s true that firewalls could potentially be bypassed by those with ill intent, we have to remember that aircraft systems are built with safety in mind. These systems, which we deem life- or safety-critical, have redundancies in place to lessen the chances of tragic outcomes should they be compromised,” said Jovi Umawing, malware intelligence analyst for Malwarebytes Labs, the research arm of the anti-malware company. But, he added, because “the GAO report does not clearly elaborate if this new threat via cabin Wi-Fi takes into account such systems, we can’t know for sure if an attack like this would be successful.”
“This doesn’t mean that vulnerabilities found in Wi-Fi and aviation systems shouldn’t be taken seriously,” Umawing said. “Travelers must still adhere to safe computing practices and treat the plane Wi-Fi in the same way they would free public Wi-Fi in a coffee shop. That means avoiding logging into websites that contain lots of sensitive information like online banking or social media accounts. Airplane Wi-Fi may be password protected, but that doesn’t mean there isn’t someone logged onto the network sniffing around for packets and looking to take advantage of travelers’ trust in the system.”
As part of the aircraft certification process, GAO said the FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.
Still, GAO said, “FAA officials and experts we interviewed said that modern aircraft are … increasingly connected to the Internet, which also uses IP networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.”
GAO said, “FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems. One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.”
According to five cybersecurity experts GAO interviewed, “the threat of malicious activity by trusted insiders also grows with the ease of access to avionics systems afforded by IP connectivity if proper controls, such as role-based access, are not in place. For example, the presence of personal smart phones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems.”
Continuing, GAO reported that the “FAA’s Office of Safety (AVS) is responsible for certifying the airworthiness of new aircraft and aviation equipment, including software components for avionics systems,” but that “FAA’s aircraft airworthiness certification does not currently include assurance that cybersecurity is addressed.”
According to FAA officials and the Radio Technical Commission for Aeronautics (RTCA), GAO stated, “FAA currently issues rules with limited scope, called Special Conditions, to aircraft manufacturers when aircraft employ new technologies where IP interconnectivity could present cybersecurity risks. FAA views Special Conditions as an integral part of the certification process, which gives the manufacturer approval to design and manufacture the aircraft, engine, or propeller with additional capabilities not referred to in FAA regulations.”
“For example,” GAO pointed out, “FAA issued Special Conditions to address the increased connectivity among aircraft cockpit and cabin systems for the Boeing 787 and Airbus A350 to provide systems cybersecurity and computer network protection from unauthorized external and internal access.”
FAA officials also told GAO auditors that “research supporting cybersecurity-related Special Conditions could be aggregated and used to support portions of a new rule, and industry experts we spoke with said they would support the certainty rulemaking would bring” with regard to protecting modern aircraft interconnectivity from hacking.
In its audit, GAO further reported that the “FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system. FAA has agreed to address these weaknesses. Nevertheless, FAA will continue to be challenged in protecting ATC systems because it has not developed a cybersecurity threat model.”
National Institute of Standards and Technology (NIST) guidance, as well as experts GAO consulted, “recommend such modeling to identify potential threats to information systems, and as a basis for aligning cybersecurity efforts and limited resources.”
But, “While FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so,” GAO determined. And, “Without such a model, FAA may not be allocating resources properly to guard against the most significant cybersecurity threats,” GAO concluded.
“Please, spend 1 hour in the next week making some noise. I really don’t want to see the headlines,” Schwartau said.