Imagine this. You’re onboard an airplane watching a movie at 35000 feet. The guy sitting next to you looks like he’s playing a video game. But he’s really hacking into the plane’s flight control system. One researcher claims he did just that on a flight from Chicago to Syracuse, New York. A number of articles including one in Wired Magazine cite comments by security researcher Chris Roberts claiming he hacked into the thrust control system of a United Airlines flight by manipulating the plane’s in-flight entertainment system. United has banned Roberts from its airplanes. Security experts have differing views of how real this threat really might be and how much of Robert’s story may be credible. But security expert James Ryan of LitmusLogic tells us he’s not surprised, “This is more evidence that companies and regulators have underestimated cyber risk for over a decade and security strategies are outdated. The root cause is not vulnerability in the IFE (in-flight entertainment system). The root cause is almost certainly a few choices made years ago on how to design and integrate an in-flight entertainment system and along the way someone chose to cut costs or increase revenues by taking on more cyber risk and not sufficiently isolating entertainment from plane operations. Unfortunately, I expect to see many more of these attacks and takeovers before things get better. Copycat attacks will almost certainly grow over the coming weeks and upgrading the airplane may take time which means airplanes and air flight will be vulnerable for months if not years.”
This story comes within days of U.S. Secretary of Transportation Anthony Foxx calling for a speedup in the development of Vehicle to Vehicle Communications (V2V). Foxx believes that giving cars the ability to talk to each other without human intervention will be essential to developing the self-driving car. The idea is that when two cars are approaching the same space, their V2V systems will talk to each other and determine which car should take what action. But there have already been stories of hackers getting into connected systems in cars. The notion of some 16 year old with the right gear looking out over an intersection and deciding to play bumper cars scares the daylights out of me.
Judith Bitterli, Vice President of anti-virus software maker AVG says the automotive industry needs to take measures to deal with cyber-security issues, she notes, “According to a recent congressional inquiry by Senator Ed Markey, there is a widespread absence of security and privacy protection being taken into consideration as automakers race to embrace the technology without considering the implications. Clearly, the automotive and cybersecurity industries need to monitor autonomous technology very carefully, and adapt where needed. Put simply, cars are another piece…a big piece… of the entire landscape of the Internet of Things, and if we are going to leave the driving to technology, we must make sure that it’s safe and secure.”
For older drivers, the concept of the self-driving car could prove to be a dilemma. On one hand they may be reluctant to get into a vehicle with no steering wheel or pedals, a la Google. On the other hand, the self-driving car may help them add years of mobility. But it would be nice to know either way that they won’t be car hacked.
Security expert James Ryan claims that both in industry and government, cyber-security is often an afterthought. In most cases he feels that businesses regard hacking as just another cost of doing business, and far less expensive than putting in place systems that could actually stop cyberattacks beforehand. If one day an airliner falls from the sky because its flight controls were hacked, then what? Technology is amazing. But every advance comes with trade-offs. And wouldn’t we be better off making them by choice and not by accident?