Wednesday, July 31, 2019

Planes are in danger ! Not this false news again.... U.S. Issues Hacking Security Alert for Small Planes

U.S. Issues Hacking Security Alert for Small Planes

Attention all shoppers.  A plane left unattended can be sabotaged!  

Hide your children, the Germans are coming!

These stories are such bullshit!

Sure... someone could develop an attack that involves flashing the memory of my Garmin 430.  Aside from the fact that it takes a special dongle, is a royal pain in the ass to do legitimately, takes a seriously long time when you are waiting under the cover of the night trying not to get caught..... and since you would have to do it to many many planes for this to become an overnight issue.......not really likely unless you're part of a "dumb" terrorist group.

Keep in mind that if one such event happens it would spark an entire investigation and countermeasures would be dictated.

Even if you are trying to off your ex-wife it would be an extremely complexe endeavour with seriously uncertain outcomes mostly falling back to you going to jail to enjoy a stainless steal potty.

Lets look at the countermeasures in place.

As I mentioned many times, planes (especially small ones) have a nervous pilot sitting in that seat that is constantly checking numerous instruments and mentally correlating data from numerous sources, looking for.... you guessed it....anomalies!  Pilots also perform preflight checks:  Brake lines=dry (check),  oil level=check, avionics=check, altimeter calibration=check....

Second countermeasure lies in the hands of our dear friends at ATC (Air Traffic Control) who would let you know.... trust me.... if you are off track or at the wrong altitude.  

Third risk reduction factor goes back to the pilot, who looks out the windows.  If your flight computer (for lack of a better term) tells you that you are at 5500 feet and your physical altimeter indicates 1000 feet....  you would notice.  Same goes for when you glance out the window.

Novices will argue that the attacker could also hack the physical altimeter, which simply indicates they have no clue how one works since making the readings match on both the physical altimeter and the flight computer simply is not attainable without swapping the entire unit out which involves partial disassembly of the planes dashboard and a replacement that would have to communicate with the onboard basically not achievable. 

Also most pilots of small planes use a flight application like ForeFlight on their iPads... well guess what.... the iPad also indicates your altitude and the screen turns red when the terrain becomes dangerously low.

So all in all, this news story is meant to grab headlines, but is mostly meaningless.

Where it is not meaningless is for the security industry.  We (along with the aviation industry) must continuously stay alert and be aware of these short comings and ensure that they do not translate into "safety" issues.  Doing research like this helps understand the complex interactions between aviation systems and helps build roadmaps for better technology.

That is the big difference between news articles and real life.  Does it really matter in context?

In the aviation world, security issues are common, however mitigation mechanisms exists to bring these risks to acceptable levels and in ensuring they do not become "safety" issues.  

In the business world for many cases this is true, and in equally many cases, this is not true.  Because business is about making money not safety.

In the aviation world, aside from a clear screw up by the FAA & Boeing with their questionnable certification of the 737 MAX 8, safety remains paramount and all involve do a superb job at keeping passengers and pilots "safe". 

Cyber Security as a whole can learn a lot from the aviation industry in that respect.

So to my nervous friends who thinks little planes will start falling out of the sky... relax....  it just isn't going to happen.

My airplane is parked at a low security field near Montreal.  I have absolutely ZERO stress about my avionics safety even with my frequent speeches about how powerful people are failing society.

News like this, one week before the worlds largest security conferences, reminds me of the year that someone reported that planes had been hacked to fly sideways.   Yes, folks the laws of physiques can be hacked (just kidding....).  Always be cautious and curious about news headlines as they rarely reflect true facts.

To any curious security friends, please join me at the DefCon Aviation Village next week where we can have a long discussion about context and safety in aviation.

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...