 |
| Chris Roberts, of cyber security firm One World Labs Picture: FoxNEWS |
Julian Bray writes: Fox News are reporting - and its being picked up by TV and newspapers in Europe - that Chris Roberts, of cyber security firm One World Labs, claims he managed to hack into the plane’s computer systems through the electronic access box under his seat. Mr Roberts apparently made the claim in an FBI interview released in the USA .
Comments attributed to an FBI Agent Mike Hurley need to be treated with caution, for example: "He said he caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights." If this is true it would be a miracle, as engines don't climb but just go faster or slower. However flaps on the wings being manipulated would cause the aircraft to gain or lose altitude.
"He also stated (says Hurley), Roberts used software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system."
True there is in older fly-by-wire aircraft, an access box under seat positions for aircraft entertainment systems but these aircraft have multiple computer arrays and not all are linked. The seatback hospitality TV unit would be on its own subset.
The cyber security technician says he "exploited security [software] weaknesses to override computer control systems by connecting an ethernet cable to his laptop and connecting into the below seat access port using default passwords to access systems.
The FBI claims Mr Roberts hacked the entertainment systems on US flights more than a dozen times between 2011 and 2014.
.
This comes after he was removed from a United Airlines flight last month for tweeting he might hack into the plane and make the oxygen masks deploy. Although FBI have confiscated his kit they are said to have taken his claims seriously.
A closer examination of the FBI document however suggests Roberts might not have actually 'hacked' the aircraft or any aircraft but did so in a closed virtual replication environment;" "Roberts said he used Kali Linux to perform penetration testing of the IFE system. He used the default IDs and passwords to compromise the IFE systems. He also said that he used VBox which is a virtualized environment to build his own version of the airplane network. The virtual environment would replicate airplane network, and that he used virtual machine's on his laptop while compromising the airplane network...." A form of Pie in the Sky, perhaps?
Tellingly Mr Roberts has not been charged with any crime, but has gained worldwide 'free' publicity and possible aviation consultancy offers from aircraft manufacturers. If any of this is true then existing IT teams and layers of expensive computer consultants can expect their employment to be rapidly terminated... Control, Alt, Delete.
MEANWHILE:
United Airlines is offering up to a million air miles to hackers who can find security bugs in its network.
The move by United Airlines comes amid increasing cybersecurity threats to businesses, with the cost of data breaches likely to hit $2.1 trillion globally by 2019, four times the 2015 figure, according to Juniper Research.
United Airlines website lists the types of threats that are eligible for submission into its "bug bounty program". These include finding bugs on customer facing websites, flaws in the United app, and attacks that compromise the private credentials of users, reports NBC NEWS.
The amount of air miles awarded depends on the severity of the bug discovered. For a so-called "ethical hacker" to receive a million air miles, they must uncover what is known as a "remote execution code" -- a security flaw that allows hackers to infiltrate a network from a remote location.
The reward for uncovering a medium severity bug is 250,000 air miles, and people who discover low level bugs will receive 50,000 air miles.
But United is not keen on ethical hackers playing around with its in-plane systems and said that bugs found on "onboard Wi-Fi, entertainment systems or avionics" were not eligible for submission.
Asking professional hackers to find flaws in a business's network is not a new tactic, but United is one of the first airlines to try it. Last year, the Bank of England employed ethical hackers -- also known as "white hat" hackers -- to test the defenses of Britain's biggest banks.
Often companies struggle to find the required expertise to deal with the increasingly complex landscape of cybersecurity. By letting external hackers have a pop at a network, a company can tap this experience and find flaws that can then be patched up.
"This is a really smart move by United Airlines, as crowdsource testing for security weaknesses can be hugely valuable to organizations," Jason Steer, chief security strategist at FireEye, said in a statement.
"Its bug bounty is a novel way to incentivize white hat hackers to look for weaknesses in its system, and a great way to save them money whilst increasing its security."
But United warned that hackers should not attempt such things as injecting malicious code into live systems, coercion or extortion of the airline's employees. Anyone who did would face disqualification from the bug bounty program and a possible legal investigation.
JULIAN BRAY ++44(0)1733 345581, Journalist, Broadcaster, Aviation Security & Operations Expert, Travel / Cruise Industry, EQUITY, NUJ, Broadcast COOBE ISDN ++44 (0)1733 345020 (DUAL CODEC) SKYPE: JULIAN.BRAY.UK e&oe Cell: 07944 217476 or iPhone 0743 530 3145 #VENDOR 10476453 http://feeds.feedburner.com/BraysDuckhouseBlog
No comments:
Post a Comment