The best approach the airlines should follow in securing their onboard networks is to prevent the hackers among their passengers from doing any damage with the assumption they are going to find a way to break in.
That's the advice provided by Dave Bennett, CTO of IONU Security, a company that provides secure network technology for government agencies and others where the need for security is critical.
"It's pretty much impossible to keep people out," Bennett said in response to the discussion about the reported hacking of engine management systems on a United Airlines flight by security researcher Chris Roberts last year.
This is almost exactly the same advice that former U.S. Cyber Security Coordinator Richard Clark offered in a conversation back in April.
Bennett also noted that it's not just the airplanes that are vulnerable to hacking on a flight, it's also the passengers. He said that now that people can use WiFi on airplanes, their computers are vulnerable to penetration, especially if they don't have their security set up properly. "Don't call it a home network," he said, referring to a popular setting on Windows computers.
But there are other traps as well, such as leaving your music sharing turned on while you're using your WiFi connection to the airplane. Bennett said that it's important to make sure that any possible peer-to-peer connections to your computer are turned off.
Otherwise, he said, a hacker on the same plane can implant malware such as Poison Ivy, which will provide a backdoor into your computer. The reason it's a vulnerability on a plane is because people are likely to be seated for hours with their WiFi turned on and aren't likely to be suspecting an intrusion attempt.
Bennett said that much of the problem with vulnerabilities on airliners is due to the desire by the airlines to cut costs. Such cost-cutting is why the airlines are offering WiFi in the first place, because it provides a means to offer entertainment without incurring the cost and fuel-wasting weight of the old entertainment systems.
"I see this as an effort for them to save costs. They could create an in-flight WiFi that's totally separate, and they'd have to have a whole separate antenna system," Bennett said. He said that if the airline entertainment system and other airplane systems have any common components including antennas and radios, there's a vulnerability at that point.
Fortunately, there are some things that users and the airline can do to make the whole system safer. "The best practice for security data in-flight is to use a VPN [virtual private network] for everything," he said. Bennett said that a VPN that's properly set up will also prevent peer-to-peer connections.