The best approach the airlines should follow in securing their onboard networks is to prevent the hackers among their passengers from doing any damage with the assumption they are going to find a way to break in.
That’s the advice provided by Dave Bennett, CTO of IONU Security, a company that provides secure network technology for government agencies and others where the need for security is critical.
“It’s pretty much impossible to keep people out,” Bennett said in response to the discussion about the reported hacking of engine management systems on a United Airlines flight by security researcher Chris Roberts last year.
This is almost exactly the same advice that former U.S. Cyber Security Coordinator Richard Clark offered in a conversation back in April.
Bennett also noted that it’s not just the airplanes that are vulnerable to hacking on a flight, it’s also the passengers. He said that now that people can use WiFi on airplanes, their computers are vulnerable to penetration, especially if they don’t have their security set up properly. “Don’t call it a home network,” he said, referring to a popular setting on Windows computers.
But there are other traps as well, such as leaving your music sharing turned on while you’re using your WiFi connection to the airplane. Bennett said that it’s important to make sure that any possible peer-to-peer connections to your computer are turned off.
Otherwise, he said, a hacker on the same plane can implant malware such as Poison Ivy, which will provide a backdoor into your computer. The reason it’s a vulnerability on a plane is because people are likely to be seated for hours with their WiFi turned on and aren’t likely to be suspecting an intrusion attempt.
Bennett said that much of the problem with vulnerabilities on airliners is due to the desire by the airlines to cut costs. Such cost-cutting is why the airlines are offering WiFi in the first place, because it provides a means to offer entertainment without incurring the cost and fuel-wasting weight of the old entertainment systems.
“I see this as an effort for them to save costs. They could create an in-flight WiFi that’s totally separate, and they’d have to have a whole separate antenna system,” Bennett said. He said that if the airline entertainment system and other airplane systems have any common components including antennas and radios, there’s a vulnerability at that point.
Fortunately, there are some things that users and the airline can do to make the whole system safer. “The best practice for security data in-flight is to use a VPN [virtual private network] for everything,” he said. Bennett said that a VPN that’s properly set up will also prevent peer-to-peer connections.
Security Expert Says Blocking Access to Airliner Networks Impossible
Bennett also suggests that VPNs are a very good idea for the airplane’s own networks as a way to limit the damage that someone can do if they get into the network.
The airlines, unfortunately, are caught in a difficult position. On one hand, they’re trying to reduce the cost of providing a flight to the public. To accomplish this at the prices the public is demanding, airlines need to provide the level of service that passengers have come to expect. Now that the airlines have started offering WiFi, passengers have come to expect it.
But the airlines also need to provide flights as cheaply as possible. That means cutting fuel use to the minimum. Cutting fuel use ultimately means cutting weight, since the weight of an airplane directly impacts fuel use and the cost of fuel is the major expense in flying an airliner from one place to another.
By offering onboard WiFi services, the airlines were able to significantly reduce aircraft weight by eliminating thousands of feet of wire and fiber along with some hefty legacy electronics gear needed to operate entertainment systems for the passengers. Now all that the airlines need to do is provide WiFi and some onboard storage.
The problem with that arrangement is that by giving WiFi to the passengers, you also invite those passengers onto the airplane’s data network. As we have seen, once you let passengers onto a plane with a WiFi network, a few of them will get the bright idea to try to hack that network.
Bennett points out that the airlines could have provided totally separate networks, which would mean not providing things like in-flight maps, but would also mean getting another set of satellite radios, another set of antennas and another set of everything else, which add more weight.
Another factor that the airlines need to consider, Bennett said, is that given enough time, any system, including networks, can be reverse-engineered to understand how they work and therefore how to break in.
Bennett said that reverse-engineering networks is something he does regularly in his security work. He recalled one former client telling him that their security system was impossible to reverse-engineer. “At that point,” he said, “we had already done it.”
What this means is that the airlines will never be able to keep motivated passengers out of their networks, whether they’re on the ground or in the air. The best practice is one that organizations that need real security already do, which is to stop pretending that it’s impossible to hack their networks and start finding ways to protect their data with the assumption that their network has already been penetrated.