Page 379

Hacking Airplanes

Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some “Die Hard” reboot, but it’s actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes.

It’s certainly possible, but in the scheme of Internet risks I worry about, it’s not very high. I’m more worried about the more pedestrian attacks against more common Internet-connected devices. I’m more worried, for example, about a multination cyber arms race that stockpiles capabilities such as this, and prioritizes attack over defense in an effort to gain relative advantage. I worry about the democratization of cyberattack techniques, and who might have the capabilities currently reserved for nation-states. And I worry about a future a decade from now if these problems aren’t addressed.

First, the airplanes. The problem the GAO identifies is one computer security experts have talked about for years. Newer planes such as the Boeing 787 Dreamliner and the Airbus A350 and A380 have a single network that is used both by pilots to fly the plane and passengers for their Wi-Fi connections. The risk is that a hacker sitting in the back of the plane, or even one on the ground, could use the Wi-Fi connection to hack into the avionics and then remotely fly the plane.

The report doesn’t explain how someone could do this, and there are currently no known vulnerabilities that a hacker could exploit. But all systems are vulnerable—we simply don’t have the engineering expertise to design and build perfectly secure computers and networks—so of course we believe this kind of attack is theoretically possible.

Previous planes had separate networks, which is much more secure.

As terrifying as this movie-plot threat is—and it has been the plot of several recent works of fiction—this is just one example of an increasingly critical problem: As the computers already critical to running our infrastructure become connected, our vulnerability to cyberattack grows. We’ve already seen vulnerabilities in baby monitors, cars, medical equipment and all sorts of other Internet-connected devices. In February, Toyota recalled 1.9 million Prius cars because of a software vulnerability. Expect similar vulnerabilities in our smart thermostats, smart light bulbs and everything else connected to the smart power grid. The Internet of Things will bring computers into every aspect of our life and society. Those computers will be on the network and will be vulnerable to attack.

And because they’ll all be networked together, a vulnerability in one device will affect the security of everything else. Right now, a vulnerability in your home router can compromise the security of your entire home network. A vulnerability in your Internet-enabled refrigerator can reportedly be used as a launching pad for further attacks.

Future attacks will be exactly like what’s happening on the Internet today with your computer and smartphones, only they will be with everything. It’s all one network, and it’s all critical infrastructure.

Some of these attacks will require sufficient budget and organization to limit them to nation-state aggressors. But that’s hardly comforting. North Korea is last year believed to have launched a massive cyberattack against Sony Pictures. Last month, China used a cyberweapon called the “Great Cannon” against the website GitHub. In 2010, the U.S. and Israeli governments launched a sophisticated cyberweapon called Stuxnet against the Iranian Natanz nuclear power plant; it used a series of vulnerabilities to cripple centrifuges critical for separating nuclear material. In fact, the United States has done more to weaponize the Internet than any other country.

Governments only have a fleeting advantage over everyone else, though. Today’s top-secret National Security Agency programs become tomorrow’s Ph.D. theses and the next day’s hacker’s tools. So while remotely hacking the 787 Dreamliner’s avionics might be well beyond the capabilities of anyone except Boeing engineers today, that’s not going to be true forever.

What this all means is that we have to start thinking about the security of the Internet of Things—whether the issue in question is today’s airplanes or tomorrow’s smart clothing. We can’t repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up. We have to build security into everything that is going to be connected to the Internet.

This is going to require both significant research and major commitments by companies. It’s also going to require legislation mandating certain levels of security on devices connecting to the Internet, and at network providers that make the Internet work. This isn’t something the market can solve on its own, because there are just too many incentives to ignore security and hope that someone else will solve it.

As a nation, we need to prioritize defense over offense. Right now, the NSA and U.S. Cyber Command have a strong interest in keeping the Internet insecure so they can better eavesdrop on and attack our enemies. But this prioritization cuts both ways: We can’t leave others’ networks vulnerable without also leaving our own vulnerable. And as one of the most networked countries on the planet, we are highly vulnerable to attack. It would be better to focus the NSA’s mission on defense and harden our infrastructure against attack.

Remember the GAO’s nightmare scenario: A hacker on the ground exploits a vulnerability in the airplane’s Wi-Fi system to gain access to the airplane’s network. Then he exploits a vulnerability in the firewall that separates the passengers’ network from the avionics to gain access to the flight controls. Then he uses other vulnerabilities both to lock the pilots out of the cockpit controls and take control of the plane himself.

It’s a scenario made possible by insecure computers and insecure networks. And while it might take a government-led secret project on the order of Stuxnet to pull it off today, that won’t always be true.

Of course, this particular movie-plot threat might never become a real one. But it is almost certain that some equally unlikely scenario will. I just hope we have enough security expertise to deal with whatever it ends up being.

This essay originally appeared on CNN.com.

EDITED TO ADD: News articles.

Tags: , , , , ,

Posted on April 21, 2015 at 1:40 PMView Comments

Hacker Detained by FBI after Tweeting about Airplane Software Vulnerabilities

This is troubling:

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

Yes, the real issue here is the chilling effects on security research. Security researchers who point out security flaws is a good thing, and should be encouraged.

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still…

Slashdot thread. Hacker News thread.

EDITED TO ADD (4/22): Another article, this one about the debate over disclosing security vulnerabilities.

Tags: , , , , , ,

Posted on April 21, 2015 at 5:26 AMView Comments

Counting the US Intelligence Community Leakers

It’s getting hard to keep track of the US intelligence community leakers without a scorecard. So here’s my attempt:

  • Leaker #1: Chelsea Manning.
  • Leaker #2: Edward Snowden.
  • Leaker #3: The person who leaked secret documents to Jake Appelbaum, Laura Poitras, and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. This might be the “high-ranking NSA employee in Germany” from this story—or maybe that’s someone else entirely.
  • Leaker #4: “A source in the intelligence community,” according to the Intercept, who leaked information about the Terrorist Screening Database, the “second leaker” from the movie Citizen Four. Greenwald promises a lot from him: “Snowden, at a meeting with Greenwald in Moscow, expresses surprise at the level of information apparently coming from this new source. Greenwald, fearing he will be overheard, writes the details on scraps of paper.” We have seen nothing since, though. This is probably the leaker the FBI identified, although we have heard nothing further about that, either.
  • Leaker #5: Someone who is leaking CIA documents.
  • Leaker #6: The person who leaked secret information about WTO spying to the Intercept and the New Zealand Herald. This isn’t Snowden; the Intercept is very careful to identify him as the source when it writes about the documents he provided. Neither publication give any indication of how it was obtained. This might be Leaker #3, since it contains X-KEYSCORE rules.
  • Leaker #7: The person who just leaked secret information about the US drone program to the Intercept and Der Spiegel. This also might be Leaker #3, since there is a Germany connection. According to the Intercept: “The slides were provided by a source with knowledge of the U.S. government’s drone program who declined to be identified because of fears of retribution.” That implies someone new.

Am I missing anyone?

Harvard Law School professor Yochai Benkler has written an excellent law review article on the need for a whistleblower defense. And there’s this excellent article by David Pozen on why government leaks are, in general, a good thing. I wrote about the value of whistleblowers in Data and Goliath.

Way back in June 2013, Glenn Greenwald said that “courage is contagious.” He seems to be correct.

This post was originally published on the Lawfare blog.

EDITED TO ADD (4/22): News article.

In retrospect, I shouldn’t have included Manning in this list. I wanted it to be a list of active leaks, not historical leaks. And while Snowden is no longer leaking information, the reporters who received his documents are still releasing bits and pieces.

Tags: , , , ,

Posted on April 20, 2015 at 11:18 AMView Comments

Metal Detectors at Sports Stadiums

Fans attending Major League Baseball games are being greeted in a new way this year: with metal detectors at the ballparks. Touted as a counterterrorism measure, they’re nothing of the sort. They’re pure security theater: They look good without doing anything to make us safer. We’re stuck with them because of a combination of buck passing, CYA thinking, and fear.

As a security measure, the new devices are laughable. The ballpark metal detectors are much more lax than the ones at an airport checkpoint. They aren’t very sensitive—people with phones and keys in their pockets are sailing through—and there are no X-ray machines. Bags get the same cursory search they’ve gotten for years. And fans wanting to avoid the detectors can opt for a “light pat-down search” instead.

There’s no evidence that this new measure makes anyone safer. A halfway competent ticketholder would have no trouble sneaking a gun into the stadium. For that matter, a bomb exploded at a crowded checkpoint would be no less deadly than one exploded in the stands. These measures will, at best, be effective at stopping the random baseball fan who’s carrying a gun or knife into the stadium. That may be a good idea, but unless there’s been a recent spate of fan shootings and stabbings at baseball games—and there hasn’t—this is a whole lot of time and money being spent to combat an imaginary threat.

But imaginary threats are the only ones baseball executives have to stop this season; there’s been no specific terrorist threat or actual intelligence to be concerned about. MLB executives forced this change on ballparks based on unspecified discussions with the Department of Homeland Security after the Boston Marathon bombing in 2013. Because, you know, that was also a sporting event.

This system of vague consultations and equally vague threats ensure that no one organization can be seen as responsible for the change. MLB can claim that the league and teams “work closely” with DHS. DHS can claim that it was MLB’s initiative. And both can safely relax because if something happens, at least they did something.

It’s an attitude I’ve seen before: “Something must be done. This is something. Therefore, we must do it.” Never mind if the something makes any sense or not.

In reality, this is CYA security, and it’s pervasive in post-9/11 America. It no longer matters if a security measure makes sense, if it’s cost-effective or if it mitigates any actual threats. All that matters is that you took the threat seriously, so if something happens you won’t be blamed for inaction. It’s security, all right—security for the careers of those in charge.

I’m not saying that these officials care only about their jobs and not at all about preventing terrorism, only that their priorities are skewed. They imagine vague threats, and come up with correspondingly vague security measures intended to address them. They experience none of the costs. They’re not the ones who have to deal with the long lines and confusion at the gates. They’re not the ones who have to arrive early to avoid the messes the new policies have caused around the league. And if fans spend more money at the concession stands because they’ve arrived an hour early and have had the food and drinks they tried to bring along confiscated, so much the better, from the team owners’ point of view.

I can hear the objections to this as I write. You don’t know these measures won’t be effective! What if something happens? Don’t we have to do everything possible to protect ourselves against terrorism?

That’s worst-case thinking, and it’s dangerous. It leads to bad decisions, bad design and bad security. A better approach is to realistically assess the threats, judge security measures on their effectiveness and take their costs into account. And the result of that calm, rational look will be the realization that there will always be places where we pack ourselves densely together, and that we should spend less time trying to secure those places and more time finding terrorist plots before they can be carried out.

So far, fans have been exasperated but mostly accepting of these new security measures. And this is precisely the problem—most of us don’t care all that much. Our options are to put up with these measures, or stay home. Going to a baseball game is not a political act, and metal detectors aren’t worth a boycott. But there’s an undercurrent of fear as well. If it’s in the name of security, we’ll accept it. As long as our leaders are scared of the terrorists, they’re going to continue the security theater. And we’re similarly going to accept whatever measures are forced upon us in the name of security. We’re going to accept the National Security Agency’s surveillance of every American, airport security procedures that make no sense and metal detectors at baseball and football stadiums. We’re going to continue to waste money overreacting to irrational fears.

We no longer need the terrorists. We’re now so good at terrorizing ourselves.

This essay previously appeared in the Washington Post.

Tags: , , , , , , , ,

Posted on April 15, 2015 at 6:58 AMView Comments

Two Thoughtful Essays on the Future of Privacy

Paul Krugman argues that we’ll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them:

Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today—that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now. Well, one thing that’s very clear if you spend any time around the rich—and one of the very few things that I, who by and large never worry about money, sometimes envy—is that rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.

And it’s fairly obvious how smart wristbands could replicate some of that for the merely affluent. Your reservation app provides the restaurant with the data it needs to recognize your wristband, and maybe causes your table to flash up on your watch, so you don’t mill around at the entrance, you just walk in and sit down (which already happens in Disney World.) You walk straight into the concert or movie you’ve bought tickets for, no need even to have your phone scanned. And I’m sure there’s much more—all kinds of context-specific services that you won’t even have to ask for, because systems that track you know what you’re up to and what you’re about to need.

Daniel C. Dennett and Deb Roy look at our loss of privacy in evolutionary terms, and see all sorts of adaptations coming:

The tremendous change in our world triggered by this media inundation can be summed up in a word: transparency. We can now see further, faster, and more cheaply and easily than ever before—and we can be seen. And you and I can see that everyone can see what we see, in a recursive hall of mirrors of mutual knowledge that both enables and hobbles. The age-old game of hide-and-seek that has shaped all life on the planet has suddenly shifted its playing field, its equipment and its rules. The players who cannot adjust will not last long.

The impact on our organizations and institutions will be profound. Governments, armies, churches, universities, banks and companies all evolved to thrive in a relatively murky epistemological environment, in which most knowledge was local, secrets were easily kept, and individuals were, if not blind, myopic. When these organizations suddenly find themselves exposed to daylight, they quickly discover that they can no longer rely on old methods; they must respond to the new transparency or go extinct. Just as a living cell needs an effective membrane to protect its internal machinery from the vicissitudes of the outside world, so human organizations need a protective interface between their internal affairs and the public world, and the old interfaces are losing their effectiveness.

Tags: , ,

Posted on April 14, 2015 at 6:32 AMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.