Recently, a security researcher commandeered a plane through the entertainment system and Winn Schwartau was interviewed in an article that asked for his opinion on the matter. See below.
“I really believe in this. This is serious shit,”
“I, and many of my security professional colleagues, are not so sure that it’s safe to fly anymore. I know I cannot, without any level of confidence, say whether inflight onboard networks are secure, or whether they present a clear and present danger to the flying public,”
“In light of the myriad cybersecurity questions about the differing current implementations of onboard entertainment on commercial aircraft, I ask that, in the name of passenger safety first, airlines voluntarily shut off their aircraft WiFi and entertainment systems until proper open-source security reviews can establish their safety for the flying public,”
“Defensive protestations about ‘no known vulnerabilities invokes a level of arrogance that cyber history has proven to be profoundly wrong, and a guaranteed recipe for failure…”
There were some skeptical responses and negative feedback to the article and Winn’s comments:
So below, he responds to their comments:
To those folks who might disagree with my assessment:
I am not a Doomsayer anymore today than when I wrote ‘Information Warfare’ in 1992; it’s about security, systems and capabilities. (I have rarely dealt with intent. That’s for other folks.)
I am saying something very simple: I don’t know, and I don’t know anyone else who really does know, for absolutely sure, how secure the various networks and systems on airplanes are. I do know that when an IT person says they are secure because they use a firewall, I am skeptical. I am not a fan of security by obscurity, often favoring open source reporting by an independent security review on a periodic basis. I also know that physically isolated networks are sure a whole lot more secure than two network segments that are electronically isolated. Lastly, I know, for absolutely sure, I would be a boatload more comfortable really knowing that airplanes, of all things, maintain the highest level of security possible.
If you call that Doomsday thinking, fine. I call it serious engineering-based security in mission-critical life-or-death situations. I put hospital networks and nuke plants in that same category.
No, I am not saying it’s a vulnerability. I am saying, maybe it’s a ‘potential’ vulnerability; I don’t know all the facts, but I am suspicious. I never used the word ‘threat’, which is generally accepted to mean, a suspected or known intent to inflict harm or act with hostility. I just want this seriously checked out by people other than the vendors or airlines or others with vested interests. This has to be 100% agnostic.
Lastly, you are right. This topic is not new (and for me, at least, has nothing to do with any news cycle).
Hugo Teso, a pilot, gives technical briefings on security aspects of air born avionics and communications.
Aircraft Hacking: Practical Aero Series
Renderman has also spoken on similar topics.
Hackers + Plaines: No Good Can Come Of This
So, when I say this is serious shit, I mean it and stand by it. The sky is not falling, no; but damn, I don’t want any planes falling out of the sky because we screwed up cyber-security at 37,000 feet.