Planes, trains and automobiles—which are the easiest to hack?
When passengers at Warsaw's Frederic Chopin Airport found themselves seriously delayed on June 21, they may have first suspected adverse weather conditions or mechanical trouble. But the reason planes were grounded was because the airline, Poland's LOT, was being attacked by hackers, in an unprecedented cyber breach which could have repercussions far beyond the airline industry.
In recent months computer security experts have also voiced concerns over vulnerabilities in both cars and trains. Hacking airplanes may attract the most headlines, but which form of transport is the most vulnerable to a cyber attack?
The attack in Poland affected 10 flights and planes were back in the air by the same evening, but this is not the first time airline cyber security has hit the news in recent months.
In April Chris Roberts, a security expert and founder of One World Labs, was detained by the F.B.I. after Tweeting about his ability to take over the systems of the aircraft he was traveling on. Roberts has been researching airline security since 2009 and has brought up security concerns about the vulnerabilities in the systems on Airbus and Boeing aircraft. During his journey from Denver to Syracuse with United Airlines, Roberts mentioned manipulating the Engine Indicator Crew Alert System and deploying the oxygen masks. The tweet was signed off with a smiling face and Roberts said later it was a joke.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)— Chris Roberts (@Sidragon1) April 15, 2015
Afterwards, United claimed there was evidence of tampering under Roberts’ seat on the first leg of his journey, between Denver and Chicago, although in an interview with Wired he denied he hacked the network on that particular flight but has explored an airplane’s systems on 20 or 30 other occasions.
Roberts was questioned by the F.B.I. when he arrived in Syracuse. A search warrant application filed in U.S. Federal court, unearthed by Canadian news agency APTN, claimed he told agents he was able to take control of a plane via the entertainment system. “He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” read the affidavit, signed by F.B.I. agent Mike Hurley.
Roberts maintains that his responses were taken out of context, and he had only taken command of a system during a simulation. United Airlines denied the hack was possible, although the company did ban Roberts from flying.
Boeing, one of the aircraft manufacturers Roberts has criticized, denies the entertainment system vulnerability exists. “IFE [In flight entertainment] systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” the company said in an emailed statement.
Roberts’ claims have come under great scrutiny, and some security experts have voiced their disbelief that the vulnerability exists. But others, such as Joshua Corman, founder of I Am The Cavalry, an organization focusing on issues where computer security intersects with public safety, feels the furor over Roberts has overshadowed a potentially serious problem. “Everyone is focused on what Chris Roberts did or did not do, and I think it distracted from a simple question – what can any one passenger do from the passenger cabin to affect the flight of the airplane? If the answer is anything except “absolutely nothing” then it’s the wrong answer.”
Patrick Nielsen, senior security researcher at Kaspersky Lab, says the real issue is researcher being shut out. “It’s very hard to do research on airplanes or any critical infrastructure security because it requires you to get access to those systems in a safe environment, so you don’t have to play with them in the air like Chris Roberts said he did.”
Trains are often seen as low tech forms of transport, but the mechanisms used to manage them can be highly technical and increasingly digital. The rail industry has faced few cyber threats in the past, but digitization will bring new threats and a similar pattern of attack other industries have experienced after increasing connectivity.
In the U.K., security fears have been raised over an upgrade to the signalling system. In April Professor David Stupples of the University of London claimed the new digital signals could be manipulated crash trains. Network Rail, the company in charge of the upgrade, said in response to the concerns that it is aware of the increasing cybersecurity threat as improvements are made. The rail operator has pledged to work with external cybersecurity specialists to understand the dangers.
Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, says the first attacks usually come from hackers with no malicious intent who are curious at what they can do. The next step is ‘lone wolves’ out to cause mischief, followed by cyber criminals looking to profit from vulnerabilities. The most dangerous iteration is either a terrorist or state sponsored attack.
In full cyber warfare, Healey says the U.S. would be worried about attacks on its transport infrastructure, especially if there was a conflict with China. “If the U.S. military was forced into the Pacific, China saw what happened with the first Iraq war when you give the U.S. military time to build up. So rather than let that happen, China would try and disrupt the time of mobilization,” says Healey.
Chinese hackers could target the military contractors used to handle the logistics of moving a large number of soldiers overseas, using attacks similar to the LOT Polish Airlines incident, he adds.
Almost every new car has 100 million lines of code built into it, and is connected to the outside world in many different ways. The ever increasing amount of software in cars has not only turned them into computers on wheels, but also made them more vulnerable to cyberattacks.
A report released in February by Senator Ed Markey of Massachusetts found that nearly all the vehicles on the market today included wireless technologies that were vulnerable to hacking or privacy intrusions.
These wireless technologies include anything connected to the internet from inside the car. In January security researchers claimed a dongle device installed in more than 2 million cars by auto insurance company Progressive to monitor driving habits was not secure and easily hacked.
“Because cars are poorly segmented…that compromised insurance dongle can then send a command to shut off the brakes or bleed the brake line, and if it goes to automatic parallel parking it can turn the steering wheel,” says Corman.
And a hacker does not need a faulty insurance dongle to gain access to a car’s main systems. They can get in through an app store or even the Wi-Fi hotspot a lot of new cars offer today, Corman warns.
Change is coming in the U.S. auto industry, albeit slow. Corman’s I Am The Cavalry has published a five point guide on automotive cyber safety, based on the principle that the world’s dependence on software has grown faster than its ability to secure it. He says very few car manufacturers would be able to even partially adhere to the guidelines currently.
Senator Markey, along with Senator Richard Blumenthal of Connecticut, announced plans to introduce legislation that would establish federal standards for auto security. “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century,” said Senator Markey.
“Car manufacturers will be demanded to have real time monitoring and to be able to react in real time to cyber attacks, similar to what is going on in the banking industry for example,” says Yoni Heilbronn, VP of marketing at Argus Cyber Security, an Israeli company focused on auto cyber protection. “This is something that is going to be regulated, I don’t know when, but this is the direction in which things are going.”
Until such regulation is passed, the auto industry is playing a dangerous game of wait-and-see. “In drug trials, before we will let someone ingest a new drug, we want to prove it’s safe. And what we’re doing instead in cybersecurity is we’re assuming it’s safe until there are dead bodies in the morgue,” says Corman.