Hacking planes, trains and automobiles
Davey Winder looks at the security threats facing connected transport - and it isn't funny
Planes, trains and automobiles: I never thought the 1987 movie starring John Candy and Steve Martin was funny, and nor do find stories about hacking them amusing.
Recent report suggest connected transport could become a target for hackers, but some of it may well be little more than hype. Here's my look at planes, trains and automobiles - as hacker targets, not a source of comedy - and whether you should be concerned.
While on a flight, a security researcher was reading about new warnings that planes were hackable via their Wi-Fi network - and tried to add to the debate by pointing out flaws on the aircraft he was sitting in.
So he tweeted from the United Airlines aircraft that he could hack into the plane's Wi-Fi network and as a result gain access to the flight's communications systems.
Being a security researcher the chap didn't exploit the vulnerability, instead he published his rather astonished tweet. Guess what happened? Yep, rather than the airline giving the chap a pat on the back for revealing a hole and promising to fix it pronto, the FBI were waiting to question him when the plane landed and confiscated his laptop and other devices.
Now you could say that by not taking a path of responsible disclosure this chap brought it on himself. You could say he should have reported the vulnerability to the airline and let them secure it before going public. However, these kind of vulnerabilities have been well known for many years and there's been precious little effort putting into securing on-board Wi-Fi, so responsible disclosure doesn't seem very effective.
I'd say it was more responsible to disclose publicly and hopefully force the airline into acting than allow it to do nothing. If an organisation ignores reports of security vulnerabilities, I have no problem with researchers forcing their hands with public disclosure.
The actions of the FBI, and the airlines by implication (United Airlines later banned the researcher from flying with them), will just scare people off from reporting vulnerabilities when they find them. And how does that make the skies a safer place to be, exactly?
That said, does any of this mean I won't fly again? Nope, in the overall scheme of things there are other in-flight risks which are more immediate and which still do not deter me as a business user.
The trains threat is a little more complicated, according to Professor David Stupples who told the BBC that the new European Rail Traffic Management System (ERIMS) is potentially a weak point in railway security.
Stupples is concerned that malware could be introduced into the system, either externally or perhaps more likely internally via rogue staff, which could cause trains across Europe to crash.
It's all a bit vague but the threat is real enough when you consider that ERIMS is replacing the railway signals we are all used to with an in-cab computer display instead. Although tests have been underway since 2008, the full ERIMS system is expected to be rolled out and running sometime in the next decade. Which should give plenty of time for weaknesses to be found and closed down, but also plenty of time for the bad guys to find ways around the defences and new malware to exploit the system.
That, of course, is nothing new and is the same fight that every enterprise has when it comes to protecting networks, systems and data. The difference being that when an enterprise system crashes it doesn't, ordinarily, have the potential to cause loss of life.
Personally, I think that the Professor is doing the right thing in highlighting potential dangers to the ERIMS system, but equally I'm aware that the powers that be across Europe are also considering these potential threats and are building in safeguards against them.
My threat meter is not in the red here, not least because such digital in-cab signalling is already being used across Europe and on the underground in the UK and I have not heard of any (successful or otherwise) attempts to circumvent the security of the system with malware attack.
It doesn't mean it's impossible, but it also doesn't mean I'm not taking the train.
When it comes to cars, the security threat is perhaps the most over-hyped, but that doesn't mean it shouldn't be taken seriously. What it does mean is that you should take some of the scare stories that regularly do the media rounds with a pinch of salt.
Most of these seem to centre on an attacker taking over your car and assuming control of the steering or disabling the brakes. While the truth is that computer systems all have the potential to be hacked, including those in increasingly computer reliant cars, you have to ask yourself why would someone do that and how would they do that. I've not heard much noise on the hacker underground about targeting cars, there's just not enough money in it right now.
Cyber-criminals are driven, pardon the pun, by profit and that's the bottom line. If someone were to develop exploitable code for a vulnerability within an in-car system, that could then be sold back to the manufacturer. Call it blackmail or a bug bounty, if it makes money then it could be a route to take.
A hacked car could become the new version of the cut brake pipes scenario, but again this is all speculation right now. Very few drivers, or security industry folk, are taking this particularly seriously right now. That will change when self-driving cars become readily available of course.
When I say very few in the security industry are taking this seriously, that isn't the same as nobody. BT has just launched its Assure Ethical Hacking for Vehicles service designed to test how exposed connected automobiles actually are to cyber-attack and, by so doing, help manufacturers and security vendors develop solutions.
This, I believe, is a positive response to the hype and addresses such things as testing the attack surfaces of a vehicle including Bluetooth, USB, DVD drives as well as links to mobile networks and anything that may introduce malware that could impact upon the computer brains that help power your car. One leftfield example given by BT Global Services was of using a power charging station to infect an electric vehicle with malware.
So there you have it: a not very funny film which was over-hyped at the time and a not very funny threat to our transport mechanisms which is also largely over-hyped.
Unfortunately, the transport threat has the potential to be very scary, unlike the film - aside from the 'that's not a pillow' scene between John Candy and Steve Martin, which is indeed terrifying.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now