Quote:
Originally Posted by BigJimCalhoun
I am going from memory here, but am pretty sure I am recounting the story from last September correctly. I went to a computer security presentation by an individual whose is hired to hack systems. In a controlled lab with the flight sim stuff, he was able to connect in through the entertainment system and deploy the plane flaps at 30,000 feet and make the plane dive. This was because the networking protocol (the plane's version of TCP-IP) was shared between systems.
As part of the project, he researched all the pieces of the system via patent applications, online resumes of people, press releases, etc. He was also able to spoof some sort of air traffic system to make fake plane transponders appear. This would ( in the lab), cause the target plane to readjust course.
It was a pretty interesting talk. I tried to hire him to work on our systems but my company was not interested. I can get his name and company to anyone who PMs me.
|
http://blogs.computerworld.com/cyber...rities-flights
As far as I know, the infotainment systems and fly by wire systems are generally isolated, but that may not always be the case.
The bigger issue is that many of these systems fail at 2 of the 3 security principals in the CIA triad(Confidentiality, Integrity and Availability), namely confidentiality and integrity. While there may be redundancy built in, there is generally no mechanism(or whatever mechanisms there are, fail) to verify the information that is received. Basically, "no one would ever <insert favorite attack on ATC or fly by wire here>" becomes "wanna bet?". It's less security by obscurity and more relying on the consequences and penalties levied on the perpetrator to prevent such an attack, which is, well, an exercise in futility.
ETA: Hence the public "shaming" of software/hardware vendors. Unfortunately, with each technological iteration(take IPv6 for example), we repeat the same mistakes, especially on the security side.
My .02