Could you hack a plane?


In-flight Wi-Fi, one of the little miracles of modern travel, might be leaving the planes themselves vulnerable to hack attacks.

A report published by the Government Accountability Office (GAO) has suggested that Wi-Fi and other internet-reliant services provide a new potential attack vector.

Specifically, the report identifies a problem whereby cockpit controls and the passenger cabin are connected via a shared IP address.

I hasten to add that there are firewalls in place and the report admits that any nightmare hacker plane hijacking is extremely unlikely.

But any chance is pretty worrying considering the speed at which hacking tools and skills evolve and the often very outdated security measures that plague the consumer industry.

What really brings the report into sharp focus is that renowned Infosec researcher Chris Roberts joked about “playing” with a plane’s on-board communication systems during a flight on the very same day the report was released, as reported by Forbes.

 

Glacial pace

 

“The consumer industry often lags behind when it comes to keeping their systems up to date,” Mark James, ESET security specialist, explains.

This is certainly something we’ve seen in the retail sector: a seemingly endless number of POS-based pieces of malware, with various strains of each one.

“A lot of these organisations have offices or access points around the UK (or indeed the world) and it’s often just not a case of just running an update and done.

“As a customer we expect their uptime to be 100%, running updates and patches will cause downtime and possible problems so they tend to fall into the ‘if it ain’t broke, don’t fix it’ scenario.

“Patches will go through a rigorous testing process to ensure they do not break anything during install and ongoing testing to ensure it’s 100% stable, they will be updated but a lot slower than your average home or business PC.

“Cost is a major factor of course, but often availability and reliability will factor higher, the average person will favour ease of security and if their favourite website is down or too few tills are working at the checkout because of failed or incompatible updates then they will vote with their feet.”

 

Will this change?

 

Unfortunately, we usually hear about widespread system updates being reactive rather than pre-emptive: after a large breach, promises are made to improve customer security, rather than preventing the attack in the first place.

We do have to remember, however, that someone still abused a vulnerability. The fault is never entirely with the breached party: if you leave your car unlocked and someone steals it, it is still theft, even though you should lock your doors.

Mark doesn’t think that we are likely to see the kind of change that we expect in the way we expect.

“It won’t change as such, we the consumers are too demanding, what I hope to see is a smoother integrated updating procedure with better quality control.

“At present every single update needs to be tested individually to ensure there are no problems as we the users/admins have no faith that it will be faultless.

“Only the industry can change our perception for update failures, and even then I doubt we will ever completely trust the software update process.”

It’s a real minefield: either you risk downtime to upgrade systems and annoy your user-base/customers or you don’t upgrade and inevitably suffer a breach and annoy your user-base/customers.


Would you trade downtime for data security?