From Fox News.
The risk of exposing risk is on the minds of top cybersecurity experts gathered for major conferences here, just days after one of their leading brethren was pulled off a plane by the FBI, banned by an airline and grilled for four hours after warning that passenger planes are vulnerable to hackers.
Several international tech security experts attending the annual, week-long RSA Conference 2015 said what happened last week to Chris Roberts of the Colorado-based One World Labs is not unusual given the “shoot-the-messenger” mentality they claim dominates law enforcement and some segments of industry. Roberts, who in March told FoxNews.com that commercial and military planes are vulnerable to hackers, was pulled from a United flight in Syracuse, N.Y. after tweeting, “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”
Roberts, who has been a cyber-security consultant to the FBI, said it was out of frustration at his and others’ warnings going unheeded, but authorities took the digital missive seriously. The Electronic Frontier Foundation, a nonprofit legal organization defending Roberts and others who say they have been harassed for sounding the alarm, said United’s actions will cause a real chilling effect, and that researchers will be less likely to help United improve their security in the future.
“Security researchers are allies, not opponents, and their work makes us all more safe, not less,” said Nate Cardozo, staff attorney for the organization, who also is attending the RSA Conference, focused on Internet security and now in its 25th year. RSA is the security arm of the Massachusetts-based computer technology firm EMC.
Roberts and Cardozo said many other researchers on the cutting edge have been hassled for their research. The Electronic Frontier Foundation has long been concerned that knee-jerk responses to legitimate researchers pointing out security flaws can create a chilling effect in the infosec community, Cardozo said.
One example of researchers’ activities drawing the attention of the authorities came in Boston in the summer of 2008, when a group of MIT students was scheduled to give a presentation at a security conference in Las Vegas regarding a vulnerability in the MBTA’s fare card system.
“The MBTA wildly overreacted to the students’ proposed presentation, and obtained an 11th hour injunction from a federal court in Boston, preventing them from going on stage,” Cardozo said. “Electronic Frontier Foundation represented the students, and 10 days later we convinced the judge to reverse the earlier gag, as it was blatantly unconstitutional.”
In the summer of 2013, the UK’s High Court banned security researchers from publishing an academic paper detailing a critical flaw in Volkswagen’s keyless entry system that can allow a bad actor to crack any wireless key.
“Instead of working with the researchers to fix the problem, Volkswagen chose to bury its head in the sand and pretend that banning academic discussion of the flaw would somehow prevent thieves from learning of it and exploiting it,” Cardozo said. “Because of Volkswagen’s refusal to engage with the security researcher community, their cars may still be vulnerable to the attack and their customers are less secure.”
The organization would like to see companies recognize that researchers who identify problems with their products in order to have them fixed are their allies, Cardozo said.
“It would avoid a whole lot of trouble for researchers and make us all more secure,” he added.
As for Roberts, Cardozo said he had offered to work with United and the rest of the airline industry, as he has in the past, to improve their security.
“United should take this opportunity to improve the security of their systems, rather than punish those who have tried to work to make us safer,” Cardozo said.
A United official said Roberts is not welcome on the company’s planes.
If United wasn’t such a bunch of bureaucratic morons, they’d hire the guy.
Besides Roberts’ findings and those of another security expert quoted in an exclusive FoxNews.com report, the federal General Accounting Office also published a report earlier this month on cyberhacking of planes, which said that the same Internet access now available on most commercial flights makes it possible for hackers to bring down a plane.
“According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” the GAO report states.
Ruben Santamarta, principal security consultant for IOActive, told FoxNews.com he also discovered a “back door” that allowed him to gain privileged access to the Satellite Data Unit, the most important piece of SATCOM equipment on aircraft.
If Santamarta can figure that out, so can the enemy.
Cyber experts like Roberts can be valuable assets to military and industrial facilities; they can identify vulnerabilities in hardware and software that threaten security. Instead of admitting their systems have gaps that can be penetrated by hostile entities (China, North Korea, Islamofascist countries, anyone?), they choose to circle the wagons out of embarrassment and lash out at these experts for exposing the risks. If there’s ever a massive cyber attack on America, you can thank idiots like United and MBTA.