GAO report on cybersecurity in Air Traffic Control is outright scary

The fact that modern aircraft can be controlled from the ground is not widely publicized, but it is known. There was, however, a lot of controversy, including among specialists, about how much of that control could be intercepted by unauthorized third parties. Now the extent of the problem is confirmed officially.

The U.S. Government Accountability Office (GAO), also called the “watchdog of Congress”, usually oversees how the federal government spends public funds. However, the 56-page report “Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen” (GAO-15-370, copy), published on April 14, 2015, tells a very interesting but scary story. For a document that is not classified as “secret”, in any case.

Apparently, the computers on board contemporary aircraft could be susceptible to break-in and takeover through the on-board WiFi network or even from the ground. The computer systems that control the airplane communicate with each other and with systems on the ground using IP networking, and they connect through the same networks that are used on board for passenger entertainment. This opens the aircraft control networks to a wide range of security threats.

The report states: “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.”

The “solution” entertained by the FAA is to set up a firewall separating the operations network from the “visitors” network. We all know this is not going to help; we passed that point long ago. General-purpose IP firewalling does not match the sophistication of today’s threats. The GAO report says as much: “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.” Which means that access to the cockpit systems could be obtained from the same network used by the passengers, or even from a remote location outside the aircraft.

These networked systems are present in all modern airliners, including the Boeing 787, Airbus A350 and Airbus A380. Currently, FAA certification of an aircraft does not include any cybersecurity assessment, so the security of the airplane systems is left to the discretion of the manufacturer. Until now, other safety measures generally prevented malicious actors from doing harm to the airplane, but the new threats that arise from networking and software-driven operation are not taken into account.

According to CNN, the government investigators who wrote the report concluded that it would be possible for someone equipped with only a laptop to:

  • Commandeer the aircraft
  • Put a virus into flight control computers
  • Jeopardize the safety of the flight by taking control of computers
  • Take over the warning systems or even navigation systems

Basically, it is as bad as it gets. The flight systems are not protected: they are legacy designs from the pre-networked age, developed by the same people who developed the previous generations of systems. The only protection is the firewall that separates the cockpit from the rest of the world, and that is small consolation.

They should put a sign at the airport: “Fly at your own risk”.

It is also really strange that this information is published at all. The Federal Aviation Administration is a governmental body of the USA, and the United States, at least officially, is in a state of so-called “war on terror”. At such a time, when an investigative authority finds a way for terrorists to execute attacks, such information is, I would assume, immediately classified and the problem is solved quietly between the government and the company.

But at the moment this looks as if the US government is strongly suggesting to terrorists: “why expose yourself to unnecessary risks trying to smuggle explosives on board, when there is a proven method to achieve the same result by connecting to the airplane control system with a laptop?”

Typically, in such cases, even the noble task of warning the public about the dangers is not considered. What should the audience do with this, anyway? Panic and run to the ticket office to cancel all reserved flights? Stage a mutiny on board, demanding an immediate emergency landing? Or just remember that from this point on, using air transport is at your own risk?

Unfortunately, it feels more as if the US has planned to stage a series of new terrorist attacks against international air traffic, to be attributed to whoever finds this information useful.

Anyway, the illusion of safety in international air traffic is now officially dispelled. Fly at your own risk. Oh, and you are still not allowed to carry that bottle of mineral water on board.

Sony 2014 network breach, the most interesting question remains unanswered

The November 2014 security breach at Sony Corporation remained the subject of conversation through the end of the year. Many interesting details have become known, while even more remain hidden. Most claims and discussions only serve to create noise and diversion, though.

Take the recent discussion of antivirus software, for example. Sony Corporation does use antivirus software internally; it is Norton, Trend Micro or McAfee depending on the model and country (Sony uses its own Vaio machines internally). So I would not put much stock in claims by any competitor in the antivirus market that their software would have stopped the attackers. And it is irrelevant anyway. The breach was so widespread and the attackers had such total control that no single tool would have been enough.

The most interesting question remains unanswered, though. Why did the attackers decide to reveal themselves? They were in Sony’s networks for a long time and extracted terabytes of information. What made them go for a wipeout and publicity?

Was publicity a part of a planned operation? Were the attackers detected? Were they accidentally locked out of some systems?

What happened is an important question because in the first case the publicity is part of the attack and the whole thing is much bigger than a network break-in. In the latter cases Sony is lucky, and it was then indeed “just” a security problem and an opportunistic break-in.

Any security specialist should be interested in that bigger picture. Sony should be the most interested of all, of course; for them, it is a matter of survival. Given their miserable track record in security, I doubt they are able to answer this question internally, though. So it is up to the security community, whether represented by specialist companies or by researchers online, to answer this most important question. If they can.


Facebook “joins” Tor – good-bye, privacy!

Multiple publications are touting Facebook’s announcement of a Tor-accessible version of the social networking website as nothing short of a breakthrough for anonymous access from “repressed nations”. They think that people around the world who wish their identity and online activity to remain hidden will now have a great time using Facebook through Tor.

In my view, the result is just the opposite. Facebook users sign in and are tracked across a multitude of collaborating sites. Using Facebook through Tor will completely disclose the identity and the activity of the person using it: Tor hides where the connection comes from, but the moment the user logs in, the whole session is tied to the account, and this information becomes available across several user-tracking websites. The user completely loses the anonymity they so strongly desired.

Lightbeam for Firefox shows how the user is tracked through different websites and tracking networks, and how these share information with each other.

Facebook previously denied access to its social network through Tor, citing security concerns. Surely you do not think they decided to provide Tor access because they wanted to be nice to the few who use Tor? Facebook is a commercial company under the control of the United States government, and don’t you forget it. Bringing in a few thousand Tor users is unlikely to have any positive impact on their business but requires additional infrastructure. So, on the face of it, Facebook is acting selflessly and causing itself trouble for no commercial gain. I view such a move as extremely suspicious. Most likely, the company’s network will be used in online operations to unmask the identity of Tor users.

Of course, the proper way to keep your privacy online is never to use social networks of any kind and to discard every browsing session after a short period and whenever you switch activities. Searching for movie tickets? Use a session and discard it when done. Looking up the hospital’s admission hours? Discard when done. Otherwise the network of tracking sites will connect the dots on you. If you use Facebook in the same session, your identity is revealed instantly and all of that activity is linked to the real you.

We have released too much of our privacy to the Internet companies already. They are now slowly dismantling the last bastions, one of which is the Tor network, under the pretense of fighting online crime. Facebook, with its history of abusing its customers, should not be trusted on these matters. Their interest is not in protecting your privacy; they will betray you for money, rest assured.

Strategy towards more IT security: the road paved with misconceptions

The strategy towards more IT security in the “Internet of Things” is based a little more than entirely on misconceptions and ignorance. The policy makers simply reinforce each other’s “ideas” without any awareness of where the road they follow is leading.

As I listened in at the K-ITS 2014 conference, it became painfully obvious that most speakers should not be speaking at all. They should be listening. The conference was supposed to discuss strategies towards more IT security in a future industry where both factories and cars are connected to the Internet. That future isn’t bright, far from it. We are fighting battles on the Internet for web servers, personal computers and mobile phones now. We will be fighting battles for refrigerators, nuclear power plants and medical implants in the near future. We definitely need better ideas for those battle plans. Instead, we hear, if anything, ideas for improving the attitudes of buyers, i.e. “how can we convince customers that our security is okay and that they should pay more?”

Here I detail five misconceptions that were obvious and widespread at the conference. Even security management at the top level shares them, though they should know better. And the worst part is, they all seem to believe that it will be all right if they throw some important-sounding names and acronyms at it.


Divide security into “levels”

A prominent theme is the division of the industrial landscape into various “areas” with differing security requirements. There is nothing wrong with the concept itself, of course, except that it is applied in a context where it will do more harm than good.

The policy makers seem to think that they can divide the industry into ‘critical infrastructure’, ‘things that need security’ and ‘things that do not need security’. Right, for the sake of argument, assume we can. Then what? Then, they say, we will invest in security where it matters most. On the surface, that looks like a sound plan.

The problems start when you try to apply this concept to software development. How do we distinguish between software written for ‘secure’ and for ‘insecure’ applications? How do we make the authors of libraries and tools write their software to the highest standards to satisfy the ‘most secure’ part of the industry? What about the operating systems they use? What about people who wander from one company to another, bringing with them not only expertise but also mistakes and security holes?

Once you start thinking about this approach in practical terms, it quickly becomes untenable.

The only way to improve the security of any software is to improve the security level of the whole software industry. Software not written specifically for a high-security environment will end up there whether we want it or not. So will developers who are neither skilled nor trained in writing secure software. It is unavoidable.

But that is only one side of the problem. Why have the division in the first place? Yes, critical infrastructure is critical, but that stupid mirror with a network interface will also end up in a secure facility, and how do we know what the next attack path will look like? Non-critical infrastructure will be used to attack critical infrastructure; isn’t it obvious? All infrastructure and all consumer devices need protection if we want a secure Internet of Things.

Software for all purposes is written everywhere by the same underpaid people who never had a proper security education. The general tendency for software quality and security is, unfortunately, to get worse. As it gets worse everywhere, it of course gets worse for critical infrastructure as well as for consumer electronics.

Investment should go into the state of software in general, not into the state of some particular software. Otherwise it won’t work.

Security should not prevent innovation

Says who? Not that I am against innovation, but security must sometimes prevent certain innovations, like tweaking cryptographic algorithms in ways that would break their security. There is such a thing as bad or ill-conceived innovation from the point of view of security (and, actually, from every other point of view, too). Wait, it gets worse.

‘Innovation’ has become the cornerstone of the industry, the false god that receives all our prayers. There is nothing wrong with innovation per se, but it must not take over the industry. Innovation is there to serve us, not the other way around. We have taken it too far; we pray to innovation in places where it does not matter or is even harmful. Innovation by itself, without a purpose, is useless.

We know that this single-minded focus will result in security being ignored time and again. There is too much emphasis on short-term success and quick development, resulting not only in low security but in low quality overall.

Finding ways of doing things properly is the real innovation. Compare civil engineering: building houses, bridges, nuclear power stations. What would happen if the construction industry were bent on innovation and innovation only, on delivering constructions now, without any regard for proper planning and execution? Well, examples are easy to find and the results are disastrous.

What makes the big difference? We notice a bridge collapsing or a building falling down; we do not need to be experts in construction for that. Unfortunately, collapsing applications on the Internet are not that obvious. But they are there. We really need to slow down and finally put things in order. Or do we wait for things to collapse first?

Convince the customer

We are bent on convincing the customer that things are secure. Not making things secure, but convincing everyone around that we are fine: smoke and mirrors, that is. Instead of actually making things better, we announce that pretending things are better will somehow make them better. And we try, and succeed, to convince ourselves that this is somehow okay.

Well, it is not okay. We all understand the desire of commercial companies to avoid security publicity. We also know that eventually people catch up anyway. There is such a rush to convince everyone and their grandma that things are going to be better precisely because people will soon catch up on this foul play.

The market will shrink if people think there are security problems, but the market will crash when people find out they were lied to and your words are not worth the electrons that carry them across the Internet. Deceiving ourselves will lead to a disaster, and we have no way of controlling that. This is simply a fast track to security by obscurity.

Secure components mean secure systems

There is a commonly shared misconception that using secure components will somehow automatically lead to secure systems. When confronted with this directly, people usually quickly realise their folly and will fervently deny such thinking, but it is sufficient to listen to a presentation to realise that this is exactly the assumption behind many plans.

Secure components are never secure unconditionally. They are what we call conditionally secure: they are secure as long as a certain set of assumptions remains valid. Once an assumption is broken or not met, the component is no longer secure. Who checks for those assumptions? Who verifies whether the developers upheld all the assumptions that the developers of the underlying components specified? Who checks what assumptions remained undocumented?

When we combine the components we create a new problem, the problem of composition. This is not an easy problem at all. By putting two secure components together, you do not automatically obtain a secure system. It may well be secure. Or it may not.

This problem of secure composition is well known to the developers and auditors of smart cards. And they do not claim to have a solution. And here we are, developers of systems orders of magnitude more complex, dismissing the problem from our minds as if it were not even worth our consideration. That is folly.
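As an added illustration (this is not code from the original post or from any product it mentions), the following Python shows the composition problem in miniature. Component A is a path check that is sound under a documented assumption, namely that its input is already percent-decoded. Component B is a plain URL decoder, also correct on its own. Wired in one order the system lets a traversal through; wired in the other it does not. The document root, the function names and the sample request paths are constructed for the example.

```python
"""Composition problem: two components, each correct under its own
assumption, wired together in two different orders.

Added example, not from the original post. DOCROOT, the function names and
the sample request paths are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/files"  # constructed document root for the example


def safe_join(relative: str) -> str:
    """Component A: map a client-supplied relative name under DOCROOT.

    Documented assumption: `relative` is already fully decoded. Under that
    assumption the check is sound: absolute paths, NUL bytes and any '..'
    segment are rejected, so the result cannot leave DOCROOT.
    """
    if relative.startswith("/") or "\x00" in relative:
        raise ValueError(f"unsafe name {relative!r}")
    if ".." in relative.split("/"):
        raise ValueError(f"unsafe name {relative!r}")
    return posixpath.join(DOCROOT, relative)


def decode_url_path(url_path: str) -> str:
    """Component B: percent-decode the path of an HTTP request.

    Also correct on its own. It makes no security claims and leaves the
    authorisation of the decoded name to whoever calls it.
    """
    return unquote(url_path)


def serve_check_then_decode(url_path: str) -> str:
    """Wiring 1: A, then B. Component A never sees the decoded name, so its
    assumption is silently violated: '%2e%2e' passes the '..' check and
    only turns into '..' afterwards."""
    return posixpath.normpath(decode_url_path(safe_join(url_path)))


def serve_decode_then_check(url_path: str) -> str:
    """Wiring 2: B, then A. The assumption A relies on is now satisfied by
    construction, because A is handed the fully decoded name."""
    return posixpath.normpath(safe_join(decode_url_path(url_path)))


def escapes_docroot(path: str) -> bool:
    """The system-level property the two components were supposed to
    guarantee together. Checking the composed result is the only way to
    know whether the assumptions actually held."""
    return posixpath.commonpath([DOCROOT, path]) != DOCROOT


def outcome(wiring, url_path: str) -> str:
    """Run one wiring and report either the resolved path or the rejection."""
    try:
        return wiring(url_path)
    except ValueError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one traversal attempt.
    legit = "reports/2014%20Q4.pdf"
    attack = "%2e%2e/%2e%2e/etc/passwd"
    for name, wiring in (("check-then-decode", serve_check_then_decode),
                         ("decode-then-check", serve_decode_then_check)):
        for req in (legit, attack):
            result = outcome(wiring, req)
            escaped = (not result.startswith("rejected")
                       and escapes_docroot(result))
            flag = "  <-- escaped DOCROOT" if escaped else ""
            print(f"{name:18} {req:26} -> {result}{flag}")
```

Both components pass their own review; the defect lives only in the wiring, which is exactly what the smart-card people mean by composition. Note that the assumption has to hold at exactly one layer: feed wiring 2 a double-encoded `%252e%252e` and it safely resolves to a file literally named `%2e%2e`, but if any later layer decodes the name once more, the same failure is back.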

We need those things on the internet

Who said that factories need to be on the Internet? Who said that every single small piece of electronics or every electric device really needs to be on the Internet? Why do we think that having all of those things “talk” to each other would suddenly make us all happy?

The industry and the governments do not want to deal with any of the real problems plaguing societies the world over. Instead, they want to produce more and more useless stuff that makes them appear to be doing something useful. They will earn lots of money and waste a lot more resources in the process. Should they be worried?

Take “smart cars”, for example: cars that communicate with each other over some wireless protocol to report accidents, road conditions and traffic jams. Think about it. A car cannot communicate very far. On a highway, by the time you get news of a traffic jam from neighbouring cars, you will be standing in it. In the city, this information will be equally useless, because you will see the traffic jam and do what you always did: turn around and look for another street around the block. What about accidents? Again, that information is not much use to you in the city, where you basically do not need it. They say cars will inform each other of accidents, but this information cannot be transmitted very far. By the time your car has information about an accident on the highway ahead, displays it and you read it, you will be staring at it. The civil engineers are not that stupid, you know. They build highways so that you have enough time to see what is around the corner and react. Extra information would only distract the driver there. So this whole idea is completely useless from the point of view of driving, but it will require enormous resources and some genius security solutions to artificially created problems.

And all of it is like that. We do not need an “Internet of Things” in the first place. We should restrict what gets on the Internet, not encourage the uncontrolled proliferation of devices arbitrarily connected to the network simply to show off. Yes, we can. But should we?