Sunday, January 6, 2008

Not Surprising? Boeing 787 flight controls vulnerable to hacking (FAA)

You don't have to be a computer security expert to see the problem presented in this revelation, reported by Wired. Heck, your average Internet-using consumer can see the flaw in this:
"The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals."

Shot of Boeing 787 via WikipediaLet us all take a moment to digest the staggering clue-less-ness of such a design.

But while this design flaw may come as a shock to consumers who know--from their own home networking and web surfing--that putting actual flight controls for a real airplane on, or anywhere near, the Internet is a really BAD idea, Boeing's decision to do so will not surprise seasoned security professionals. Why? Because we have learned that large organizations have a peculiar way of keeping their collective intelligence from being collective.

Consider the two very nice Boeing people I met in Paris in 2004...

...They were showcasing Boeing's in-flight Connexion Internet service at a conference where I happened to be speaking about data security issues for business travelers. I usually pepper my talks with hacking examples. I think I showed how easy it had been, just a few months earlier, to see the contents of a hard drive belonging to a surgeon, exposed by the in-room Internet service of the five star hotel he was staying at.

One of the Boeing people who had seen my presentation came up and asked a question I had heard before, but not for a while: "Do people really do that sort of thing?" Now I tend to think that one of the reasons I get invited back to conferences is that, unlike some people who are very good at security, I don't respond to such questions with statements like "Lady, where have you been for the last ten years?" Instead, I simply said, "Yes, they do." Her response was to introduce me to someone very high up in the Connexion program and relay to him some of my examples. Based on what I observed during that casual encounter, I decided that there was a good chance Boeing did not, collectively, get the point about mixing passenger Internet access and flight controls.

If you haven't seen this sort of thing in action, namely the collective stupidity of an entity which encompasses some brilliant minds, you might find it hard to believe. But think of some of the dumb things Microsoft has done despite having hired some of the brightest minds. That is not Microsoft being uniquely Microsoft, it is Microsoft being a large organization exhibiting large organization dysfunctionality.

Or consider the brightest and best of the U.S. intelligence agencies. How did they manage to get hit by some of the biggest email virus and worm outbreaks? Because some of their top management insisted--over the objections of their own security staff--on connecting the public Internet, including email services like Hotmail and AOL, to their super secret networks. Like I said, some organizations have a peculiar way of isolating knowledge, particularly when that knowledge is inconvenient.

Find it inconvenient to use two separate systems for yor super secret stuff and your personal email? If your organization is large enough (and your own understanding of the risks is small enough) you can probably persuade yourself and your organization that combining them is not a problem. Ditto for passenger web surfing and flight controls, if combining them saves weight and money, which it doubtless does.

My wife and I had already talked about not flying on the 787 for other reasons (it's being put together from heavily outsourced plastic pieces, assembled out of the originally intended order, under enormous time pressure). Until the ability of a passenger to hack the flight controls via the in-flight Internet is fully negated, we'll probably stick to older planes.

No comments:

Post a Comment