Interview "Plane Hacker" Chris Roberts has called for countries to pressure manufacturers into improving the lamentable state of transportation security.
Cars are turning into computers on wheels and airplanes have become flying data centres, but this increase in power and connectivity has largely happened without designing in adequate security controls.
Improving transportation security was a major strand of the recent Cyber Week security conference in Israel. A one-day event, Speed of Light, focused on transportation cybersecurity, where Roberts served as master of ceremonies.
El Reg caught up with the larger-than-life Highland Games participant at the conference to get a sitrep on the threats to transportation systems and the response from vendors. Progress is inconsistent and successes in the field are as much the result of countries, such as Israel, actively grappling with the issue as switched-on vendors.
Feds: Bloke 'HACKED PLANE controls' – from his PASSENGER seatREAD MORE
"Israel was here, not just a couple of companies. Israel is going, 'We as a state, we as a country, need to understand [about transportation security]'," Roberts said. "We need to learn."
"In other places it's the companies. GM is great. Ford is good. Some of the Germany companies are good. Fiat-Chrysler Group has got a lot of work to do."
Some industries are more advanced than others at understanding cybersecurity risks, Roberts claimed. For example, awareness in the automobile industry is ahead of that found in aviation.
"Boeing is in denial. Airbus is kind of on the fence. Some of the other industries are better."
El Reg offered all the firms cited by Roberts an opportunity to respond to his comments. We're yet to hear back from any of them.
"The challenge is in the US, the DHS [Department of Homeland Security] is saying [to the industry], 'Hey you've got problems'," Roberts told El Reg. "[Other regulators are] saying you need to listen. They are starting to listen and they are doing some of the work.
"But when you get a country [Israel] that is basically under threat 24/7 – saying that we as a country want to understand the state of security of systems that are transporting our citizens. It's a huge message. It makes a difference."
A country can apply pressure on manufacturers, Roberts said. The question should be how other governments follow the Israeli example.
Roberts said some European authorities are pushing positive cybersecurity improvements; others elsewhere are yet to step up.
Schneier warns of 'perfect storm': Tech is becoming autonomous, and security is garbageREAD MORE
"The port of Rotterdam is starting to take a more active look at shipping as a cybersecurity risk... that will start to push it.
"On the flip side, in the US the Association of American Railroads is saying we can't interfere, all we can do is broker discussions. Regulators are saying, well, we have to take a lead from the railroad association. Regulators need to get involved. C'mon, guys: stop the finger pointing. This is a problem that we all have to solve."
Transportation security threats collectively amount to a "clusterfuck", Roberts said.
DHS and NCCIC (National Cybersecurity and Communications Integration Center) have put out warnings on air security – ground control, satellite control and some other telemetry.
"Cars are better than most, which is scary because there's still a lot of work to be done," Roberts said. "It has obviously been in the media more.
"There's almost nothing you can do [as a user] to improve car security. The only thing you can do is go back to the garage every month for your Microsoft Patch Tuesday – updates from Ford or GM.
"You better come in once a month for your patches because if you don't, the damn thing is not going to work."
What about over-the-air updates? These may not always be reliable, Roberts warned.
"What happens if you're in the middle of a dead spot? Or you're in the middle of a developing country that doesn't have that? What about the Toyotas that get sold to the Middle East or Far East, to countries that don't have 4G or 5G coverage. And what happens when you move around countries?"
The Roberts family owns a mixture of modern and classic cars. Roberts said his awareness of cybersecurity hasn't much influenced his buying decisions but it has affected some of the things that he's done with his cars.
"I put a network sniffer on the big truck to see what it was sharing. Holy crap! The GPS, the telemetry, the tracking. There's a lot of data this thing is sharing.
"If you turn it off you might be voiding warranties or [bypassing] security controls," Roberts said, adding that there was also an issue about who owns the data a car generates. "Is it there to protect me or monitor me?" he mused.
Some insurance firms offer cheaper insurance to careful drivers, based on readings from telemetry devices and sensors. Roberts is dead set against this for privacy reasons. "Insurance can go to hell. For me, getting a 5 per cent discount on my insurance is not worth accepting a tracking device from an insurance company."
Three years ago the FBI questioned Roberts over suspicions he had hacked into the controls of a United Airlines plane midair via the inflight entertainment system. Roberts tweeted about airplane network security during a UA flight to Syracuse, New York, back in April 2015. He was questioned on landing and some of his equipment was temporarily seized.
No charges ever followed the incident, which increased Roberts' profile within the infosec community. Fellow hackers were quick to come to his defence and he has since become a trusted partner and expert consultant to various parties in the aviation industry, even though others seemingly remain reluctant to take his research on board. ®