As if we didn't have enough with crotchbombs and the TSA, the FAA is now saying that "[passenger networking] may result in security vulnerabilities" exposing flight systems to hackers. But how serious is this danger?
The FAA says that their airworthiness tests "do not contain adequate or appropriate safety standards for these design features." So basically, it seems that there's a grey area for now, leaving the responsibility to the airplane manufacturers. They gave these guidelines to Boeing, but that's about it:
1. Boeing must ensure electronic system security protection for the aircraft control domain and airline information domain from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
2. Boeing must ensure that electronic system security threats from external sources are identified and assessed, and that effective electronic system security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
In theory, the flight systems and passenger networks on the Boeing 747-8 and the ever-delayed Dreamliner are separated. But Vijay Takanti, VP for Security for Exostar (which is partially owned by Boeing, according to Runway Girl Mary Kirby), says that "there is some crossover and [the industry] is trying very hard to make sure the number of crossover points are very limited."
What does Takanti mean by "crossover points"? And why not just keep both networks separated to avoid any potential hacking nightmares? That would fix any potential security breaches, right?
It seems that this may not be the case, which is what the FAA is hinting at in their guidelines: The mere existence of two networks in a plane—one accessible by the passengers—is a security hole in itself. The FAA says that Boeing should find a way to prevent "access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity."
That's the key. While it could be quite difficult to do, tampering with the networking systems inside the plane is a possibility during the maintenance stage. And, if history has taught us anything, any security system can be broken, no matter how well engineered it is. Add to this the fact that planes are now being connected to the internet itself, and you have the potential ingredients for some remote hackers to do something bad.
As they admit themselves, the FAA doesn't have regulations for these inflight networking systems. This makes me a bit nervous. It is not that their regulations or tests could make things hacker-proof—nothing is hacker-proof—but the idea of leaving this responsibility to private companies is not good enough, as demonstrated in recent times.
The only 100% secure option is this: Fly without any kind of passenger networking. But then again, would you live without your newly-acquired habit of viewing YouTube cat videos during flights? Would you sacrifice your inflight mail or your web browsing, like you have already sacrificed your dignity at the security checkpoint? Should we stop running our always-connected lives because of a remote security threat?
Maybe we need to update the True Odds of Airborne Terror Attack chart. Maybe there's nothing to worry about. Do terrorists have the resources to coordinate a sophisticated attack like this, and take control of a plane in any meaningful or dangerous way? Given their crotchbomb plans, probably not. But I don't want to find out, FAA. Let's nail all these issues before they become a real problem. [Runway Girl — Photo by Jeff McNeill]