The US Government Accountability Office (GAO) publishes an eclectic range of documents at a fair clip.
Indeed, the GAO’s website is an impressive source of documents zeroing in on a wide range of public service issues.
In just the past week, for example, we’ve had coverage of: how to deal with the implementation of the Helium Stewardship Act of 2013; the adoption of an incremental approach to Amphibious Combat Vehicle Acquisition; management challenges for the National Nuclear Security Administration; and gender equality, or the lack of it, in STEM research (Science, Technology, Engineering and Mathematics).
But no recent document has caused quite as much media stir as GAO-15-370, boldly entitled Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen.
NextGen, in case you are wondering, means, at least in this context, the Next Generation Air Transportation System, an extended project to update and improve the software, hardware and operational procedures surrounding air travel in the USA.
As a result of this report, published earlier this week, you’ve probably seen headlines all over the web giving prominence to concerns about hackers taking over planes, with various degrees of implied drama.
Wired had an eye-catching but reasonably non-commital headline:
So, what’s the truth?
Could a hacker *really* bring down a plane from a mobile phone in seat 12C?
The answer is, “That’s very, very, unlikely.”
Nevertheless, hats off to the GAO for adopting the computer security principle that we informally refer to as never say never.
The complete document, at 56 pages, is actually much more interesting than you might at first think, and doesn’t actually ask you to imagine planes raining out of the sky thanks to tablet-wielding terrorists in tourist class.
But, as the document points out, the Federal Aviation Administration (FAA) is now ten years into the abovementioned NextGen modernisation programme.
A detailed review of where the FAA has got to, where it is going, and how it ought to get there was requested, and the GAO obliged.
The ten-year timeframe seems particularly pertinent given the recent news that a voting system in Virginia, USA – one that you would have been forgiven for calling comically insecure ten years ago – has only just been reviewed, found wanting and decommissioned.
Ironically, one of the serious insecurities in the Virginia Comedy Voting Machine story was Wi-Fi related: the reliance on Wired Equivalent Privacy (WEP), a cryptographic protocol that seemed OK at first, but was soon found to be fundamentally flawed and automatically crackable in minutes.
Of course, on many modern airliners, passengers don’t need to hack into the Wi-Fi network at all, because it’s offered as a service you’re encouraged to connect to, albeit at the same sort of cost as a month’s worth of bandwidth on the ground.
In short, Wired’s headline pointing out that “in-flight Wi-Fi is a ‘direct link’ to hackers” is unexceptionable; what isn’t so certain is whether in-flight Wi-Fi is also a transitive ‘direct link’ to the control systems of the plane.
If that were so, perhaps hackers really could cause seriously scary situations, like unauthorised barrel rolls, right from their seats?
But with two completely separate networks for in-flight entertainment and for aircraft control, you might reasonably be willing to say “never” after all…
…at least, until you get to Page 23 of the GAO’s report, where you will find this network diagram:
I’m not alarmed – I have no doubt that occasional air travel is significantly safer than my daily rush-hour bicycle commute, which brings a whole new dimension to Warbiking – but that particular diagram did make me alert.
I don’t know about you, but a single blue box labelled “ethernet router” between seat 12C and the pointy end of the plane certainly gives me pause for thought.
When the GAO next produces a Cybersecurity in the NextGen Project report, I’d be a lot happier to see two separate red lines providing network service inside the plane.