Hacking planes, trains and automobiles

A photo of the back of a plane taking off at sunset

Planes, trains and automobiles: I never thought the 1987 movie starring John Candy and Steve Martin was funny, and nor do find stories about hacking them amusing.

Recent report suggest connected transport could become a target for hackers, but some of it may well be little more than hype. Here's my look at planes, trains and automobiles - as hacker targets, not a source of comedy - and whether you should be concerned.

Planes

While on a flight, a security researcher was reading about new warnings that planes were hackable via their Wi-Fi network - and tried to add to the debate by pointing out flaws on the aircraft he was sitting in.

So he tweeted from the United Airlines aircraft that he could hack into the plane's Wi-Fi network and as a result gain access to the flight's communications systems.

Being a security researcher the chap didn't exploit the vulnerability, instead he published his rather astonished tweet. Guess what happened? Yep, rather than the airline giving the chap a pat on the back for revealing a hole and promising to fix it pronto, the FBI were waiting to question him when the plane landed and confiscated his laptop and other devices.

Now you could say that by not taking a path of responsible disclosure this chap brought it on himself. You could say he should have reported the vulnerability to the airline and let them secure it before going public. However, these kind of vulnerabilities have been well known for many years and there's been precious little effort putting into securing on-board Wi-Fi, so responsible disclosure doesn't seem very effective.

I'd say it was more responsible to disclose publicly and hopefully force the airline into acting than allow it to do nothing. If an organisation ignores reports of security vulnerabilities, I have no problem with researchers forcing their hands with public disclosure.

The actions of the FBI, and the airlines by implication (United Airlines later banned the researcher from flying with them), will just scare people off from reporting vulnerabilities when they find them. And how does that make the skies a safer place to be, exactly?

That said, does any of this mean I won't fly again? Nope, in the overall scheme of things there are other in-flight risks which are more immediate and which still do not deter me as a business user.

Trains

The trains threat is a little more complicated, according to Professor David Stupples who told the BBC that the new European Rail Traffic Management System (ERIMS) is potentially a weak point in railway security.

Stupples is concerned that malware could be introduced into the system, either externally or perhaps more likely internally via rogue staff, which could cause trains across Europe to crash.

It's all a bit vague but the threat is real enough when you consider that ERIMS is replacing the railway signals we are all used to with an in-cab computer display instead. Although tests have been underway since 2008, the full ERIMS system is expected to be rolled out and running sometime in the next decade. Which should give plenty of time for weaknesses to be found and closed down, but also plenty of time for the bad guys to find ways around the defences and new malware to exploit the system.

That, of course, is nothing new and is the same fight that every enterprise has when it comes to protecting networks, systems and data. The difference being that when an enterprise system crashes it doesn't, ordinarily, have the potential to cause loss of life.

Personally, I think that the Professor is doing the right thing in highlighting potential dangers to the ERIMS system, but equally I'm aware that the powers that be across Europe are also considering these potential threats and are building in safeguards against them.

My threat meter is not in the red here, not least because such digital in-cab signalling is already being used across Europe and on the underground in the UK and I have not heard of any (successful or otherwise) attempts to circumvent the security of the system with malware attack.

It doesn't mean it's impossible, but it also doesn't mean I'm not taking the train.

Automobiles

When it comes to cars, the security threat is perhaps the most over-hyped, but that doesn't mean it shouldn't be taken seriously. What it does mean is that you should take some of the scare stories that regularly do the media rounds with a pinch of salt.

Most of these seem to centre on an attacker taking over your car and assuming control of the steering or disabling the brakes. While the truth is that computer systems all have the potential to be hacked, including those in increasingly computer reliant cars, you have to ask yourself why would someone do that and how would they do that. I've not heard much noise on the hacker underground about targeting cars, there's just not enough money in it right now.

Cyber-criminals are driven, pardon the pun, by profit and that's the bottom line. If someone were to develop exploitable code for a vulnerability within an in-car system, that could then be sold back to the manufacturer. Call it blackmail or a bug bounty, if it makes money then it could be a route to take.

A hacked car could become the new version of the cut brake pipes scenario, but again this is all speculation right now. Very few drivers, or security industry folk, are taking this particularly seriously right now. That will change when self-driving cars become readily available of course.

When I say very few in the security industry are taking this seriously, that isn't the same as nobody. BT has just launched its Assure Ethical Hacking for Vehicles service designed to test how exposed connected automobiles actually are to cyber-attack and, by so doing, help manufacturers and security vendors develop solutions.

This, I believe, is a positive response to the hype and addresses such things as testing the attack surfaces of a vehicle including Bluetooth, USB, DVD drives as well as links to mobile networks and anything that may introduce malware that could impact upon the computer brains that help power your car. One leftfield example given by BT Global Services was of using a power charging station to infect an electric vehicle with malware.

So there you have it: a not very funny film which was over-hyped at the time and a not very funny threat to our transport mechanisms which is also largely over-hyped.

Unfortunately, the transport threat has the potential to be very scary, unlike the film - aside from the 'that's not a pillow' scene between John Candy and Steve Martin, which is indeed terrifying.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.