Stunt Hacking: The Sad State of Our Security Industry



Mattias Geniar, May 19, 2015


There’s a new term in the security industry: Stunt Hacking. And it isn’t positive.

In case you’ve missed the recent buzz on the internet, there’s been a lot of response to an alleged hack of a plane, in mid-flight, by a security researcher. His goal was to demonstrate software vulnerabilities in the onboard entertainment system.

Obviously, what he did was wrong. There’s no disputing that.

Putting the lives of others at risk, while manipulating a plane in flight, is absolutely wrong.

Yet at the same time, we have to acknowledge that security news nowadays doesn’t get the attention it deserves without this kind of stunt hacking.

Could he have done it differently? Yes.

Should he have done it differently? Absolutely.

Media Manipulation

This stunt got a lot of media coverage, from security professionals distancing themselves from the act to CNN covering it in prime time. People are aware that it happened.

This kind of media manipulation almost seems necessary nowadays. The recent VENOM vulnerability got a well-prepared website, with the details of the vulnerability carefully explained. Someone took the time, while already knowing about the vulnerability, to prepare that site before disclosure.

They did so because they know it’s necessary. Without it, the vulnerability wouldn’t get the attention it deserved. It would be noticed among hackers, but perhaps not by those in charge of patching their infrastructure (1).

Vulnerabilities fly under the radar all the time (pun intended).

OpenSSL CVE-2014-0160? It got a marketing name and a website: Heartbleed. Bash CVE-2014-6271? It got the ShellShock and BashBug labels pinned to it. CVE-2015-1635? The “Windows HTTP Packet Of Death”. Hell, I’m even guilty of it myself, having named a recent Drupal hack “The EngineHack” just to draw attention to it.

Nowadays, security incidents just don’t get noticed without the necessary media buzz, fancy naming and logos. This is a sad trend our industry is moving towards.

Cover-ups

Back to the flying hacker. He’s not talking to the media, as advised by his lawyer. Probably a good idea, too. But that makes it a one-sided story. A story that authorities are now denying ever happened. (2)

Here’s the current state: the security researcher is under attack by the media. The fact that he uncovered major flaws in the entertainment system is no longer the primary focus of attention.

His plan failed. The attempt to get media coverage on the security of planes backfired. That’s a damn shame, because by the sound of it, the subject badly needs more attention.

Software On The Plane

Planes run on software. From autopilots to navigation to entertainment systems, it’s all driven by software. And that software has bugs, like buffer overflows. And bugs cause crashes, sometimes with fatal results. This is what deserves attention.

Like any business, aviation is driven by profit. If there’s a way to make more profit, they’ll go for it. Apparently, that sometimes means taking shortcuts in software. Crucial software. They’re not alone in this, though: medical equipment is far worse.

The aviation industry has strict norms that have to be followed for software in planes.

In a recent Hacker News thread, several developers who work or have worked in the aviation industry commented on this.

All safety critical software (every piece of code run on-board is safety critical at the least) in aerospace needs to pass the DO-178 standard.

alandarev

I worked at an avionics contractor for a number of years and that mirrors my experience as well. On Level A projects, the process was at least followed, but it was often under tight stressful deadlines. Testing was frequently off-shored to save money, but often resulted in low quality tests that had to be reworked at the last minute by in-house engineers.

Jayschwa

This is cause for concern.

I’m in no way approving or endorsing what the security researcher did. It was wrong on every level. He got yelled at by the media and will have his hands full with all the legal action that follows. Good, he deserves that.

But shift the focus back on software security, please. It’s much needed.

(1) Yes, that’s their own fault. But let’s be honest, a lot of system administrators lack the time to keep track of every security flaw all the time.

(2) Paranoid people would take the opportunity to refer to large-scale cover-ups.
