While airlines find increasingly ingenious ways to inconvenience their customers in the name of security, the real threats are now coming from cyberspace.
by Tony Glover, Senior Consultant, Tony Glover Public Relations
This morning, I took a flight from Madrid to London. As the cab swept through the clean and architecturally stunning Spanish capital on the way to the airport, I experienced an unpleasant premonition. Like every air traveller, I would soon be standing in line clutching my laptop, tablet, smartphone and Ebook under one arm and my shoes in the other, with my belt between my teeth.
As the premonition became true, I flicked up my boarding pass QR code on the screen of my smartphone, placed it on the scanner and joined the end of a long and winding queue. By the time I finally reached the first security desk, the young Spanish woman ahead of me was being forced to empty her make-up kit onto the counter– presumably in case she had somehow planned to use its contents to hijack or blow up the airplane. Each tiny container of nail varnish, perfume and moisturizing cream was painstakingly inspected by a stern young security guard before being placed into a clear plastic bag.
The airlines’ overriding desire to ruffle through young women’s make-up bags for liquid containers of over 100ml, less than half a US cupful, dates back to 2006, when British police uncovered a terrorist plot to detonate liquid explosives, carried on board airliners travelling from the United Kingdom to the United States and Canada and disguised as soft drinks. We also remove our shoes, like the faithful entering a mosque, in memory of Richard Reid, the Islamic terrorist who tried to smuggle explosives onto a plane in his shoe but failed to detonate them almost two decades ago in 2001.
It could be worse. In 2009, in Airbus A330 flying from Amsterdam to Detroit, al-Qaeda terrorist Umar Farouk Abdulmutallab unsuccessfully attempted to detonate plastic explosives concealed in his underwear. Given the airlines’ increasing readiness to shine the searchlight of suspicion on their own customers, it is astonishing that we are not all ordered to strip naked while standing in the queue so that our assorted undergarments can also pass under the watchful gaze of the X-ray machine.
But, while we stand, be it clothed or unclothed, patiently in line at airports, real-life threat actors are sitting behind their computer screens planning new ways to exploit the airlines’ genuine and glaring cybersecurity flaws. This is not mere speculation as there is now no doubt that the airlines are ill-prepared for today’s increasingly sophisticated cyber-attacks.
About a year ago, experts working with Homeland Security remotely hacked into a 757 parked at the airport in Atlantic City, New Jersey. Robert Hickey of the Department of Homeland Security said his team used “typical stuff that could get through security” and hacked into the aircraft systems using “radio frequency communications.”
Terrorists now also have the choice of a growing range of subtler attack strategies exploiting new weaknesses constantly appearing in the airlines’ increasingly large digital footprint. According to a recent report from PA Consulting called: “Overcome the Silent Threat”, there is a “hyper-connected model” where passengers in airports who were originally encouraged to adopt fast internet and digital engagement with airlines and retailers have unwittingly spawned “a larger attack surface for cyber criminals to exploit”.
The European Aviation Safety Agency has admitted to 1,000 cyber-attacks each month on aviation systems in 2016, adding up to 120,000 per annum. And every time the airlines increase their digital footprint, their window of vulnerability grows. For instance, allowing people to use their phones to swipe their boarding passes on a scanner relies on the use of QR codes, those confusing-looking postage-stamp sized grey rectangles. As QR codes are built for scanning with a digital device and are indecipherable to the human eye, fake QR codes make ideal entry points through which to insert malicious code into an airline’s IT network.
Security services now privately admit that any determined hacker, located virtually anywhere in the world, can remotely break into and potentially control a poorly secured airline network with potentially lethal and devastating consequences. And terrorists are not the only threat actors lurking in cyberspace. Many organized criminal gangs (OCGs) would think little of hijacking an aircraft to demand a ransom in exchange for its passenger’s lives.
Nation states that would balk at shooting down the civilian aircraft of a rival state could also consider orchestrating cyber-attacks routed through servers in different countries while maintaining a high degree of plausible deniability. There is evidence that the Russians are already trying to do just that. Early last year, Russian hackers are reported to have attempted to penetrate the US civilian aviation industry as part of a broad assault on America’s sensitive infrastructure, although the Aviation Information Sharing and Analysis Center (A-ISAC) declined to reveal details about the breach or which companies were involved.
Perhaps it is time that the airlines stopped treating every single passenger as a potential terrorist and began to direct more of their considerable security budgets into where they are most needed – cyberspace. In particular, the encrypted depths of the Dark Web where hackers, cybercriminals and terrorists are now anonymously planning and orchestrating a new generation of cyber-attacks aimed at the increasingly poorly-defended airlines.
About the Author
Tony Glover is the senior consultant at TGPR. He heads a London-based international public relations consultancy based in London representing cybersecurity companies across several continents. Until becoming a PR consultant three years ago, he was an award-winning journalist specializing in IT and international crime and has been writing about IT security issues since the dawn of the internet. His articles have been published in Time Magazine, the Financial Times, Institutional Investor and many other newspapers and magazines. He has also made numerous TV and radio appearances on networks including the BBC and NBC. His current mission is to help the cybersecurity industry communicate effectively with those organizations that are most in need of its services.
Tony can be reached online at firstname.lastname@example.org