And that's what's so alarming about the Wired article, which describes an FAA document about special conditions in the new 787's wireless functionality. It appears that the networks associated with "flight-safety-related control and navigation" are "connected by electronics and embedded software" to the networks associated with "passenger entertainment, information and Internet services."
Given the issues raised in the Wired article and the associated FAA document, consider this scenario. An innocent user on a plane surfs the Internet using an unpatched laptop machine, inadvertently accessing a website run by an attacker on the ground. The attacker delivers an exploit to the laptop, now controlling that one machine on the plane. The attacker may look at the IP address of the system he or she just compromised, realizing that it has come from an airline, possibly inferring that it is a machine on board a plane. Heck, the attacker might even look through the file system of the victim's machine and see the travel itinerary of the passenger stored in email. The attacker could then use the compromised laptop on the plane to try to pivot and attack the other network on the plane, associated with control and navigation. The attacker may attempt a denial of service attack, or perhaps system compromise of machines on the other network.
Call me old fashioned, but I don't think we should interconnect such things together. Each network should be completely isolated, and ideally each should use different protocols just in case they are accidentally connected together. Although using the same equipment and protocols likely lowers cost and weight, it introduces significant danger, in my opinion. Trying to isolate traffic on networks that are physically connected is difficult, and firewalls aren't perfect. To answer your question directly, I think this is a profoundly bad idea.
This was first published in June 2008