Breaking News

Could your plane be hacked?

By Bruce Schneier

Updated 1358 GMT (2158 HKT) April 16, 2015

Chat with us in Facebook Messenger. Find out what's happening in the world as it unfolds.

The rise of social media and mobile devices mean businesses are more vulnerable to hacking. In a bid to keep information secure, a new wave of body-centric devices are replacing passwords. The Nymi, pictured, authenticates identity by measuring your heartbeat.
Photos: How your body will be your password
Use your pulse as your password? The rise of social media and mobile devices mean businesses are more vulnerable to hacking. In a bid to keep information secure, a new wave of body-centric devices are replacing passwords. The Nymi, pictured, authenticates identity by measuring your heartbeat.
Hide Caption
1 of 10
Created by biomentrics technology company Bionym, The Nymi has a built-in sensor that detects the unique electrical pulse produced by your heartbeat. "By using this type of technology, we can establish a very high level of trust because it's so closely tied to the body," says Kevin Martin, CEO and founder of Bionym.
Photos: How your body will be your password
The NymiCreated by biomentrics technology company Bionym, The Nymi has a built-in sensor that detects the unique electrical pulse produced by your heartbeat. "By using this type of technology, we can establish a very high level of trust because it's so closely tied to the body," says Kevin Martin, CEO and founder of Bionym.
Hide Caption
2 of 10
Unveiled in 2014 by eyeLock -- an iris-based identity technology company -- Myris is a palm-size device that scans the unique features of your eye.
Photos: How your body will be your password
MyrisUnveiled in 2014 by eyeLock -- an iris-based identity technology company -- Myris is a palm-size device that scans the unique features of your eye.
Hide Caption
3 of 10
Fitted with a small mirror and camera, the Myris is able to scan the unique colors and vein patterns in your iris. Storing this information within its hardware, the Myris is able to identify its user accurately. EyeLock even claims that the device cannot be fooled by a video or photograph of your eye.
Photos: How your body will be your password
MyrisFitted with a small mirror and camera, the Myris is able to scan the unique colors and vein patterns in your iris. Storing this information within its hardware, the Myris is able to identify its user accurately. EyeLock even claims that the device cannot be fooled by a video or photograph of your eye.
Hide Caption
4 of 10
Using palm vein recognition, Quixter identifies users by scanning vein patterns with an infrared light. Quixter only works when blood is flowing through the veins, so there's no need to worry about someone cutting your hand off.
Photos: How your body will be your password
QuixterUsing palm vein recognition, Quixter identifies users by scanning vein patterns with an infrared light. Quixter only works when blood is flowing through the veins, so there's no need to worry about someone cutting your hand off.
Hide Caption
5 of 10
An identity and access management platform for the "post-password era," LaunchKey is part of a wave of mobile-based authentication apps that do away with passwords -- most of which are tied to personal information.
Photos: How your body will be your password
LaunchKeyAn identity and access management platform for the "post-password era," LaunchKey is part of a wave of mobile-based authentication apps that do away with passwords -- most of which are tied to personal information.
Hide Caption
6 of 10
The launchKey app allows for password-free login capabilities on your mobile phone, allowing users to access websites and applications by simply swiping the mobile phone interface. Security is provided by the simple fact that the mobile phone is in your possession -- a key deterrent for hackers.
Photos: How your body will be your password
LaunchKeyThe launchKey app allows for password-free login capabilities on your mobile phone, allowing users to access websites and applications by simply swiping the mobile phone interface. Security is provided by the simple fact that the mobile phone is in your possession -- a key deterrent for hackers.
Hide Caption
7 of 10
In light of these more secure developments, it looks as though fingerprint identification will be a thing of the past. Seeing as our fingerprints are left on a variety of surfaces on a day-to-day basis, iris scanners and heartbeat monitors could be a promising alternative.
Photos: How your body will be your password
Adios to fingerprints? In light of these more secure developments, it looks as though fingerprint identification will be a thing of the past. Seeing as our fingerprints are left on a variety of surfaces on a day-to-day basis, iris scanners and heartbeat monitors could be a promising alternative.
Hide Caption
8 of 10
While identity authentication is becoming more secure, many companies are looking to streamline transactions. Barclaycard's bPay wristband does away with PIN numbers and credit cards, allowing wearers to make contactless payments for items under £20 ($30).
Photos: How your body will be your password
Barclaycard bPay While identity authentication is becoming more secure, many companies are looking to streamline transactions. Barclaycard's bPay wristband does away with PIN numbers and credit cards, allowing wearers to make contactless payments for items under £20 ($30).
Hide Caption
9 of 10
Does your phone double up as a travel card? Digital communications company EE announced in 2014 that customers can use their mobile devices to travel on London bus routes.
Photos: How your body will be your password
EE Cash on TapDoes your phone double up as a travel card? Digital communications company EE announced in 2014 that customers can use their mobile devices to travel on London bus routes.
Hide Caption
10 of 10
cyber security bionym cyber security bionym 2eyelock cybersecurity eyelock cybersecurity 1new payment technologies quixterlaunchkey cyber security carcyber security launchkeyiphone fingerprintbpay cybersecurity 2new payment methods ee cash on tap

Story highlights

  • Bruce Schneier says plane being hacked is not his biggest concern
  • As computers key to infrastructure become connected, vulnerability to cyberattack grows, he says
  • Schneier: We have to build security into everything that is going to be connected to Internet

Bruce Schneier is a security technologist and author. He is the chief technology officer of Resilient Systems, and his latest book is "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World." He blogs at schneier.com and tweets @schneierblog. The views expressed are his own.

(CNN)Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some "Die Hard" reboot, but it's actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes.

It's certainly possible, but in the scheme of Internet risks I worry about, it's not very high. I'm more worried about the more pedestrian attacks against more common Internet-connected devices. I'm more worried, for example, about a multination cyber arms race that stockpiles capabilities such as this, and prioritizes attack over defense in an effort to gain relative advantage. I worry about the democratization of cyberattack techniques, and who might have the capabilities currently reserved for nation-states. And I worry about a future a decade from now if these problems aren't addressed.
    Bruce Schneier
    Bruce Schneier
    First, the airplanes. The problem the GAO identifies is one computer security experts have talked about for years. Newer planes such as the Boeing 787 Dreamliner and the Airbus A350 and A380 have a single network that is used both by pilots to fly the plane and passengers for their Wi-Fi connections. The risk is that a hacker sitting in the back of the plane, or even one on the ground, could use the Wi-Fi connection to hack into the avionics and then remotely fly the plane.
    The report doesn't explain how someone could do this, and there are currently no known vulnerabilities that a hacker could exploit. But all systems are vulnerable -- we simply don't have the engineering expertise to design and build perfectly secure computers and networks -- so of course we believe this kind of attack is theoretically possible.
    Previous planes had separate networks, which is much more secure.
    Read More
    As terrifying as this movie-plot threat is -- and it has been the plot of several recent works of fiction -- this is just one example of an increasingly critical problem: As the computers already critical to running our infrastructure become connected, our vulnerability to cyberattack grows. We've already seen vulnerabilities in baby monitors, cars, medical equipment and all sorts of other Internet-connected devices. In February, Toyota recalled 1.9 million Prius cars because of a software vulnerability. Expect similar vulnerabilities in our smart thermostats, smart light bulbs and everything else connected to the smart power grid. The Internet of Things will bring computers into every aspect of our life and society. Those computers will be on the network and will be vulnerable to attack.
    And because they'll all be networked together, a vulnerability in one device will affect the security of everything else. Right now, a vulnerability in your home router can compromise the security of your entire home network. A vulnerability in your Internet-enabled refrigerator can reportedly be used as a launching pad for further attacks.
    Future attacks will be exactly like what's happening on the Internet today with your computer and smartphones, only they will be with everything. It's all one network, and it's all critical infrastructure.
    Some of these attacks will require sufficient budget and organization to limit them to nation-state aggressors. But that's hardly comforting. North Korea is last year believed to have launched a massive cyberattack against Sony Pictures. Last month, China used a cyberweapon called the "Great Cannon" against the website GitHub. In 2010, the U.S. and Israeli governments launched a sophisticated cyberweapon called Stuxnet against the Iranian Natanz nuclear power plant; it used a series of vulnerabilities to cripple centrifuges critical for separating nuclear material. In fact, the United States has done more to weaponize the Internet than any other country.
    Governments only have a fleeting advantage over everyone else, though. Today's top-secret National Security Agency programs become tomorrow's Ph.D. theses and the next day's hacker's tools. So while remotely hacking the 787 Dreamliner's avionics might be well beyond the capabilities of anyone except Boeing engineers today, that's not going to be true forever.
    What this all means is that we have to start thinking about the security of the Internet of Things -- whether the issue in question is today's airplanes or tomorrow's smart clothing. We can't repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up. We have to build security into everything that is going to be connected to the Internet.
    This is going to require both significant research and major commitments by companies. It's also going to require legislation mandating certain levels of security on devices connecting to the Internet, and at network providers that make the Internet work. This isn't something the market can solve on its own, because there are just too many incentives to ignore security and hope that someone else will solve it.
    As a nation, we need to prioritize defense over offense. Right now, the NSA and U.S. Cyber Command have a strong interest in keeping the Internet insecure so they can better eavesdrop on and attack our enemies. But this prioritization cuts both ways: We can't leave others' networks vulnerable without also leaving our own vulnerable. And as one of the most networked countries on the planet, we are highly vulnerable to attack. It would be better to focus the NSA's mission on defense and harden our infrastructure against attack.
    Remember the GAO's nightmare scenario: A hacker on the ground exploits a vulnerability in the airplane's Wi-Fi system to gain access to the airplane's network. Then he exploits a vulnerability in the firewall that separates the passengers' network from the avionics to gain access to the flight controls. Then he uses other vulnerabilities both to lock the pilots out of the cockpit controls and take control of the plane himself.
    It's a scenario made possible by insecure computers and insecure networks. And while it might take a government-led secret project on the order of Stuxnet to pull it off today, that won't always be true.
    Of course, this particular movie-plot threat might never become a real one. But it is almost certain that some equally unlikely scenario will. I just hope we have enough security expertise to deal with whatever it ends up being.
    Read CNNOpinion's new Flipboard magazine.
      Follow us on Twitter @CNNOpinion.
      Join us on Facebook.com/CNNOpinion.