How cyber (in)secure is civil aviation?


If you have a spare 15 minutes it is worth looking at the Israel Aerospace Industries (IAI) video presentation on the state of cyber within the civil aerospace industry. It is not all bad but there is a real need to step up investment to guard against ever more sophisticated attacks. Cyber used effectively can thwart attackers but so many systems within airports are connected – passenger data, baggage handling, airport security. Air Traffic Control (ATC) can be hacked with ghost planes by spoofing messages and pretending the hacker is airborne.

IATA predicts that the number of passengers travelling by plane is set to double by 2035. In the IATA 2017 Annual Report it notes,

In 2016 some 3.8 billion passengers safely took to the air and some 54.9 million tonnes of goods were delivered as air cargo… There was one major accident for every 2.56 million flights using jet aircraft in 2016. While this was a slight step back on the five-year average (one accident for every 2.77 million flights), flying remains the safest form of long-distance travel…Aviation’s importance goes far beyond the 63 million jobs and $2.7 trillion in economic activity that it supports. 

There is no question the quality and advancement of hardware technologies in aerospace has been a large factor in improving safety. Whether the use of carbon fibre composites in fuselages and wings or the growth in ceramic matrix composites in engines to allow higher temps in the engine to raise fuel economy and reduce emissions. If we think that getting drugs approved by the FDA is hard, getting hardware approved by the FAA is even more difficult. A drug can cause side effects. A plane can’t afford to have any problems for the life of it, usually 25 years or more.

Software (e.g. TCAS, automated landing) has played no small part in enhancing safety but providing adequate protection to ensure systems function as intended is the weakest link. As the speaker says in this video, “we need to collaborate“.

We can’t afford to wait for the first aircraft to go down by such cyber attack means before we act. Remember post 9/11 that impregnable cockpit doors were made mandatory. The doors also allowed the pilots to prevent activation of the entry code to prevent would be hijackers from entering by taking a stewardess hostage. In March 2015 a Germanwings co-pilot Andreas Lubitz, activated this function when his pilot took a restroom break  to commit suicide along with 150 passengers. The activation codes used by the pilot did not work. Technology can sometimes have unforeseen consequences.

Slightly off topic, though no less important, alcoholism and flying is also an issue. The FAA sites, a minimum “8 hours from “bottle to throttle.”” Between 2010 and 2015, FAA records show 64 pilots in the US were cited for violating the alcohol and drug provisions, and in 2015, some 1,546 personnel who must ensure airline safety, including 38 pilots, tested positive for one or more of five illegal drugs. In India, between 2011 and 2016, a total of 188 pilots across the country were found to have high blood alcohol levels during checks.

Coincheck wreck


Perhaps that was Coincheck’s greatest problem. Bragging rights to being the leading crypto exchange in Asia only made it (pardon the pun) a richer target. 58 billion yen ($560mn) was stolen. While bitcoin trading wasn’t halted many other cryptos were, exposing their fatal weakness. CM has been writing constantly that “hacking” was the biggest threat. Regulators will have to step in at some stage and the global trading element of crypto creates all the nasties of global policing against tax evasion and money laundering.

Coincheck claims it will compensate users of the exchange but at the same time is asking for financial support. The question is how the reactive forces within the Financial Services Agency will cope with protecting investors? Seems like cart before the horse.

Why should investors that willingly traded on an unregulated site be compensated?

Thoughts for the day – Group think, crypto and taxi drivers


It is important to challenge convention. I have had countless questions from people on bitcoin and crypto lately. Sort of reminded me of the above. Perhaps the golden rule of investing doesn’t lie in complex models and sci-fi scenario analysis but the simple question of whenever an overwhelming majority think something is great, it is time to take the opposing view and vice versa. I haven’t been in a taxi yet to confirm Bitcoin is overdone. As I put it – gold needs to be dug out of the ground with effort. The thing that spooks me about crypto (without trying to sound conspiracy theorist) is that state actors (most top end computer science grads in China end up working in the country’s cyber warfare teams), hackers or criminal minds (did you know 70% of top end computer science grads in Russia end up working for the mob (directly or indirectly) the value of coins in the system could be instantaneously wiped out at the stroke of a key. We’ve had small hiccups ($280m) only last week. So as much as the ‘security’ of these crypto currencies is often sold as bulletproof, none of them are ‘cyberproof’.

Think of why your Norton, Kaspersky or Trend Micro anti-virus software requires constant upgrading to prevent new threats trying to exploit new vulnerabilities in systems. We need only go back to the Stuxnet virus of 2010 which was installed inside computers controlling uranium centrifuges in Iran. The operators had no idea. The software told the brain of the centrifuges to spin at multiples faster than design spec could handle all the while the computer interface of the operators showed everything normal. After a while the machines melted down causing the complete destruction of the centrifuges which were controlled from a remote location.

So much in life is simple. Yet we have lawyers writing confusing sentences that carry on for pages and pages, politicians complicating simple tasks, oil companies trying to convince us their additives are superior to others and so on. The reality is we just have to ask ourselves that one question from Mark Twain,

It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.

Tricking the auto-pilot 73% of the time


So much faith is put in the hands of computers nowadays but the idea of driverless cars is still fraught with danger.  Car & Driver reports “Researchers at the University of Washington have shown they can get computer vision systems to misidentify road signs using nothing more than stickers made on a home printer. UW computer-security researcher Yoshi Kohno described an attack algorithm that uses printed images stuck on road signs. These images confuse the cameras on which most self-driving vehicles rely. In one example, explained in a document uploaded to the open-source scientific-paper site arXiv last week, small stickers attached to a standard stop sign…using an attack disguised as graffiti, researchers were able to get computer vision systems to misclassify stop signs at a 73.3 percent rate, causing them to be interpreted as Speed Limit 45 signs..”

Sure systems will improve over time but we already have a plethora of people already putting too much “blind” faith in systems being fool proof as this video demonstrates