Leaky web interfaces connecting directly to aviation applications. Weaponizing modern-day OT to take down cartels and dictatorships. Abusing decades-old legacy code behind transportation, power, and other safety-critical systems.
Chris Kubecka has hacked them all.
Check out our video interview here. Read on for a summary of our interview.
At age nine, Chris was caught hacking into the Department of Justice and the FBI. She explains, “I have a very, very curious mind. It was all about solving puzzles, figuring out things, finding loopholes some way that somebody else hasn’t.”
She was restricted by law from using computers until age 18, at which time she joined the U.S. Air Force and was selected to be among a first group of women loadmasters to serve on combat missions.
Author of several ethical hacking books, Chris is also founder and CEO of HypaSec, which offers nation-state incident management and ethical hacking training in IT, IoT, and ICS/SCADA, along with advisory services to governments.
Given her background in the U.S. Air Force and then U.S. Space Command, and with a degree in aviation, she went on to publish in-depth research on hacking airplane systems resulting from what she calls “general poor coding practices.” Many of her discoveries have put her in the crosshairs of unethical governments and corporate entities alike, but her work has won her many awards, including Cybersecurity Woman Hacker of the Year in 2020.
For example, Chris consulted on new protocols for modernizing communications systems between Canada and the U.S., where she uncovered a gaping hole that led to scrapping the project for something more secure.
When it comes to hacking airplanes, Chris describes them as “computers in the sky.”
“Aircraft depend on the flight control computers to do a huge amount of automation,” she says. “When we’re relying on software for our lives, it’s very important that this central computer that runs all this automation is tested properly.”
During a lengthy investigation into a large manufacturer, she reported that by easily hacking into the pilot access portal from the Internet, she was able to traverse back to the manufacturer’s development servers, from which a bad actor could alter products, steal IP, and interfere with in-flight systems. For example, it doesn’t take much to extrapolate how determined saboteurs could leverage this pathway to install malware on development servers, pushing it to in-flight systems during updates, in similar fashion to the SolarWinds hack.
“The last thing you want during these interesting geopolitical times … is getting planes blown up through sabotage,” Chris cautions. “So, be aware that the risk is increasing, the threats are accelerating, and people who are carrying out these threats are much more well-funded.”
Click here to learn more about Chris’s incredible background and findings.
Resources:
Learn how CodeSecure’s testing toolsets support development teams in meeting functional safety and cyber security requirements for Aerospace systems.
Read Chris’s new book, “How to Hack a Modern Dictatorship with AI.”
Read Deb’s previous blog on the importance of identifying AI-developed components in applications.