Why We Don't Publish Passwords

“It isn’t that they cannot find the solution. It is that they cannot see the problem.” – G.K. Chesterton

And thus is the world of application security.

For years, developers have been creating code without security in mind. Today, even with secure code development, researchers continue to find flaws in both the code and the systems in which applications run. Researchers do not disclose passwords to their computer systems; however, when they prematurely disclose a vulnerability in a product, they are, in effect, disclosing access to someone else’s system. With the increased complexity of digital ecosystems, premature disclosure can have significant negative consequences.

Typically, whitehat and greyhat researchers share their discoveries of vulnerabilities with the developers and operators of these critical systems. These coding and process flaws are shared either through goodwill or bug bounty programs. The discoveries drive upgrades in design, privacy, security, and safety. In many cases, the vulnerability, once patched, is shared with the public to increase security awareness and in recognition of the good work done by the researcher. This process of private notification, patch, and public notification is considered “ethically responsible” behavior by a researcher.

The Aviation ISAC believes there is a missing step in this process, and we are advocating for an increased level of responsible disclosure. Beyond contacting the company that owns the vulnerability, we believe there should be throttled disclosure throughout the industry, followed by public disclosure.

The aviation industry has seen exponential growth in the integration of complex digital systems on planes, in airports, and in every space in between through functionality such as ADS-B, engine analytics, flight analytics, on-board Wi-Fi, EFBs, entertainment systems, and more. Within these technological advancements, researchers have discovered aviation industry vulnerabilities. None of these vulnerabilities impacted systems critical to flight; however, the researchers sensationalized their claims, stating these configuration errors put hundreds of in-flight craft at risk. In truth, exploiting these vulnerabilities would only have degraded the passenger experience by interrupting services or making data unavailable. Flight safety was not at risk, but watching a movie on the screen in front of the flyer’s seat could have been a problem.

The researchers engaged with A-ISAC for a few reasons. In one situation, the researchers advised they were struggling to contact the right person within the company, and in another, the company was nonresponsive. Through the A-ISAC, the researchers achieved their goal of responsible disclosure.

In another case, the researchers achieved responsible disclosure to the vulnerable company prior to contacting the A-ISAC. However, by working with the A-ISAC, the researchers were able to better comprehend the true outcomes and impacts of their research.

In each of these instances, industry benefited from these engagements as much as the developers and researchers. By notifying both the developer and industry, other companies relying on the same or similar processes were able to analyze the vulnerabilities found by the researchers and apply the vulnerability identification process to their own systems. These experiences drove increased security across the entire aviation industry—ahead of public disclosure.

Expanding responsible disclosure to include an industry-level disclosure prior to public disclosure ensures that companies who are valuable contributors to the safety and security of critical infrastructure can validate and continuously monitor and improve the security of their systems. Under this model, global industries can better secure their systems from those looking to destroy, ransom, or disrupt services depended upon by millions.

Providing network attackers with vulnerability information is akin to providing them passwords to our networks. We must not enable those with bad intent to attack a technology, a process, a company, or a worldwide industry.

The Aviation ISAC welcomes researchers of all products in the aviation ecosystem. The mindset of researchers can identify software design flaws that software developers just cannot see. For more information, contact us.


© 2020. Aviation Information Sharing and Analysis Center. 
