Airplanes rely on CANbus, a protocol designed in the 1980s with no adversarial threat modeling. Any device that taps into that bus can send commands to any other device, which will happily execute them - without authentication or authorization other than presence on the bus.
For instance, we know cars’ engine, steering, and brakes, which use CANbus, can be controlled by sending commands from the radio. This should never happen in normal circumstances, yet it’s possible under adversarial conditions because of the CANbus architecture.
Of course in the 1980s that wasn’t a huge concern because anyone who could tamper with the wiring in your car could cut your brake lines too. So threats to drivers, passengers, and pedestrians through the CANbus were dismissed by industry. And rightly so.
Fast forward to 2010 when cars are connected to the internet and you can control a car remotely. This is when alarm bells should have been going off for the auto industry to put long-term fixes in place.

Narrator: They didn’t. autosec.org/publications.h…
Now it’s 2013. @0xcharlie and @nudehaberdasher presented their research showing that when plugged into the CANbus they could control the car. Again, no one in industry was shocked because the system was DESIGNED this way. ioactive.com/pdfs/IOActive_…
So in 2015, when @0xcharlie and @nudehaberdasher killed @a_greenberg’s engine on video, the public and policymakers lost their minds. They felt unsafe and lied to. Automakers violated their trust.
In 2019, aftermarket afterthought cybersecurity products add a few billion dollars to the cost of cars...so we don’t have to FIX the actual problem. Good for VCs. Bad for public safety and the economy (see also, the broken window fallacy). marketsandmarkets.com/PressReleases/…
Don’t get me wrong, better car architectures, such as AUTOSAR, exist and are very slowly being rolled out. And things like FlexRay can help replace CANbus. But it’ll still be DECADES before all cars on the road have these. autosar.org
News today that planes use the highly vulnerable CANbus protocol and the aviation industry reaction was reminiscent of the auto industry in 2010. That’s disappointing. It’s one more in a series of turning points for the aviation industry. apnews.com/6219f26c3ea145…
Using the computer and auto industries as guides, we know what’s in store for the aviation industry if they follow this track. A few more years in denial, delaying the inevitable. Then an existential crisis they can’t avoid. A scramble to respond, while taking a beating in press.
Settling into a steady state where they support a new dependent and intertangled industry, adding $billions to the cost of air travel and air freight. If that’s not the future the industry wants, perhaps there’s a better way...
Collaboration with security researchers fixed problems earlier than they would have been, with sustainable and inexpensive approaches. We offer that olive branch at the @AviationVillage. Not too late to come out to @defcon this year. aviationvillage.org
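As an added defender's illustration of the point in the first tweet (this is not code from the thread or its author): the capture lines below are constructed in the `(timestamp) iface ID#DATA` format that can-utils' candump writes, and the monitoring heuristic and its names (`learn_periods`, `timing_anomalies`) are this editor's, not any product's. Because a CAN frame carries no sender identity, a bus monitor cannot ask "who sent this?"; the best it can do is learn each periodic ID's schedule from a known-good capture and flag well-formed frames that arrive off-schedule.

```python
import re
import statistics
from collections import defaultdict

# Constructed candump-style captures (not from the thread). A CAN frame carries
# only an arbitration ID and up to 8 data bytes: no sender field, no signature.
BASELINE_LOG = """\
(0.000000) can0 0C1#0000000000000000
(0.010000) can0 0C1#0000000000000000
(0.020000) can0 0C1#0000000000000000
(0.030000) can0 0C1#0000000000000000
"""
LIVE_LOG = """\
(1.000000) can0 0C1#0000000000000000
(1.010000) can0 0C1#0000000000000000
(1.013000) can0 0C1#FFFF000000000000
(1.020000) can0 0C1#0000000000000000
(1.030000) can0 0C1#0000000000000000
"""
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-F]+)#(?P<data>[0-9A-F]*)", re.I)

def parse_candump(text):
    """Return (timestamp, arbitration_id, payload_bytes) tuples from candump -l lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames

def learn_periods(frames):
    """Median inter-arrival time per ID, learned from a capture of a known-good bus."""
    gaps, last = defaultdict(list), {}
    for ts, can_id, _ in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items() if g}

def timing_anomalies(frames, periods, tolerance=0.5):
    """Flag frames on a periodic ID that arrive far ahead of schedule. Since any node
    on the bus may transmit any ID, an off-schedule but otherwise valid frame is the
    main hint a monitor has that a second node is emitting that ID."""
    last, alerts = {}, []
    for ts, can_id, data in frames:
        period = periods.get(can_id)
        if period is not None and can_id in last and ts - last[can_id] < period * (1 - tolerance):
            alerts.append((ts, hex(can_id), data.hex()))
        last[can_id] = ts
    return alerts
```

The heuristic only catches frames that break an ID's timing; a frame sent in place of the legitimate one, on schedule, looks identical on the wire, which is why the thread's point is that the fix has to be architectural rather than bolted on.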