The horrific Sept. 11, 2001, terrorist attacks involved weaponized airliners that were hijacked using brutal, low-tech tactics. But the rapid advances in technology of the last 10 years may mean that tomorrow's threats to planes, trains and automobiles could come not from armed terrorists, but from stealthy hackers.
The connection between terrorist organizations and cybercriminals exists, say experts, not only in online underground marketplaces where hacking tools are sold, but also in areas of recruitment and training.
Some unfriendly countries are working on so-called cyberwarfare programs, and there are also "al-Qaida cells that are acting as training centers for hackers," said Alan Paller, director of research at the SANS Institute, an information-security training firm based in Bethesda, Md.
Those attackers will have more targets than ever, security firm McAfee noted in a report released last week [ http://www.mcafee.com/us/resources/reports/rp-caution-malware-ahead.pdf ]. The report cited the mobile-phone maker Ericsson's estimate that by 2020, there will be roughly 50 billion devices connected to the Internet, including airport kiosks, industrial control systems and remote network-monitoring devices.
The perceived threat to these and other systems is rising.
Mounting evidence
Last week, the United States Department of Homeland Security (DHS) issued a security bulletin from the National Cybersecurity and Communications Integration Center warning the security community about new tools and new recruitment techniques being used by various hacker groups.
The report refers to such organizations as soliciting help from disaffected employees, as well as using more nefarious methods, including forcing people to cooperate with hackers using "unwilling coercion through embarrassment or blackmail."
While the possibility of actually incapacitating an individual plane and causing it to crash via computer remains remote, say experts, hackers can disrupt flights and create potentially life-threatening situations.
In 2004, malware known as the Sasser worm disrupted flights when it infected systems that Delta Air Lines relied upon. Since then, the tools for creating such havoc have become more sophisticated — and more accessible.
The DHS warning included references to new tools being used by politically motivated "hacktivist" groups such as Anonymous. Powerful administrative tools, such as the " Low Orbit Ion Cannon," have been repurposed to bring down systems using distributed denial-of-service attacks. While such attacks are rudimentary, they could cause serious problems if directed at critical transportation systems.
Gaping vulnerabilities
Such networks remain frighteningly vulnerable, say law enforcement watchers. As one example, a congressional report on cyberterrorism cited the 2002 case in which a major weakness in the Simple Network Management Protocol (SNMP) was discovered that could have been exploited to bring down "major portions of the Internet."
The vulnerability was kept a secret while security firms worked to protect telecommunications equipment around the world. According to FBI reports at the time, if the systems had not been patched, they could have been used to interrupt control information exchanged between ground and aircraft flight control systems.
Similar outages in telecommunications systems and embedded systems could be used to disrupt train and track switching information.
"For example, some rail systems are based on SCADA [supervisory control and data acquisition] control systems," said Tim Armstrong, a malware researcher at Moscow-based Kaspersky Lab. "These are similar to the types of control systems that were compromised in the Stuxnet attacks in 2010."
But the newest and most unpredictable weaknesses today appear to be in the connected systems embedded in late-model cars.
Several vulnerabilities in remote start, locking, tracking and other car systems have already been demonstrated. Computer security researchers at iSec Partners, for example, have shown how they can unlock a car and turn on its engine using a laptop computer.
The researchers managed this hack with a few hours' work tapping into the car's wireless connections. Another security expert has demonstrated how to tap into a police car's camera and video recorder.
Such attacks already have a name: war texting. Mobile car apps that use a driver's smartphone are potential targets in many of these cases as well, according to McAfee's report, "Caution: Malware Ahead."
Analysts at the firm stress that while no such cases have yet occurred, critical car systems could be vulnerable. One example: remote vehicle immobilization and slow-down systems, such as those used in GM's OnStar, could be hacked. Though they were intended as theft deterrents, if control of these systems fell into the wrong hands, it could lead to disastrous results.