As regular readers of this blog site willbe aware, I attended the Virus Bulletin 2006 conference in Montreal,Quebec last week. On my flight home to Calgary (aboard a major Canadiancarrier) they had something new for me. On the back of each seat therewas a touch-screen display for people to watch movies, television, andso on. Ok, so this may not be anything new (I probably just don’t getout enough) or all that interesting at first glance. However, a coupleof things relevant to computer security struck me about these screens.
Almost right after looking at the screen for the first time, my eyeswere drawn to a socket just to the left of it—a USB port. There weren’tany keyboards distributed during the flight, but I suspect the portsare there for a future video game option (when I tried selecting thisoption on the touch screen, I was greeted with a “This feature iscurrently unavailable” message). Now, there’s also a distinctpossibility that the operating system behind these screens would bejust as happy recognizing a USB keyboard as a gaming pad. I had a USBmouse with me, but not a keyboard with which to test this theory, andconsidering it was a full flight I’m sure the other people in my rowwould have gotten a little nervous about it.
“Well, that’s not very concerning” I can hear you saying. But, letme tell you why it could be. These display devices are definitelynetworked or directly connected to some central controller. I know thisbecause every time the flight crew made an announcement, messages onthe screen would change. Given that airlines have recently moved awayfrom free meals on flights and towards snacks and food that you payfor, it has to be getting a little annoying for the crew to constantlybe collecting cash and giving out change. And, what about thosepassengers who would love to give the airline some money for a snack orto play some video games, but forgot to stop at an ATM before boarding?I’ll bet they’d love to be able to pop a credit card number into one ofthese devices, either through a magnetic reader, or manually using thetouch screen. Do you see where I’m going with this yet?
Ok, for those of you who haven’t yet booked a flight and gone out topick up a USB keyboard and are still reading this, I’ll elaborate. Asystem that accepts credit card information for unattended purchasesalready exists. Since Web servers and shopping cart applications areabundant, why reinvent the wheel? As we also know, Web applicationslike shopping carts are frequently prone to easily exploitablevulnerabilities (if you don’t believe me, take a look at theVulnerabilities section of the most recent edition of the Symantec Internet Security Threat Report).What better way to recoup the cost of your airline ticket than to stealsome credit card numbers during the flight! If this is the way thingsare headed, then let’s hope that the airlines take their on-boardinformation security as seriously as they do physical security.