A few months ago, the news that Chris Roberts, a security researcher, had allegedly hacked an in-flight entertainment system, and possibly other parts of a Boeing 737, sparked a wave of controversy. Public opinion was originally on Roberts’ side, but the recent publication of the FBI affidavit changed that drastically. According to the affidavit, Roberts admitted to doing a live “pen-test” of a plane network in mid-air.
Whether this is true or not, it raises some valid concerns over the ethical implications of white hat hacking. In the case of Roberts, who, according to the affidavit, was able to steer the airplane off its intended course, the consequences could have been dire. Nobody believes that Roberts intended to hurt himself or any of the passengers, but if the affidavit is accurate, the possibility was real.
Some believe it all comes down to intentions. If a white hat hacker intends to do no harm and has no malicious agenda besides testing the security of the system in question – possibly looking to responsibly disclose any vulnerabilities discovered – many security professionals believe it to be ethical. After all, no harm was done, no data was stolen, and vulnerabilities were possibly discovered and reported.
But at what point does a white hat hacker cross the line? Where should the ethical lines be drawn?
It appears the term white hat means different things to different people. On one hand, there are professionals in the cybersecurity business who have built their entire career on being strictly white hat. These security professionals must have strong principles and never do so much as scan, probe, or check a system without prior request and written approval. They follow strict rules to protect both their reputation and their future earnings.
The definition, however, drifts when you move away from professional practitioners. Many people who consider themselves white hats would have no issue with, let’s say, checking whether their bank has an IPMI port exposed to the internet, as long as their motive was to notify the bank. To them, it is ethically no different from checking whether the door of their local bank branch is locked at night. After all, their motives are pure.
Herein lies the main issue. Pure intentions do not make an action ethical. However noble their intentions, white hat hackers can still, fairly easily, cause unintentional harm: a port scan or a malformed request can crash a fragile service just as readily as a deliberate attack. Not to mention that they would be breaking the law in most jurisdictions. Take the security assessment of SCADA systems and critical infrastructure as an example. If white hat hackers are conducting a penetration test on a critical system, such as the 911 emergency line, then even with authorised access it must be understood that the security professionals performing the test have to be able to guarantee that the system stays safe and 100 percent operational throughout.
If the assessment were performed by an individual with the disregard for safety that Roberts allegedly showed on that plane, it might translate into a major threat. The same applies to a plethora of other scenarios, where an overly eager security professional might forget, or ignore, certain precautions in the search for flaws in the system they are testing.
Some organisations, including Google, Facebook and Microsoft to name a few, even offer reward programmes for white hat hackers who discover vulnerabilities. In fact, Google has recently announced an initiative for public discovery of Android vulnerabilities, offering successful white hat hackers up to $40,000 for submitting a high-quality, reproducible bug in the system.
These companies are prepared for public penetration testing and, presumably, have a plan in place in case an unforeseen accident results in a partial system malfunction. Alternatively, they are willing to take the risk and reap the benefits of crowdsourcing. For most organisations, however, this is not a viable model, and white hat hackers need to acknowledge and respect that. Not just because unsolicited testing is typically illegal, but because it is unethical and can put people’s lives at risk.