Is there such a thing as ethical hacking?

A recent news report about hacking into a commercial jet raises concerns about how we view ethical hacking.

[Image: hacked hacker breach security. Credit: flickr/powtac]

I remember the day the laptop arrived by UPS.

I was working in a summer office and had a view of a beautiful lake out my front window. The box looked inconspicuous. Inside, I found one of those slightly-out-of-date Windows models, a bit chunky and heavy like it was a year or two old. The packaging looked odd -- no colored brochures and stickers, no warranty notices -- just some crunched up newspaper and a card that listed a few of the apps and version numbers.

I took the system out of the box and powered it up. Instead of Windows, the system was running a special version of Linux with about two dozen pre-loaded apps. On the desktop wallpaper, the Grim Reaper held his scythe as a thinly-veiled encouragement about how to use the system. A company I won’t mention had sent me the laptop as a way to show how “ethical hacking” works in the real world. There were password generators and tools for sniffing out and breaking into Wi-Fi networks. I knew the laptop and pre-loaded apps were perfectly legal; what I could do with the laptop was totally up to me.

Over the past 14 years, I’ve interviewed countless security experts and heard about some of the craziest hacks possible. A few of the most memorable include the guy who redirected a GPS signal being sent to a car (ironically, he happened to work at a government lab) and another who could spoof an NFC signal from a smartphone during a financial transaction. I've also heard about a few drone hacks. All of them were conducted in a safe, controlled environment with no possibility of actual harm.

Recently, news reports about an ethical hacker named Chris Roberts claim he is under investigation by the FBI for an alleged hack on a commercial airplane, suggesting he tapped into the on-board entertainment system and made the plane climb and move sideways. He now claims he did no such thing, and maybe the whole incident was a joke or conducted in a virtual environment. At the very least, his tweets seem to poke fun at even the possibility of hacking into a real airplane in flight.

I know all about the technical definition of ethical hacking. It is when a company pays a security expert to hack into its own systems, which is perfectly legal. It’s a way to test out their security infrastructure and see if it is impenetrable (something that is rarely true).

I also know the term “hacking” has lost its original meaning, dating back to those movies starring Robert Redford that made it seem like a data center was some mythical, dark place in a basement with gleaming red lights and not a dull row of HP servers in a brightly-lit wing of a corporate office. You can now “hack” your microwave or “hack” travel. You can “hack” your sewing machine. Those are not bad things. In fact, the word “hack” is an extremely positive word, something you do to make the world a better place.

Yet, I wonder about the “ethics” of ethical hacking. Imagine that United Airlines really did pay someone to try and hack into the computer systems on an airplane in flight. Oops. Not so ethical anymore. Would an airline ever want someone to break into the flight controls of a real passenger jet? Would they really pay someone to do that? Or, maybe it is an automaker that wants to find out if someone can tap into the accelerator of a car someone just purchased. (We know DARPA has proven this is possible.)

My issue is with the phrase “ethical hacking” and not with controlled tests meant to find out whether a system can be hacked. There are too many young and impressionable coders who may be drawn to the idea of hacking as a way to prove something can be done or to reveal the holes in a security system. Do we really think DARPA hacked into an Impala being driven on public roads by a private citizen? My concern is that people will misunderstand the phrase “ethical hacking” and think it gives them a license to hijack computer systems in an uncontrolled way and commit a crime.

Ever since that laptop came in a few years ago, I’ve wondered if it really makes sense. The tools are all legit. The laptop makes it much easier to perform security tests. But why the desktop wallpaper? What was the company really trying to promote? What ethos were they encouraging? Does making the tools for “ethical hacking” much easier to obtain mean that a company could be held liable when someone uses those tools for a real crime?

For me, the real issue is whether “nefarious hacking” and “ethical hacking” are roughly the same thing. The person doing the hacking might be ethical; the hack they are doing without the consent of the target in question is not all that ethical.

This article is published as part of the IDG Contributor Network.
