A team consisting of government, industry, and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting. The hack occurred in September 2016 and was recently announced at the 2017 CyberSat Summit in Tyson’s Corner, Virginia. Robert Hickey, aviation program manager within the Cyber Security Division of the DHS (Department of Homeland Security) Science and Technology (S&T) Directorate. Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate said that “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,”
Obviously, due to the sensitive nature of the information details of the hack are classified. What has been detailed to the public is that the hack was accomplished by having no one actually touch the plane and there was no need to have an insider threat providing information or otherwise. In order to gain access to the aircraft, they accessed the aircraft’s systems through radio frequency communications that many aircraft use as a matter of course.
The aircraft hacked was a legacy Boeing 757 commercial plane purchased by the S&T branch. While for most readers the idea of having the plane you’re in hacked by a criminal is a nightmare suitable for Hollywood, most of the experts attending the summit response were tepid at best. Their response can be summarised “already knowing the problem exists”, and “no big deal”. While security experts are aware of how vulnerable systems on the 757 are to a potential hacker it appears pilots were not. In March 2017, at a technical exchange pilots from American Airlines and Delta Airlines were told of the potential vulnerabilities in planes they fly daily carry passengers across the Americas. They responded in a fittingly horrified manner questioning why despite the problem being known for years had they only been informed this year.
It appears that part of the problem is the focus applied by the DHS in implementing the Infrastructure Protection Plan. It appears the majority of the focus has been applied to terrestrial-based transportation systems. While terrestrial based systems may amount to a majority of the focus, there are still two other facets of critical infrastructure covered by the plan, those been maritime and aviation.
Patching vulnerabilities is cost prohibitive
Another problem encountered in looking to solve the vulnerabilities is the cost prohibitive nature of patching those vulnerabilities. Currently, to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For a lot of airlines who already run on incredibly tight margins, the cost would bankrupt them. This is particularly the case with airlines like Southwest Airlines whose fleet is primarily the 737. In this instance, if it was proved a cyber vulnerability was specific to systems onboard 737s it could bankrupt them and hurt the earnings of other airlines who also flew 737s. That being said other aircraft, like Boeing’s 787 and the Airbus Group A350, has been designed with security in mind. Sadly, legacy aircraft like the 757 make up more than 90% of the commercial planes in the sky, which do not have these protections.
As if the cost was not the only problem, aircraft pose a unique problem. There are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft whether those are commercial or military aircraft. Meaning that the traditional methods used to combat and prevent terrestrial-based networks will not be effective. Hickey's team for his work includes Massachusetts Institute of Technology, the Energy Department's Pacific Northwest National Laboratory, University of California San Diego, Sierra Nevada, SRI International and QED Secure Solutions. QED is led by Johnathan Butts, a former Air Force officer who has done cyber vulnerability assessments of Minuteman III intercontinental ballistic missiles and B-52 bombers. It is hoped that the team will be able to shed more light on the problem and develop better methods in combatting future attacks targeting the aviation industry.
Not the only time airplanes have been reported to be hacked
In 2015 a security consultant informed the FBI that he hacked into computer systems aboard airliners up to 20 times and managed to control an aircraft engine during a flight, according to federal court documents released to the public. Chris Roberts, the security researcher in question, was detained by the FBI in April that year following a United Airlines flight to Syracuse, New York after officials saw Twitter posts he made discussing hacking into the plane he was traveling on. The FBI document says the bureau's agents and technical specialists “believed that Roberts had the ability and the willingness to use the equipment than with him to access or attempt to access the in-flight entertainment systems and possibly the flight control systems on any aircraft equipped with an in-flight entertainment system, and that it would endanger public safety to allow him to leave the Syracuse airport that evening with that equipment.”
Roberts admitted to using a modified Ethernet cable to connect his laptop to an electronic box underneath his seat that controls the entertainment system. From there, he hacked into the airplane's computer. Upon his arrest, the FBI warrant included the seizure of computer equipment, including a laptop and an iPad, as well as thumb and external drives. Roberts admitted that the thumb drives contained “nasty malware”.
Despite Robert’s claims, Boeing issued a statement refuting his claims stating that the in-flight entertainment system is isolated from the flight and navigation systems. Boeing further stated, “It is worth noting that Boeing airplanes have more than one navigational system available to pilots. No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”
Airbus, the other major player in the aeronautics industry has previously stated that it has security measures, such as firewalls, that restrict access and the company “constantly assesses and revisits the system architecture” to make sure planes are safe. So while possible it is unlikely that you may be re-enacting an awful action movie.