Hacker’s Claims Spotlight Vulnerabilities of Jetliners’ Systems

May 21, 2015

Even as the U.S. questioned a computer researcher’s claims of tampering with a jetliner in flight, his account spotlighted possible cybersecurity risks in commercial aviation.

The consultant told the Federal Bureau of Investigation that he hacked into in-flight networks more than a dozen times using onboard entertainment systems, Wired magazine reported over the weekend. While a U.S. official said that lacked credibility, the article drew attention to a U.S. report last month about digital threats to airliners.

Government officials flagged potential vulnerabilities in the U.S.’s pending shift to satellite-based air traffic control from current ground-based systems. They said there is a theoretical risk that an unauthorized person could gain access to sensitive aircraft systems, even though the computers running the controls are kept separate from in-flight entertainment technology.

Even with firewalls, a breach could occur if the cockpit controls system and entertainment technologies were connected to the same router or used the same networking platform, the U.S. Government Accountability Office wrote last month.

Hacking into cockpit controls would require a combination of expert skills and a network that is sufficiently vulnerable, said Jon Haass, chairman of Cyber Intelligence & Security at Embry-Riddle Aeronautical University’s Prescott, Arizona, campus. But it’s possible because of the interconnectivity of aircraft systems, he said.

“The networks are in some sense connected, even though they’re firewalled off from each other,” Haass said. “If I can trick a network computer or device into thinking I’m OK, that would allow me to then get to the controls which I’m not authorized to touch.”

Chris Roberts, founder of a cybersecurity consulting firm called One World Labs, claimed to have made that threat a reality after being pulled off a flight last month over provocative tweets about airline hacking.

Government officials remain skeptical.

There is no credible information to suggest an airplane’s flight control system can be accessed or manipulated from its in-flight entertainment system, a senior law enforcement official who asked not to be identified told Bloomberg News on Monday.

The risk of hacking is so low that airline passengers shouldn’t be concerned, Haass said.

If Roberts did access the unidentified plane’s controls, as he told federal agents according to a search warrant affidavit, it wouldn’t be the first time that “white hat” hackers — who break into computer systems to identify vulnerabilities and fix them — have resorted to extreme tactics. The cybersecurity industry, which Gartner Inc. projects will rise 8 percent this year to $78 billion, is a crowded marketplace where security concerns are a reliable selling point.

Even so, hacking a plane’s control systems in flight would represent a dangerous and likely illegal escalation, which has angered even fellow security researchers.

It also is a real concern for the airline industry.

While cockpit control systems have historically been isolated and self-contained units, airplane manufacturers have shifted to a concept called integrated modular avionics that run vital functions through fewer central processing units to save weight and increase the ease of software upgrades.

The approach shaved 2,000 pounds off Boeing Co.’s most advanced commercial jet, the 787 Dreamliner, while cutting in half the number of processor units for Airbus Group NV’s A380 superjumbo jet, according to Aviation Today.

Although separated from the entertainment systems by firewalls, security technologies could be breached if connected to the same router or using the same networking platform, the GAO wrote.

Some aircraft have controls that have an “air gap” with other airplane computer networks — meaning the different networks have separate wiring that prevents the sharing of information. That closes off that vulnerability, Embry-Riddle’s Haass said. It’s not clear that all planes have this closed-off system, he said.

The FBI is warning airline workers to watch for suspicious activities, such as passengers connecting cables or wires to the in-flight entertainment systems “or unusual parts of the airline seat,” and report any signs of tampering with the entertainment systems, according to Wired.

The Federal Aviation Administration last year ordered Boeing to ensure that computer networks on upgraded versions of its 737 aircraft are protected. Previous versions of the same plane “had very limited connectivity with external network sources” and weren’t at risk, the FAA said in the June 6 notice.

The agency has issued similar notices ordering Boeing, Airbus and other aircraft manufacturers to design electronics to protect them from outside interference.

Entertainment systems on Boeing’s commercial airplanes are isolated from flight and navigation systems, and pilots have more than one navigational system at their disposal, said company spokesman Doug Alder.

“No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval,” he wrote.

Airbus has systems and procedures in place to ensure against potential cyberattacks, Mary Anne Greczyn, a spokesman for Toulouse, France-based Airbus, said in an e-mail. “We naturally do not discuss details on our security design and operations in public.”

Pilots form an additional layer of protection, John Cox, president of consulting firm Safety Operating Systems, said in an interview. On the off-chance that it was possible for a hacker to manipulate the flight controls, pilots are trained how to manually override a plane’s automatic systems, said Cox, a former pilot himself.

“The idea that you can somehow get in and take control of the airplane — it isn’t going to happen,” he said.

(With assistance from Michael Sasso in Atlanta and Chris Strohm in Washington.)