In-flight plane control systems vulnerable to remote hacking: Experts

Published 26 March 2015

Flaws in in-flight entertainment (IFE) systems and satellite communications leave commercial, private, and military planes vulnerable to hacking, according to cybersecurity experts. “We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems,” says one expert. “Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit.” Terrorist groups are believed to lack the expertise to bring down a plane remotely, but it is their limitations, not aviation safeguards, which are keeping planes from being hacked.

Flaws in in-flight entertainment (IFE) systems and satellite communications leave commercial, private, and military planes vulnerable to hacking, according to cybersecurity expert and founder of OneWorldLabs, Chris Roberts. “We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems,” said Roberts. “Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit.”

Terrorist groups are believed to lack the expertise to bring down a plane remotely, but it is their limitations, not aviation safeguards, which are keeping planes from being hacked.

IFE vulnerabilities exist on the Panasonic and Thales installations, the two main providers of IFEs. The systems can be breached remotely and once in, a hacker can gain access into other areas of the plane’s network. “Worst case would likely be the ability to access the avionics systems, monitor and possibly influence the control interfaces and other critical flight environments typically found on the private plane subnet,” giving the hacker the ability “to intercept and possibly modify the packets of data being sent from the controls to the actuators using readily available software,” Roberts said.

Ruben Santamarta, principal security consultant for IOActive, a security consultancy with expertise in hardware, software, and wetware assessments, told Fox News that he discovered a backdoor that allowed him to gain privileged access to the Satellite Data Unit, the most important piece of SATCOM (satellite communications) equipment on an aircraft. “These vulnerabilities allowed unauthenticated users to hack into the SATCOM equipment when it is accessible through WiFi or In-Flight entertainment networks.”

Weak encryption algorithms and insecure protocols are just two of “multiple high risk vulnerabilities” in SATCOM technologies manufactured by some of the world’s largest providers. “These vulnerabilities have the potential to allow a malicious actor to intercept, manipulate or block communications, and in some cases, to remotely take control of the physical device,” Santamarta reported.

Santamarta shared his findings at the Black Hat cyber conference in Las Vegas last August, but as far as he knows, “the system may still be vulnerable. We are not aware of any official patch.”

Four months after Santamarta presented his research, a group of international aviation organizations signed “The Civil Aviation Cyber Security Action Plan,” aimed at increasing cooperation within the industry to improve cybersecurity.

DHS spokesman S. Y. Lee said the vulnerabilities highlighted by Roberts and Santamarta are similar to flaws in infrastructure communications equipment long known to the DHS National Cybersecurity and Communications Integration Center (NCCIC). “While the NCCIC is aware of this report, we have not independently verified the alleged vulnerabilities and we continue to work actively with stakeholder and industry partners to examine the claims made in the report,” Lee said.

John Harrison, senior analyst at Cyberpoint, is not convinced that terrorists will hack a plane. “Most terrorist groups do not appear to have the technical sophistication to hack into systems the way some describe,” Harrison said. He expects terrorists to stick with what they know: explosives and other conventional tactics.

State actors, on the other hand, do have access to the expertise needed to hack an aircraft as Roberts and Santamarta described, but the only known cyber-related breach on aviation still focused on physical security. In December 2014, there was a report of “Operation Cleaver” by Iran, aimed at finding cyber-enabled ways of bypassing airport physical security. “While there don’t appear to have been any actual attacks accomplished this way, Operation Cleaver appears to offer a disturbingly modern cyber alternative to hiding bombs in body cavities,” Harrison said.

Harrison adds that if there was a cyberattack on a plane, it could be stopped midair. “I suspect flight crews have an ability to recover from a hack in a variety of ways,” Harrison said. “While computers do a tremendous amount of the flying in modern aviation, humans are still capable of controlling aircraft if the technology fails or is disrupted.”

Meanwhile, the Federal Aviation Administration (FAA), charged with overseeing flight operations, has been cited for failing to fully protect its systems from cyberattacks. In a 2015 Government Accountability Office report, the agency wrote that while the FAA has taken some cybersecurity measures, “significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.” Specifically, “weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems,” the report said.