Cyberjacking may be the new threat to air travel

In April this year, a security researcher was prevented from boarding a United Airlines flight after tweeting that he could hack the plane’s systems. So is it possible to cyberjack a modern civilian aircraft? Stupples says yes — but there is a very large “but.”

A tough nut to crack
“Cyberjacking by a passenger is going to be exceedingly difficult,” he says. “He can’t come through the Wi-Fi system, that’s not possible. He could perhaps interfere with the navigation but the aircraft would warn you. All the systems are totally integrated. How then could he take control of an aircraft? The only way is to get malware on board.”

Malware is software designed to cause harm to a computer system, for example to disrupt it or steal sensitive information. Most of us have received suspicious-looking emails asking us to open attached files: these are often malware viruses ready to infect our PCs.

“One way to get malware on board would be for the software developers to put it on when they develop the software,” he adds. Of course, this means having a rogue employee working for the software company. “For someone to develop the malware who is outside the aviation industry, that is again a difficult task because the systems are all totally integrated. The other way is to load the malware by accessing the aircraft’s on-board electronics bay. This is possible but access controls are very sophisticated.”

Stupples and his colleagues recently carried out research into the most likely ways that a system can become infected with malware. They calculated that the biggest threat came from a rogue or coerced employee, backed by serious organized crime or even a state.

So what can companies do to protect themselves? Can a system ever be totally safe? Stupples explains: “We’ve started working with Airbus and Cranfield University and what we’re doing is not looking at how we can protect a system from a cyberattack — because I think a great many of the controls are already in place and it’s debatable how much more secure we can get — but looking at cybersafety, which is something quite different. “If there’s malware on the system — and we’re talking about any system, whether it’s aircraft, trains or nuclear power stations — the system needs to recognize it’s behaving in an irrational manner and then revert to a safe state.”

Stupples gives the recent example of the Germanwings air tragedy, in which the co-pilot appeared deliberately to crash the plane. “The aircraft started to dive into a controlled but deep descent in an area with no landing facilities,” he says. “The system [if a proposed failsafe was in place] would recognize this is an unsafe situation and the aircraft would then take itself to a stable state. We’re looking at whether it’s possible to take any system affected by malware to a safe state.” It’s still early days for this research. But in such an increasingly connected world, a security system that detects abnormalities would be highly valued, particularly when the consequences of malware could be catastrophic.

The all-seeing radar
Another threat to the aviation industry comes from drones. Widely available for just a few hundred pounds, remote-controlled aircraft have become a popular gadget. Although relatively small, when willingly or accidentally misused in public spaces they can potentially cause harm.

More ominously, they can be armed with cameras, transmitters or even explosives and flown into controlled areas unnoticed. They could be used by terrorists for reconnaissance or flown into a descending passenger plane. There is also concern they may interfere with aircraft navigation or train controls.

Due to their size, drones often cannot be seen by conventional scanning radar, so for Stupples’ latest research he’s working with Cambridge-based company Aveillant to develop a new kind of radar. This collaboration has led to what Aveillant calls “the world’s first 3D holographic radar system.” What makes this so unique is that it’s able to “look” in all directions at once, rather than be on target once every few seconds. As a result it can pick up the tiny drones.

While this advancement may be good news for the likes of Airbus, Stupples says that it could have ramifications for the world’s most expensive plane: the multibillion-dollar F-35 Lightning II stealth fighter. Stupples says. “I believe this new radar will be able to see it, which makes you question whether [the F-35 is] the correct route to go down. Not only me but a lot of other people in the radar world take the view that this is not money well spent.”

The U.S. and U.K. governments, who have nailed their colors to the mast of the F-35, would probably beg to differ. Regardless, Stupples’ research raises an important issue. Undoubtedly, we are living in a world where increasing digitization and interconnectivity are bringing us many advantages. With those benefits, however, come new risks. The research done by Stupples and others makes it easier to understand those risks better and introduce measures that will protect us all.