IoT
1/7/2019
10:30 AM
Bruce Jackson
Commentary

Threat of a Remote Cyberattack on Today's Aircraft Is Real

We need more stringent controls and government action to prevent a catastrophic disaster.

The Federal Aviation Administration says today's aircraft are safe from cybercriminals. Major aircraft builders say the same thing. But the Department of Homeland Security (DHS) and the Department of Energy say "Not so fast." A few influential politicians and some experts in the aeronautics industry have also voiced their concerns in the past year.

It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.

What's so exasperating is that policies, process, procedures, and tools exist to mitigate the risk. But the wheels of life-preserving change may not be turning quickly enough — a possibility exacerbated by the fact that a widespread skills gap is preventing change from being realized.

Motherboard, one of several Vice channels, reported in June that US government researchers think it's only "a matter of time before a cyber security breach on an airline occurs." Moreover, according to DHS documents the publication obtained via a Freedom of Information Act request, government officials believe aircraft still in use today lack sufficient cybersecurity protections — if they have them at all.

These concerns are not new. Last November, CBS News reported that cybersecurity experts working with DHS in September 2016 took only two days to remotely hack into a Boeing 757 at the Atlantic City (New Jersey) International Airport via radio frequency communications.

The attack was conducted by Robert Hickey, the aviation program manager for the Cyber Security Division of the DHS Science and Technology Directorate. He told Avionics Magazine, "I didn't have anybody touching the airplane. I didn't have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft." He added that, based on how most aircraft radio frequencies are configured, "you can come to grips pretty quickly where we went."

A few notes about that attack:

  • The 757 first entered airline service in 1984, but it's been 15 years since one was built. Major airlines are still flying the narrow-body, twin-engine aircraft.
  • The 757 is far less networked than modern planes.
  • 757s have only a handful of software parts, whereas the modern e-enabled aircraft has hundreds of loadable software aircraft components that can be delivered to the aircraft wirelessly.
  • 757s have small numbers of potential entry points, while modern planes have dozens. That means the attack was the equivalent of performing a test on a 1985 Ford Escort instead of on a 2018 Tesla Model S.
  • President Trump's personal plane is a 757, and Air Force Two — the official jet of the vice president — is a Boeing C-32, the US Air Force transportation version of the 757.

Responding to the attack, Boeing issued a multiparagraph statement that included this passage: "Boeing is confident in the cyber-security measures of its airplanes. … Boeing's cyber-security measures … meet or exceed all applicable regulatory standards."

In 2015, the General Accounting Office (GAO) stated that the FAA needed a more comprehensive approach to address cybersecurity. That same year, the FAA initiated the Aviation Rulemaking Advisory Committee to provide industry recommendations regarding aircraft systems information security. The industry recommendations have not been acted upon.

So, Washington, we have a problem.

Addressing the Problem
To solve it, we need industry regulations that require updated cybersecurity policies and protocols, including mandatory penetration testing by aviation experts who are independent of manufacturers, vendors, service providers and aircraft operators. Be mindful of those who claim aviation expertise; few have the necessary experience, but many claim they do.

"Pen testing" is essentially what DHS experts were conducting during the Boeing 757 attack. A pen test is a simulated attack on a computer system that identifies its vulnerabilities and strengths. Pen testing is one of many ways to mitigate risk, and we need more trained aviation and cyber personnel to deal with the current and emerging cyber threats — those that haven't even been conceived of yet.

Unfortunately, a pen-testing skills gap exists. According to a recent SecureAuth survey of IT decision makers, only 43% of organizations say they think they are staffed to handle pen-testing workloads. The skills gap grows far wider when aviation expertise is added to the equation.

Clearly, that issue needs to be addressed by cybersecurity and aviation industry leaders. The FAA Reauthorization Act of 2018 includes language to address cybersecurity. But we need more training, education, and emphasis on preventing malevolent actors from having the ability to use aircraft as potential weapons.

As for government regulations, The Hill wrote on the 17th anniversary of 9/11 that New Jersey Congresswoman Bonnie Watson Coleman and her colleagues are working on a bill that would strengthen the Transportation Security Administration's basic cybersecurity standards. "We cannot allow [cybercriminals] access to cockpits via cyber means," she said.

Agreed. Because at the moment, we're sitting on a ticking time bomb.

Bruce Jackson, President and Managing Director of Air Informatics, has extensive experience with in-flight satellite and Wi-Fi connectivity and was a principal investigator for the NASA Advanced Communication Technology Satellite (ACTS). He was also the wireless architect for ...

Comments
Bender-ici,
User Rank: Apprentice
1/8/2019 | 10:31:37 AM
Threat of Hacking Aircraft is Exaggerated
The Hickey pentest has been used to make all sorts of claims, but nobody mentions that Hickey only made these claims once at a conference and they were unauthorized. As a result, he is no longer an employee of DHS.

Hacking wi-fi on an aircraft is certainly feasible and when it has happened (on only a few occasions), the aircrew simply turned it off. These alarmist commentaries are not news and they fail to mention that wi-fi infrastructure on the aircraft is not related to operational infrastructure - at current, there is no danger to safety of flight. This threat is being grossly exaggerated by people who want to grab attention.

There are a host of technical issues that are never mentioned by these types of articles, which make it sound like it is easy to bring down an aircraft. Even if this were feasible, at some point, interfering with flight safety would get said hacker a very long prison sentence. If they were to bring down an aircraft, that's mass murder - which is a ticket to a lethal injection couch in the U.S. The "I didn't think the plane would crash defense" won't convince any jury.

Pentesting avionics and aircraft systems for vulnerabilities is a good idea and many companies have bug bounty programs. Stirring up fear based on unproven claims is not a good idea.

 
REISEN1955,
User Rank: Ninja
1/7/2019 | 1:24:49 PM
Indeed yes
A simple DOWN command would not be good. 