Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

10:30 AM
Bruce Jackson
Bruce Jackson
Connect Directly
E-Mail vvv

Threat of a Remote Cyberattack on Today's Aircraft Is Real

We need more stringent controls and government action to prevent a catastrophic disaster.

The Federal Aviation Administration says today's aircraft is safe from cybercriminals. Major aircraft builders say the same thing. But the Department of Homeland Security (DHS) and the Department of Energy say "Not so fast." A few influential politicians and some experts in the aeronautics industry have also voiced their concerns in the past year.

It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.

What's so exasperating is that policies, process, procedures, and tools exist to mitigate the risk. But the wheels of life-preserving change may not be turning quickly enough — a possibility exacerbated by the fact that a widespread skills gap is preventing change from being realized.

Motherboard, one of several Vice channels, reported in June that US government researchers think it's only "a matter of time before a cyber security breach on an airline occurs." Moreover, according to DHS documents the publication obtained via a Freedom of Information Act request, government officials believe aircraft still in use today lack sufficient cybersecurity protections — if they have them at all.

These concerns are not new. Last November, CBS News reported that cybersecurity experts working with DHS in September 2016 took only two days to remotely hack into a Boeing 757 at the Atlantic City (New Jersey) International Airport via radio frequency communications.

The attack was conducted by Robert Hickey, the aviation program manager for the Cyber Security Division of the DHS Science and Technology Directorate. He told Avionics Magazine, "I didn't have anybody touching the airplane. I didn't have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft." He added that, based on the how most aircraft radio frequencies are configured, "you can come to grips pretty quickly where we went."

A few notes about that attack:

  • The 757 first entered airline service in 1984, but it's been 15 years since one was built. Major airlines are still flying the narrow-body, twin-engine aircraft.
  • The 757 is far less networked than modern planes.
  • 757s have only a handful of software parts, whereas the modern e-enabled aircraft has hundreds of loadable software aircraft components that can be delivered to the aircraft wirelessly.
  • 757s have small numbers of potential entry points, while modern planes have dozens. That means the attack was the equivalent of performing a test on a 1985 Ford Escort instead of on a 2018 Tesla Model S.
  • President Trump's personal plane is a 757, and Air Force Two — the official jet of the vice president — is a Boeing C-32, the US Air Force transportation version of the 757.

Responding to the attack, Boeing issued a multiparagraph statement that included this passage: "Boeing is confident in the cyber-security measures of its airplanes. … Boeing's cyber-security measures … meet or exceed all applicable regulatory standards."

In 2015, the General Accounting Office (GAO) stated that the FAA needed a more comprehensive approach to address cybersecurity. That same year, the FAA initiated the Aviation Rulemaking Advisory Committee to provide industry recommendations regarding aircraft systems information security. The industry recommendations have not been acted upon.

So, Washington, we have a problem.

Addressing the Problem
To solve it, we need industry regulations that require updated cybersecurity policies and protocols, including mandatory penetration testing by aviation experts who are independent of manufacturers, vendors, service providers and aircraft operators. Be mindful of those who claim aviation expertise; few have the necessary experience, but many claim they do.

"Pen testing" is essentially what DHS experts were conducting during the Boeing 757 attack. A pen test is a simulated attack on a computer system that identifies its vulnerabilities and strengths. Pen testing is one of many ways to mitigate risk, and we need more trained aviation and cyber personnel to deal with the current and emerging cyber threats — those that haven't even been conceived of yet.

Unfortunately, a pen-testing skills gap exists. According to a recent SecureAuth survey of IT decision makers, only 43% of organizations say they think they are staffed to handle pen-testing workloads. The skill gap grows far wider when aviation expertise is added to the equation.

Clearly, that issue needs to be addressed by cybersecurity and aviation industry leaders. The FAA Reauthorization Act of 2018 includes language to address cybersecurity. But we need more training, education, and emphasis on preventing malevolent actors from having the ability to use aircraft as potential weapons.

As for government regulations, The Hill wrote on the 17th anniversary of 9/11 that New Jersey Congresswoman Bonnie Watson Coleman and her colleagues are working on a bill that would strengthen the Transportation Security Administration's basic cybersecurity standards. "We cannot allow [cybercriminals] access to cockpits via cyber means," she said.

Agreed. Because at the moment, we're sitting on a ticking time bomb.

Related Content:

Bruce Jackson, President and Managing Director of Air Informatics, has extensive experience with in-flight satellite and Wi-Fi connectivity and was a principal investigator for the NASA Advanced Communication Technology Satellite (ACTS). He was also the wireless architect for ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/8/2019 | 10:31:37 AM
Threat of Hacking Aircraft is Exaggerated
The Hickey pentest has been used to make all sorts of claims, but nobody mentions that Hickey only made these claims once at a conference and they were unauthorized. As a result, he is no longer an emplloyee of DHS.

Hacking wi-fi on an aircraft is certainly feasible and when it has happened (on only a few occasions), the aircrew simply turned it off. These alarmist commentaries are not news and they fail to mention that wi-fi infrastructure on the aircraft is not related to operational infrastructure - at current, there is no danger to safety of flight. This threat is being grossly exaggerated by people who want to grab attention.

There are a host of technical issues that arer never mentioned by these type articles, who make it sound like it is easy to bring down an aircraft. Even if this were feasible, at some point, interfering with flight safety would get said hacker a very long prison sentence. If they were to bring down an aircraft, that's mass murder - which is a ticket to a lethal injection couch in the U.S. The "I didn't think the plane would crash defense" won't convince any jury.

Pentesting avionics and aircraft systems for vulnerabilities is a good idea and many companies have bug bounty programs. Stirring up fear based on unproven claims is not a good idea.

User Rank: Ninja
1/7/2019 | 1:24:49 PM
Indeed yes
A simple DOWN command would not be good. 
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
PUBLISHED: 2019-08-21
KBPublisher has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.