Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

10:30 AM
Bruce Jackson
Bruce Jackson
Connect Directly
E-Mail vvv

Threat of a Remote Cyberattack on Today's Aircraft Is Real

We need more stringent controls and government action to prevent a catastrophic disaster.

The Federal Aviation Administration says today's aircraft is safe from cybercriminals. Major aircraft builders say the same thing. But the Department of Homeland Security (DHS) and the Department of Energy say "Not so fast." A few influential politicians and some experts in the aeronautics industry have also voiced their concerns in the past year.

It's not beyond the realm of possibility that a determined, properly prepared malicious actor could break into and compromise an airplane's network — without ever so much as entering the airport.

What's so exasperating is that policies, process, procedures, and tools exist to mitigate the risk. But the wheels of life-preserving change may not be turning quickly enough — a possibility exacerbated by the fact that a widespread skills gap is preventing change from being realized.

Motherboard, one of several Vice channels, reported in June that US government researchers think it's only "a matter of time before a cyber security breach on an airline occurs." Moreover, according to DHS documents the publication obtained via a Freedom of Information Act request, government officials believe aircraft still in use today lack sufficient cybersecurity protections — if they have them at all.

These concerns are not new. Last November, CBS News reported that cybersecurity experts working with DHS in September 2016 took only two days to remotely hack into a Boeing 757 at the Atlantic City (New Jersey) International Airport via radio frequency communications.

The attack was conducted by Robert Hickey, the aviation program manager for the Cyber Security Division of the DHS Science and Technology Directorate. He told Avionics Magazine, "I didn't have anybody touching the airplane. I didn't have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft." He added that, based on the how most aircraft radio frequencies are configured, "you can come to grips pretty quickly where we went."

A few notes about that attack:

  • The 757 first entered airline service in 1984, but it's been 15 years since one was built. Major airlines are still flying the narrow-body, twin-engine aircraft.
  • The 757 is far less networked than modern planes.
  • 757s have only a handful of software parts, whereas the modern e-enabled aircraft has hundreds of loadable software aircraft components that can be delivered to the aircraft wirelessly.
  • 757s have small numbers of potential entry points, while modern planes have dozens. That means the attack was the equivalent of performing a test on a 1985 Ford Escort instead of on a 2018 Tesla Model S.
  • President Trump's personal plane is a 757, and Air Force Two — the official jet of the vice president — is a Boeing C-32, the US Air Force transportation version of the 757.

Responding to the attack, Boeing issued a multiparagraph statement that included this passage: "Boeing is confident in the cyber-security measures of its airplanes. … Boeing's cyber-security measures … meet or exceed all applicable regulatory standards."

In 2015, the General Accounting Office (GAO) stated that the FAA needed a more comprehensive approach to address cybersecurity. That same year, the FAA initiated the Aviation Rulemaking Advisory Committee to provide industry recommendations regarding aircraft systems information security. The industry recommendations have not been acted upon.

So, Washington, we have a problem.

Addressing the Problem
To solve it, we need industry regulations that require updated cybersecurity policies and protocols, including mandatory penetration testing by aviation experts who are independent of manufacturers, vendors, service providers and aircraft operators. Be mindful of those who claim aviation expertise; few have the necessary experience, but many claim they do.

"Pen testing" is essentially what DHS experts were conducting during the Boeing 757 attack. A pen test is a simulated attack on a computer system that identifies its vulnerabilities and strengths. Pen testing is one of many ways to mitigate risk, and we need more trained aviation and cyber personnel to deal with the current and emerging cyber threats — those that haven't even been conceived of yet.

Unfortunately, a pen-testing skills gap exists. According to a recent SecureAuth survey of IT decision makers, only 43% of organizations say they think they are staffed to handle pen-testing workloads. The skill gap grows far wider when aviation expertise is added to the equation.

Clearly, that issue needs to be addressed by cybersecurity and aviation industry leaders. The FAA Reauthorization Act of 2018 includes language to address cybersecurity. But we need more training, education, and emphasis on preventing malevolent actors from having the ability to use aircraft as potential weapons.

As for government regulations, The Hill wrote on the 17th anniversary of 9/11 that New Jersey Congresswoman Bonnie Watson Coleman and her colleagues are working on a bill that would strengthen the Transportation Security Administration's basic cybersecurity standards. "We cannot allow [cybercriminals] access to cockpits via cyber means," she said.

Agreed. Because at the moment, we're sitting on a ticking time bomb.

Related Content:

Bruce Jackson, President and Managing Director of Air Informatics, has extensive experience with in-flight satellite and Wi-Fi connectivity and was a principal investigator for the NASA Advanced Communication Technology Satellite (ACTS). He was also the wireless architect for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
1/7/2019 | 1:24:49 PM
Indeed yes
A simple DOWN command would not be good. 
User Rank: Apprentice
1/8/2019 | 10:31:37 AM
Threat of Hacking Aircraft is Exaggerated
The Hickey pentest has been used to make all sorts of claims, but nobody mentions that Hickey only made these claims once at a conference and they were unauthorized. As a result, he is no longer an emplloyee of DHS.

Hacking wi-fi on an aircraft is certainly feasible and when it has happened (on only a few occasions), the aircrew simply turned it off. These alarmist commentaries are not news and they fail to mention that wi-fi infrastructure on the aircraft is not related to operational infrastructure - at current, there is no danger to safety of flight. This threat is being grossly exaggerated by people who want to grab attention.

There are a host of technical issues that arer never mentioned by these type articles, who make it sound like it is easy to bring down an aircraft. Even if this were feasible, at some point, interfering with flight safety would get said hacker a very long prison sentence. If they were to bring down an aircraft, that's mass murder - which is a ticket to a lethal injection couch in the U.S. The "I didn't think the plane would crash defense" won't convince any jury.

Pentesting avionics and aircraft systems for vulnerabilities is a good idea and many companies have bug bounty programs. Stirring up fear based on unproven claims is not a good idea.

US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...