Could terrorists hijack an airliner remotely by hacking into its cockpit controls, putting its fate in their hands?
This question is being asked because of the revelation that a team of cyber experts at the Department of Homeland Security successfully hacked into the avionics of a commercial airplane parked at an airport as part of a test.
The problem is that nobody with knowledge of aviation cyber security is sure of how vulnerable airplanes are to such an attack—and some believe that the DHS test has simply added to the confusion and created needless alarm.
A Boeing spokesman told The Daily Beast: “We witnessed the test and can say unequivocally that there was no hack of the airplane’s flight control systems.”
Information about the extent of the test is restricted and there is a strong feeling among hacking experts that the full extent of the threat will remain underestimated—as they claim it has been for years.
The issue ignited after Robert Hickey, from the Cyber Security Division of the DHS, told a meeting of cyber experts in Virginia that his team had “accomplished a remote, non-cooperative penetration” of a Boeing 757, owned by the department, while it was parked at Atlantic City airport.
Although the 757 is basically a 1970s design, hundreds of them are still flown by American carriers—and nine are operated by the U.S. Air Force for use by diplomats and officials including one used by the secretary of State—as well as Donald Trump’s personal jet that he used prominently during the presidential campaign.
Hickey said that his team’s work is classified but he revealed enough at the CyberSat Summit in Tysons Corner, Virginia, to make it clear that hacking the airplane had been swift and relatively simple and involved “typical stuff that could get through security.”
Hickey said that while the avionics in the latest generation of jets are designed with protections against hacking, 90 percent of commercial jets still flying lack those protections because the age of their systems prohibits upgrades—the Air Force’s 757s, for example, are 22 years old.
Scott McConnell, a spokesman for the DHS, told The Daily Beast: “The comments made during the 2017 CyberSat Summit lack important context, including an artificial testing environment and risk reduction measures already in place.
“The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risk.”
This is not the picture given by Hickey. He said that neither the airlines nor the Air Force had maintenance crews capable of detecting cyber threats to an airplane.
Cybersecurity experts who spoke to The Daily Beast believed that the “typical stuff” referred to by Hickey as the means he used to make the hack could be something as simple and cheap as a $20 dollar USB TV tuner.
One expert who has presented his own research into aviation hacking at conferences, Brad Haines, said, “Anyone with a TV tuner can listen in to raw position data and other telemetry from planes directly. The threat models never anticipated this.”
Haines has carried out tests himself to discover weak points in the cyber defenses of airplane systems in order to raise public awareness of the problem. He adds: “Manufacturers and airlines don’t let researchers, even with honest intentions, get access to find a very expensive problem. Their faith in the systems is never challenged.”
Ruben Santamarta, principal security consultant at cybersecurity firm IOActive, reviewing Hickey’s remarks, said, “You can get on board an airplane without much difficulty. It seems that they did not even have to be physically inside the aircraft, so a laptop, an antenna, and a radio device is probably enough—all can be bought on the internet, are perfectly legal and allowed to pass through airport security.”
Since the DHS tests were carried out on an airplane parked on the tarmac, and not in the air, an airline industry source cautioned that they were “done in a manner that was far from anything that would ever occur in real world conditions.” (The DHS declined a Daily Beast request to elaborate on the purpose and scope of the tests, while the Boeing spokesman said, “I can’t disclose the specifics of the test. But it obviously did not involve anything critical.”)
In any event, attacking an airplane in the air is far more challenging than, say, attacking fixed infrastructure like a power grid. Santamarta said, “Critical infrastructure in motion, such as aircraft or vessels, usually requires a different kind of communications channel.” He suggested that an airplane’s satellite communications or other radio links “can be leveraged to launch attacks.”
The use of those potentially vulnerable satellite communications channels has significantly increased in the last five years. Airliner navigation is moving from ground-based radar to GPS systems connecting the cockpit directly to satellites, particularly at critical parts of a flight during takeoff and landing. In-flight WiFi in cabins also links to satellites, creating another opening for a hacker to use to enter the airplane.
This leads to what is potentially the gravest potential threat posed by hacking—in effect, opening the possibility of remotely hijacking the controls from the pilots. Although specific details of how a particular airplane’s flight deck is defended from cyberattack are classified, the basic principle is that the critical flight controls are firewalled from interference—malignant or benign.
However, serious vulnerabilities in the cockpit have shown up from non-malignant interference.
In 2014 the Federal Aviation Administration warned that the screens displaying critical information to the pilots in more than 1,300 Boeing airplanes could flicker or even go blank during takeoffs and landings “which could result in loss of airplane control at an altitude insufficient for recovery.”
The display screens, manufactured by Honeywell, were vulnerable both to WiFi and cellphones being used in the passenger cabins and electronic interference from outside including from satellite communications and weather radar.
The airplanes involved were five versions of the world’s most ubiquitous airliner, the Boeing 737 and the large wide-body Boeing 777. An FAA ruling gave the airlines five years to replace the screens with updated versions not susceptible to interference.
An FAA spokesperson told The Daily Beast they had no record of how many airplanes have so far been brought into compliance with the ruling “because there was no reporting requirement” in the order.
It would be a lot more expensive to fix a weakness discovered in one of today’s most advanced and fully-automated cockpits if it was discovered and was suspected of being vulnerable to hacking. It has been estimated, for example, that re-writing one line of computer code in avionics equipment could cost $1 million and take a year to complete.
“The figures may vary slightly” says Santamarta, “but when a critical vulnerability is found in core avionics components the whole process to fix the issue is extremely complex.”
Haines says that for years independent researchers like him have pointed out that the testing of avionics systems by manufacturers is confined to looking for technical flaws designed into the systems, not for vulnerabilities to hacking where there is “an intelligence behind the failure.” He cites the ability of a hacker to enter data that might look legitimate but is malign.
Ironically, the vastly increased role of avionics in monitoring and controlling the vital functions of airplanes has made flying much safer, virtually eliminating areas where human error was a factor in crashes, like the euphemistically labeled “controlled flight into terrain.” When these systems were first being fully embraced, in the 1990s, nobody foresaw the possibility of an external threat like hacking.
That being said, the computers running an airplane’s flight controls are programmed to detect if data fed to them is anomalous and, if it is, to shut down so that the pilots can fly the airplane manually. For example, in 2009 the flight management system of Air France Flight 447, from Rio to Paris, shut down because of false data from an instrument that had failed due to icing.
The crew should have been able to take control manually. Because of poor training they never regained control and the Airbus A330 crashed into the South Atlantic with the loss of 228 lives. Since then all pilots have received new training to ensure that they are able to recover when the computers fail. But no crew has yet had to grapple with the consequences of their flight control protections being breached by a hacker, nor is there any training program to prepare them for that.
The basic premise behind cybersecurity defenses is that they should anticipate all threats and always be ahead of them. But when what is supposed to be the savviest and most secure of our national systems, the National Security Agency’s own secret cyber unit, has been successfully penetrated (whether by internal negligence or outside hacking remains unclear) aviation can suddenly seem a dangerously soft target.
Haines says, “The airline industry should have paid attention to hackers about half a decade ago. We were ahead of the curve and we were dismissed at their own peril.”
The use of hacking to attack aviation is another instance of the increasing spread of asymmetric warfare. Haines points out that not so long ago hacking an airplane would have required specialized equipment costing millions of dollars that was available from a limited number of vendors. Now, airplanes are moving closer to being fully automated with systems that have cost billions to develop—while the bad guys can attack them with off-the-shelf devices that may seem harmless but are, in fact, lethal weapons of an entirely new kind.