It is “only a matter of time” until a commercial aircraft is hacked, the Department of Homeland Security and other US government agencies have warned. Most planes lack cybersecurity protections to prevent such a hack.
Motherboard obtained internal DHS documents through a Freedom of Information Act request which detail vulnerabilities with commercial aircraft and risk assessments. A number of the documents are still being “withheld pursuant to exemption” of the FOIA.
The release includes a January presentation from Pacific Northwest National Laboratory (PNNL), part of the Department of Energy, outlining the group’s efforts to hack an aircraft via its wifi service as a security test.
The hacking test was to be carried out without any insider help, from a position of public access (for example, a passenger seat or the airport terminal), and without using hardware that would trigger airport security. According to the presentation, the hack allowed the researchers to “establish actionable and unauthorized presence on one or more onboard systems.”
Another document, from 2017, says testing indicates “viable attack vectors exist that could impact flight operations.” A DHS presentation included in the documents says“most commercial aircraft currently in use have little to no cyber protections in place.” It points to the fact that even a perceived successful cyber attack could have an “enormous impact on the global aviation industry.”
The DHS Science and Technology Directorate documents warn that current policies and practices are not adequate to deal with the “immediacy and devastating consequences that could result from a catastrophic cyber attack on an airborne commercial aircraft.”
The threat of airline hacks is something that has been known for some time. In 2015, the FBI warned staff to watch out for unusual behavior after computer security expert Chris Roberts said he accessed aircraft control systems to connect to the in-flight entertainment console as many as 20 times.
In November, DHS official Robert Hickey said the agency successfully hacked the avionics of a commercial Boeing 757 in 2016. He also claimed representatives from American Airlines and Delta Airlines were shocked to learn the government had been aware of the risk of such hacks for so long and hadn’t bothered to let them know.
However, a Boeing spokesperson told the Daily Beast that they witnessed the test and “can say unequivocally that there was no hack of the airplane’s flight control systems.”
In 2014, security expert Ruben Santamarta warned hackers could access a plane’s satellite communications equipment through Wifi and inflight entertainment systems, after he devised a way to do it himself. Santamarta said the vulnerable systems were not only used in airplanes, but also in “ships, military vehicles, as well as industrial facilities like oil rigs, gas pipelines, and wind turbines.”
At the 2018 Black Hat conference, Santamarta will demonstrate how it’s possible to hack an aircraft from the ground, accessing the wifi network and reaching the plane’s satellite communication, which could be weaponized as a radio frequency (RF) tool.
“These are real cases. They are no longer theoretical scenarios,” he told Dark Reading. “We are using [vulnerabilities] in satcom devices to turn those devices into weapons.”