Hijack hack: Modern planes vulnerable to remote midair takeover, says US govt watchdog
"Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems,"the report states, quoting cyber security and aviation experts.
Modern aircraft systems use IP networking to communicate within the Federal Aviation Authority (FAA), and if one system connected to an IP network is compromised, damage can potentially spread to other systems on the network.
The report doesn’t provide any specifics on how the hacking and taking over could be done, but states that the person would have to get through the firewalls that divide the aircraft’s flight control and entertainment systems.
“Firewalls are software components, they could be hacked like any other software and circumvented,” the report cited experts as saying.
The report enumerates the ways that it could potentially be done by a hacker.
A “virus or malware planted in websites visited by passengers” could enable the attacker to get access to the onboard data system via the infected computers.
There is also the possibility of a physical connection, such as a USB plug in a passenger seat, should those wires be connected to the plane’s electronics.
However, there are ways to deal with such a threat: modern planes have a several redundancy mechanisms that can be used to deal with the potential issues.
The GAO report doesn’t specify if there has been actual testing or only theoretical mockups of such situations.
Older planes aren’t so internet-based, and this makes the risk less for the aircraft as old as 20 years or more.
The report concludes that FAA needs to work on certification of aircraft avionics that will account for these vulnerabilities and remove them as possible threats to commercial aviation.
In response, the agency drafted a letter, with Keith Washington, acting assistant secretary for administration with the FAA, saying the agency "recognizes that cyber-based threats to federal information systems are becoming a more significant risk and are rapidly evolving and increasingly difficult to detect and defend against. We take this risk very seriously."
Boeing and Airbus also reacted to the report, with the former stressing they aim to design secure aircraft.
The jets “have more than one navigational system available to pilots,” and then “no changes to the flight plans loaded into the airplane systems can take place without pilot review and approval.”
In addition, there are a few security measures in place that “help ensure safe and secure airplane operations.”
Airbus published a statement saying that they “constantly assess and revisits the system architecture of <…> products, with an eye to establishing and maintaining the highest standards of safety and security.”
However, they didn’t disclose any specifics beyond that.