Centre for Strategic Cyberspace + Security Science
August 20, 2016 | Commentary | By Richard Zaluski


COMMENTARY

Airlines and Hacking

The airline industry seems to be up in the clouds when it comes to addressing cyber issues and vulnerabilities in aircraft systems that are highly interconnected and digitally controlled, especially with the trend of offering online services to passengers in flight.

Most airlines today do not have any ‘real’ security plan other than acknowledging there is a threat and that they are dealing with it. A survey conducted by Airsight concluded that 57% of those polled are operating without any plan or plans regarding EFBs (tablet-based electronic flight bags) used by pilots and supporting flight and ground crews. This leaves the door open to the potential for cyber attacks, attacks that could have devastating consequences.

Among airlines that do have a cybersecurity plan, in about half (52%) of the cases it is part of a larger data security strategy. Cybersecurity is mostly handled by IT (64%), which is traditional within corporate environments, with flight operations handling the rest (28%). This does not bode well.

Recently, cyber security researcher Ruben Santamarta stated that he has devised a method (1) that can give hackers access to a passenger jet’s satellite communications equipment through the passenger Wi-Fi and in-flight entertainment systems, potentially gaining control from their seat.

The concern is clear: while the attack is only theoretically possible, the impact of such a potentially gaping hole in security cannot be dismissed because of counterarguments. Time and again, industry experts have displayed a Titanic-like fascination with the idea that their systems are secure, ‘unsinkable’, and that precautions have been taken. However, those in the cybersecurity industry understand that there is no such thing as perfect security, no “Silver Bullet” cure to secure a system, and that eventually time and cyberspace will catch up, leading to who knows what.

The bottom line here is that the hack targets the equipment’s firmware and gives hackers the ability to manipulate the avionics system, which in turn could affect navigation. After all, avionics is software.

The cause for concern is clear: if Santamarta’s claims check out, the exploit affects some of the most common off-the-shelf satellite communications equipment on the market. This translates to systemic problems spanning numerous industries. These systems are not industry specific: they are used not only by airlines, their planes, and support equipment, but also by ships, military vehicles, and industrial facilities like oil rigs and gas pipelines, essentially the energy sector.

Can this occur? Maybe yes, maybe no, but the potential is always there. There has been debate over whether the crash of Spanair flight 5022, which went down after takeoff from Barajas airport in 2008, killing 150+ people on board, was due to malware. This is an example of what happens when malware in mission critical systems is ignored.

Ultimately aircraft today are very sophisticated with systems running software to control components that if compromised at any seen or unforeseen level. Systems in place now, as far as my understanding goes, were not written with (cyber) security in mind. This leaves systems weakly protected and exposed. Some may argue that the skill level required to achieve such a hack would be very high. Many investigators agree that an attacker with a deep knowledge of the plane’s system could intentionally cause serious problems with its normal operation.

Fair enough; however, that does not dispel the fact that it can happen, and if Murphy’s law is correct, it is only a matter of time.

The recent incident involving Malaysia Airlines Flight MH370 has spawned a great deal of discussion within security ranks about whether it would be possible to compromise an aircraft’s systems and gain complete control of on-board systems, locking out the flight crew, including the pilots. There has been discussion about this type of event taking place, with many security experts presenting possible attack scenarios, but never has an attacker moved from theory to practical reality. While investigations continue, so will the debate over what really happened to MH370, with some hypothesizing that it could be the result of a cyber attack against the airplane.

While the search for evidence continues in the hope of providing more and clearer indications of what really happened to the flight, some security experts have hypothesized that it could be the result of a cyber attack against the airplane. Some experts have warned of the theoretical possibility that it could have been an attack against the in-flight entertainment system that allowed the hackers to infiltrate the security software.

This theory was set out by a British anti-terrorism expert who affirmed that similar attacks are possible due to the existence of specific exploits. The former scientific adviser to the UK’s Home Office, Sally Leivesley, revealed that Boeing 777 controls could be accessed with a radio signal sent from a small device.

As the debate continues, aircraft systems remain open to attack, with the potential of any real or theoretical threat present and growing as time moves on and systems become more connected.

The question is when the first logic bomb will bring down an aircraft.

Richard Zaluski, CSCSS President, CEO

Further Information

For more information or to contact the author please contact CSCSS external relations.

About the author

Richard Zaluski

Richard Zaluski is an internationally recognized cybersecurity specialist, technologist, evangelist and course author. Speaking internationally at cyber-focused events, as a researcher Richard focuses on current events in cyberspace, cybersecurity and the trends + impact on national security, related economic security and next-gen cyber innovation. Richard also lectures on understanding the role of intelligence at the nation-state level by incorporating a geopolitical perspective.

ABOUT CSCSS
The Center for Strategic Cyberspace + Security Science is a bipartisan, multilateral, international nonprofit organization headquartered in London, United Kingdom. It seeks to advance global cyberspace security and prosperity by providing strategic insights for cyberspace and policy solutions to decision makers.