How can airlines stop hackers pwning planes over the air? And don't say 'regular patches'

At least some commercial aircraft are vulnerable to wireless hacking, a US Department of Homeland Security official has admitted.

A plane was compromised as it sat on the tarmac at a New Jersey airport by a team of boffins from the worlds of government, industry and academia, we're told. During the hack – the details of which are classified – experts accessed systems on the Boeing 757 via radio-frequency communications.

“We got the airplane on September 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the cyber-security division of the DHS's science and technology directorate, while speaking at the CyberSat Summit in Virginia earlier this month.

The research team was made up of eggheads from MIT; the US Department of Energy's Pacific Northwest National Laboratory; the University of California San Diego, SRI International, and QED Secure Solutions.

Initially, the team's findings were written off by computer security experts as old news, and “it’s not a big deal,” Hickey told Defense Daily. However, during a technical meeting in March to discuss the project's findings, a bunch of commercial airline pilots said they were unaware of the vulnerabilities exploited during the hack.

In other words, the wireless intrusion was old hat to infosec pros safely behind their desks, but news to the people flying and working on the actual things. It should come as no surprise that airplanes, like any computer-controlled electronic system, has bugs and these bugs can be exploited by meddling miscreants.

Previous work

A couple of years ago, security researcher Chris Roberts was accused of hacking into the controls of a United Airlines plane in midair via the inflight entertainment system. Roberts tweeted about airplane network security during the flight to Syracuse, New York. He was questioned on arrival by the Feds. However, there is no evidence he accessed flight control systems, and no charges were ever brought.

In 2014, Brad Haines poked air traffic control and ADS-B security, and found various threats to installations.

And back in 2013, infosec pro Hugo Teso claimed that some commercial aircraft could be compromised with little more than a mobile phone, which was disputed by America's aviation safety watchdog at the time.

Other researchers such as Ruben Santamarta have looked into the security of airplane satellite comms systems.

Steve Armstrong, an incident response expert and former lead of the UK's Royal Air Force penetration and TEMPEST testing teams, told El Reg that aircraft have benefited from what's known as security through obscurity – not that many IT security bods have scrutinized airplane technology nor are able to gain access into the systems or are able to interface with the connectors and other buses onboard. However, as wireless gadgets, such as Wi-Fi hotspots, are added to aircraft, this opens them up to remote hacking via common protocols.

Basically, it's now possible to be simply near a vulnerable piece of equipment and compromise it over the air using standard off-the-shelf tech, as opposed to having to physically expose interface ports, break into cabinets, wire up plugs, and so on, to tamper with stuff.

“Aircraft are perceived to be closed systems with the only interfaces being touch screens," said Armstrong. "On board Wi-Fi and other data-buses use standard IP [internet protocol connections]."

"Modern company networks have defenders constantly monitoring the network,” whereas planes simply don't. “Airplanes report their exact take off times and synchronize to servers. All these open up interfaces to attacks that most legacy aircraft are not equipped to protect,” he said.

Meanwhile, Hickey said research into aircraft security is ongoing. Homeland Security has yet to formulate specific advice for airplane manufacturers and airlines. Hickey also pointed out that patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive

Patching

Recently designed commercial aircraft – such as Boeing’s 787 and the Airbus Group A350 – were drafted with computer security in mind, we're told, but resisting or preventing cyber-attacks were not on the design criteria list for older aircraft, which still make up the vast majority of airline fleets.

Airplane communication and information technology systems are fundamentally different from conventional enterprise networks so attempting to address airplane cybersecurity the same way it is approached for land-based networks “is going to leave us short of the mark,” according to Hickey.

Armstrong agreed with this general assessment, adding that the rigorous requirements of aircraft safety testing and regular patching pulled in different directions.

“Companies that make aircraft components don’t like to do frequent updates to devices as the testing process is lengthy and thus costly. So with tight margins and the historic push for safety over everything, many components aren’t updated,” Armstrong explained. ®