Hackers could use the Wi-Fi systems on planes to take control of the latest generation of commercial jets, the Government Accountability Office warns. Released Tuesday, the GAO report cautions that the introduction of Wi-Fi systems for passenger use, the increasing prevalence of tablets and smartphones in cockpits, and the shift towards a new cloud-based air traffic control system have all made commercial flights increasingly vulnerable to malicious attacks. As airlines have embraced greater in-flight connectivity for passengers and crew alike, protecting aircraft from unwanted cyber visitors has become a real but often overlooked concern.
Rep. Peter DeFazio (D-Ore.) called upon the Federal Aviation Administration to treat the cyber threats seriously and to draft stricter protocols for airplane manufacturers to follow that would minimize the risks. The Oregon representative is a ranking member on the House Transportation and Infrastructure Committee, which commissioned the GAO report.
"This report exposed a real and serious threat — cyberattacks on an aircraft in flight," DeFazio told CNN. "[The FAA] must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system. That's a serious vulnerability."
According to the GAO, the newer commercial jets are vulnerable in a number of ways. First, the advent of passenger Wi-Fi systems on board makes it possible for hackers to infect the aircraft’s avionics. (Avionics is the mess of electrical systems that an aircraft uses to navigate, communicate, get off the ground, etc.) As long as the avionics and the Wi-Fi are sharing the same network, router and IP address, then the only thing keeping a hacker from accessing the plane’s systems is a firewall. And firewalls can always be breached, four cyber security experts told the GAO. The report added:
"According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors."
In some instances, the hackers wouldn’t even need to be on the plane and using the Wi-Fi in order to do their work. The report’s authors also worried about hackers accessing the plane’s computers through passengers’ devices that had already become infected by viruses through external websites accessed in-flight.
Finally, the experts cautioned about the possibility that hackers could access the plane’s navigational systems through tablets and smartphones in the cockpit itself.
"The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems," the report warned.
In 2013, during a conference demonstration, a security professional showed how he could take control of a plane using only his smartphone. By exploiting the GPS-based navigation system, he could manage the plane’s path and talk to air traffic control. (Hopefully, the aircraft manufacturers and industry regulators have since patched the vulnerability.)
But so far, there have not been any documented instances of malicious hacking that have exploited weaknesses in the Wi-Fi systems. Unless the FAA and other airline regulators change how aircraft manufacturers protect the avionics network from the broader Wi-Fi connectivity that the passengers can access, the risks remain very real. As commercial pilot John Barton told CNN:
"We've had hackers get into the Pentagon, so getting into an airplane computer system I would think is probably quite easy at this point."
Those risks loom even larger as the U.S. airline industry begins to transition to a new, cloud-based system of air traffic control by 2025. Known as the Next Generation Air Transportation System, the new GPS-based model will centralize all of the data about flights and flight paths, aircraft navigational systems and critical response under one cloud, in hopes of streamlining flight paths and cutting down on inefficiencies. In turn, some security experts have expressed concerns that the shift from radar to GPS will leave the air traffic control system open to hackers because it is easier to manufacture “ghost” or fake GPS signals and confuse the system.
As the commercial airline industry — and the air traffic control mechanisms that guide it — has moved into the digital age, the interconnected cockpit offers both advantages and new security risks. On the one hand, aircraft manufacturers are exploring ways to control an aircraft from the ground, in the event of an emergency that leaves the pilots incapacitated in some way. (Or perhaps locked out of the cockpit?) But on the other, increasing the ways that we can control an aircraft, particularly outside of the cockpit itself, opens up just that many more avenues for enterprising hackers to steal the captain’s seat.
"The Dreamliner and the A350 were actually designed to have the technology in it going forward to be able to have remote control intervention between the pilot and the ground or if an emergency were to happen in the air," Barton told CNN. "It's going to take a long time before we get to the point where that technology is safe and secure."
Just how worried should we be as passengers when waiting to board our next flight?
If you are on an older aircraft that isn’t plugged into the global network, then don't worry. Models from 20 years ago don’t have the technology for remote access. Instead, it’s the newer models that hackers could theoretically target.
But as CNN notes, the GAO did not specify if the report’s authors tested their hypotheses to see how easy it would be to get around firewalls and into a commercial plane’s avionics system, or if they were simply laying out the theoretical possibilities. After all, hacking through firewalls with a number of security barriers and checks is no mean feat, and pilots are not just sitting ducks in the cockpit but can respond in real time. As Boeing noted in a statement about its newer planes, only pilots can see and approve any changes to the flight plan on its aircraft.
"No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations."
Yes, security experts should definitely be thinking about cyber risks to our planes. But I wouldn’t go out and trade your plane ticket for a Greyhound ticket just yet.