Demo hack shows how to crash a plane; air cyber-security being improved

In separate developments, a demo hack in Amsterdam shows how to crash a plane, while the US Federal Aviation Administration seeks to improve air cyber-security.

Hacking an aircraft is just an app away and modern aircraft with in-flight connectivity are particularly susceptible, as a demo this week (see below) demonstrated.

Separately, the US Federal Aviation Administration is setting up an industry working group on how to improve aircraft cyber-security.

Cyber-security vulnerabilities for aircraft operating in the US National Airspace System are not specifically addressed, and the FAA says that as a result vulnerabilities “may not be identified and mitigated, thus increasing exposure times to security threats”.

Threats include hackers gaining unauthorised access to aircraft systems and networks which “could result in the malicious use of networks, and loss or corruption of data (eg, software applications, databases, and configuration files) brought about by software worms, viruses, or other malicious entities”.

The FAA also says that a lack of cyber-security regulations, policy, and guidance “could result in security-related certification criteria that are not standardised and harmonis

Last October John Craig, Boeing's chief engineer for cabin and network solutions, said an airline chief executive “has to understand the risk to their company” posed by cyber security threats.

Pointing to the high-profile hacking incidents at US-based retail giants Home Depot and Target, Craig warned that “people are starting to look at aviation now”.

Cyber security policies are created and managed by IT departments, whereas flight operations need to be more aware of these policies, said consultancy AirInsight following an airline survey.

Justification for the fears was demonstrated at the Amsterdam Hack In The Box security conference, where security consultant Hugo Teso of n.runs in Germany presented his paper, 'Aircraft Hacking: Practical Aero Series', and his demo crash.

In his demo, Teso used his SIMON code and Android app PlaneSploit to change the plane's course, crash the plane, set lights flashing in the cockpit, and activate something when the plane is in a certain area.

A report on Teso's findings in the Independent notes that Automated Dependent Surveillance-Broadcast (ADS-B), a surveillance technology for tracking aircraft, is unencrypted and unauthenticated and thus has no security; nevertheless, the US government will require all aircraft to be equipped with ADS-B by the year 2020. Attacks on this system “range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection)”, says Teso.

In addition, the Aircraft Communications Addressing and Reporting System (ACARS), used to exchange messages between aircraft and stations via radio or satellite, also has no security, making it easy to read and send ACARS messages with some hardware from eBay. Teso told Forbes: “The plane has no means to know if the messages it receives are valid or not.”