The Government Accountability Office (GAO) published a report on April 14, on behalf of the FAA's look into next-generation air transportation systems, which indicated that on-board Wi-Fi could feasibly be used by hackers to bring an aircraft to the ground.
Those working on the research stressed that this attack wouldn't be easy or very likely, but said that the worst-case scenario, especially as airlines and the FAA move to modernise planes with flight-tracking and internet technology, could see a terrorist mid-flight use the passenger Wi-Fi to take control of the aircraft. The internet, reads the report, “can potentially provide unauthorised remote access to aircraft avionics systems”.
Avionics typically operate on a self-contained network that is not connected to the one used by passengers. However, experts – who included professors at the universities of Virginia and Columbia, as well as senior figures at SANS Institute and HP – said in the report that newer systems could see Wi-Fi systems share the same routers or internal wiring. In addition, they said that any firewalls used for separating networks could be hacked, just like any other software.
"According to cyber-security experts we interviewed, internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors," the report reads.
The GAO released a separate report last March which said that FAA's system for guiding planes and other aircraft also was at "increased and unnecessary risk" of being hacked. One particular area of weakness was the ability to prevent and detect unauthorised access to the vast network of computer and communications systems the FAA uses to process and track flights around the world.
A number of infosec pros, when speaking to SCMagazineUK.com this week, had mixed views on this perceived threat.
Gérôme Billois, senior manager of French information security consultancy Solucom – whose company has worked with airlines on securing their infrastructure in the past – says that data networks should typically be segregated into different zones, for passengers, crew and avionics, as required by the ARINC 664 standard.
“The issue [of security] arises when one zone inter-flows to another,” he said, adding – for instance – that cabin crew will often be able to see critical domain information, such as temperature or flight speed.
He acknowledged that this causes “some risks” but said that attacks, as mentioned in the report, would need very specific conditions and are thus unlikely.
“These systems are interconnected so it's really important to think about security at design, and to regularly test it because planes are around for a very long time.”
Billois, who was due to board a plane after the interview, added that the threat to future planes may not be dissimilar to that facing a modern enterprise. Older planes run customised software so are “not as easy to attack”, but in future, he says, it wouldn't be impossible to launch buffer overflow attacks or an integrated attack on internal communications to, for example, alter altitude or speed readings.
Simon Chapman, director at Manchester-based penetration tester Ambersail Ltd, added that it was hard to see how viable the attack would be, although sharing the same IP network for entertainment and plane controls was a “bad idea”.
Drawing on the firm's own experience implementing payment gateway solutions on planes, he said that present and future plane designs would need to have “physically separate cabling, and separate IP network”, air-gapped machines and solutions that can be switched off at any time. But citing the recent Germanwings crash, he said planning for the future is impossible.
“People often talk about future proofing but there's never been a bigger con in the world of technology – it's fakery, the future has no regard for the past or present. You have to start with the assumption that the model might be invalid in future.”
Jovi Umawing, malware intelligence analyst at Malwarebytes, said in a statement to the press: “While it is true that firewalls could be potentially bypassed by those with ill intent, we have to remember that aircraft systems are built with safety in mind. These systems, which we deem life or safety critical, have redundancies in place to lessen the chances of tragic outcomes should they be compromised. As the GAO report does not clearly elaborate if this new threat via cabin Wi-Fi takes into account such systems, we can't know for sure if an attack like this would be successful.”
Ken Munro, managing director of Pen Test Partners, and a pilot himself, said of the research: “It appears to hinge around the fact that, as firewalls are software, we can't rely on them to offer complete security or segregation. In theory that's true, however, we rely on firewalls to provide security in virtually every other facet of internet life, so why aren't they considered secure enough for aeroplanes?”
He added that physical segregation of network infrastructure between passenger Wi-Fi, entertainment and flight control system was “arguably unnecessary”, while the cabling for this – let alone an isolated routing infrastructure – will “add significant weight to the plane, and therefore reduce payload.”
“VPNs and other secure network technologies offer strong encryption of data; the military, government and others rely on them for communication of highly sensitive data. Utilities, nuclear generators and others with critical infrastructure use them - why then do they think that they aren't suitable for ‘planes?”
Munro added that, even with these changes, there remain opportunities for attack: “rogue airport staff and baggage handlers have plenty of opportunity to place network taps and other devices to intercept or modify data.”
“Indeed, physical segregation often leads to a sense of complacency – look at the age and insecurity of SCADA networks for example. Their security only started to be taken seriously when organisations started hooking them up to conventional IP networks.”
He added that attacking over Wi-Fi isn't a ‘massive threat’ as ‘simple security controls mitigate attacks’. “And surely, if the ‘plane starts doing weird stuff, pull the plug on the Wi-Fi network. Make sure the captain has a simple method of killing its power. Like a fuse, like every other electrical system on a plane, there's a circuit-breaking fuse in easy reach of the pilot.”
Ruben Santamarta, principal security consultant for IOActive, has previously done research on hacking planes. He told SC that this research was 'useful for awareness', but said that how vulnerable each airline is would vary on a case-by-case basis.
"The ability to cross the red line between passenger entertainment and owned domains and the aircraft control domain heavily relies on the specific devices, software and configuration deployed on the target aircraft. From my point of view, one of the main concerns are the communication devices, such as those used for SATCOM (satellite communications) which are shared between different data domains," he said. "Therefore, this equipment might be used to pivot from to certain avionics. Anyway, Aircraft's security posture needs to be carefully analysed case by case."
"New air-to-ground technologies will equip modern aircraft with a new set of capabilities. However, in terms of security this poses a major challenge. IOActive thinks it is better to approach these kinds of potential attacks from a proactive manner, instead of waiting until something happens. However, we should not be thinking airplanes are going to start falling out of the sky if someone just presses a key on their laptop. Aircraft rely on redundancy to operate safely, it's not that easy."
Meanwhile, pilot Dr Phil Polstra told Forbes reporter Tom Fox-Brewster earlier this week that the GAO report was “irresponsible” for relaying incorrect information. He claimed the experts cited in the report did not understand how modern aircraft networks operate.
“To imply that because IP is used for in-flight Wi-Fi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breathe air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane.”