How can airlines stop hackers pwning planes over the air? And don't say 'regular patches'

As Homeland Security hacks 757 on the tarmac


At least some commercial aircraft are vulnerable to wireless hacking, a US Department of Homeland Security official has admitted.

A plane was compromised as it sat on the tarmac at a New Jersey airport by a team of boffins from the worlds of government, industry and academia, we're told. During the hack – the details of which are classified – experts accessed systems on the Boeing 757 via radio-frequency communications.

“We got the airplane on September 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the cyber-security division of the DHS's science and technology directorate, while speaking at the CyberSat Summit in Virginia earlier this month.

The research team was made up of eggheads from MIT; the US Department of Energy's Pacific Northwest National Laboratory; the University of California San Diego, SRI International, and QED Secure Solutions.

Initially, the team's findings were written off by computer security experts as old news, and “it’s not a big deal,” Hickey told Defense Daily. However, during a technical meeting in March to discuss the project's findings, a bunch of commercial airline pilots said they were unaware of the vulnerabilities exploited during the hack.

In other words, the wireless intrusion was old hat to infosec pros safely behind their desks, but news to the people flying and working on the actual things. It should come as no surprise that airplanes, like any computer-controlled electronic system, have bugs and these bugs can be exploited by meddling miscreants.

Previous work

A couple of years ago, security researcher Chris Roberts was accused of hacking into the controls of a United Airlines plane in midair via the inflight entertainment system. Roberts tweeted about airplane network security during the flight to Syracuse, New York. He was questioned on arrival by the Feds. However, there is no evidence he accessed flight control systems, and no charges were ever brought.

In 2014, Brad Haines poked air traffic control and ADS-B security, and found various threats to installations.

And back in 2013, infosec pro Hugo Teso claimed that some commercial aircraft could be compromised with little more than a mobile phone, which was disputed by America's aviation safety watchdog at the time.

Other researchers such as Ruben Santamarta have looked into the security of airplane satellite comms systems.


Steve Armstrong, an incident response expert and former lead of the UK's Royal Air Force penetration and TEMPEST testing teams, told El Reg that aircraft have benefited from what's known as security through obscurity: few IT security bods have scrutinized airplane technology, or are able to gain access to the systems or interface with the connectors and other buses onboard. However, adding wireless gadgets, such as Wi-Fi hotspots, to aircraft opens them up to remote hacking via common protocols.

Basically, it's now possible to be simply near a vulnerable piece of equipment and compromise it over the air using standard off-the-shelf tech, as opposed to having to physically expose interface ports, break into cabinets, wire up plugs, and so on, to tamper with stuff.

“Aircraft are perceived to be closed systems with the only interfaces being touch screens," said Armstrong. "On board Wi-Fi and other data-buses use standard IP [internet protocol connections]."

"Modern company networks have defenders constantly monitoring the network,” whereas planes simply don't. “Airplanes report their exact take off times and synchronize to servers. All these open up interfaces to attacks that most legacy aircraft are not equipped to protect,” he said.

Meanwhile, Hickey said research into aircraft security is ongoing. Homeland Security has yet to formulate specific advice for airplane manufacturers and airlines. Hickey also pointed out that patching avionics subsystems on every aircraft when a vulnerability is discovered is cost prohibitive.

Patching

Recently designed commercial aircraft – such as Boeing’s 787 and the Airbus Group A350 – were drafted with computer security in mind, we're told, but resisting or preventing cyber-attacks was not on the design criteria list for older aircraft, which still make up the vast majority of airline fleets.

Airplane communication and information technology systems are fundamentally different from conventional enterprise networks so attempting to address airplane cybersecurity the same way it is approached for land-based networks “is going to leave us short of the mark,” according to Hickey.

Armstrong agreed with this general assessment, adding that the rigorous requirements of aircraft safety testing and regular patching pulled in different directions.

“Companies that make aircraft components don’t like to do frequent updates to devices as the testing process is lengthy and thus costly. So with tight margins and the historic push for safety over everything, many components aren’t updated,” Armstrong explained. ®
