How can airlines stop hackers pwning planes over the air? And don't say 'regular patches'

As Homeland Security hacks 757 on the tarmac

At least some commercial aircraft are vulnerable to wireless hacking, a US Department of Homeland Security official has admitted.

A plane was compromised as it sat on the tarmac at a New Jersey airport by a team of boffins from the worlds of government, industry and academia, we're told. During the hack – the details of which are classified – experts accessed systems on the Boeing 757 via radio-frequency communications.

“We got the airplane on September 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the cyber-security division of the DHS's science and technology directorate, while speaking at the CyberSat Summit in Virginia earlier this month.

The research team was made up of eggheads from MIT; the US Department of Energy's Pacific Northwest National Laboratory; the University of California San Diego, SRI International, and QED Secure Solutions.

Initially, the team's findings were written off by computer security experts as old news, and “it’s not a big deal,” Hickey told Defense Daily. However, during a technical meeting in March to discuss the project's findings, a bunch of commercial airline pilots said they were unaware of the vulnerabilities exploited during the hack.

In other words, the wireless intrusion was old hat to infosec pros safely behind their desks, but news to the people flying and working on the actual things. It should come as no surprise that airplanes, like any computer-controlled electronic system, have bugs, and these bugs can be exploited by meddling miscreants.

Previous work

A couple of years ago, security researcher Chris Roberts was accused of hacking into the controls of a United Airlines plane in midair via the inflight entertainment system. Roberts tweeted about airplane network security during the flight to Syracuse, New York. He was questioned on arrival by the Feds. However, there is no evidence he accessed flight control systems, and no charges were ever brought.

In 2014, Brad Haines poked air traffic control and ADS-B security, and found various threats to installations.

And back in 2013, infosec pro Hugo Teso claimed that some commercial aircraft could be compromised with little more than a mobile phone, which was disputed by America's aviation safety watchdog at the time.

Other researchers such as Ruben Santamarta have looked into the security of airplane satellite comms systems.

Steve Armstrong, an incident response expert and former lead of the UK's Royal Air Force penetration and TEMPEST testing teams, told El Reg that aircraft have benefited from what's known as security through obscurity: not many IT security bods have scrutinized airplane technology, and few are able to gain access to the systems or interface with the connectors and other buses onboard. However, as wireless gadgets, such as Wi-Fi hotspots, are added to aircraft, this opens them up to remote hacking via common protocols.

Basically, it's now possible to be simply near a vulnerable piece of equipment and compromise it over the air using standard off-the-shelf tech, as opposed to having to physically expose interface ports, break into cabinets, wire up plugs, and so on, to tamper with stuff.

“Aircraft are perceived to be closed systems with the only interfaces being touch screens,” said Armstrong. “On board Wi-Fi and other data-buses use standard IP [internet protocol connections].”

“Modern company networks have defenders constantly monitoring the network,” whereas planes simply don't. “Airplanes report their exact take off times and synchronize to servers. All these open up interfaces to attacks that most legacy aircraft are not equipped to protect,” he said.

Meanwhile, Hickey said research into aircraft security is ongoing. Homeland Security has yet to formulate specific advice for airplane manufacturers and airlines. Hickey also pointed out that patching avionics subsystems on every aircraft when a vulnerability is discovered is cost prohibitive.


Recently designed commercial aircraft – such as Boeing’s 787 and the Airbus Group A350 – were drafted with computer security in mind, we're told, but resisting or preventing cyber-attacks was not on the design criteria list for older aircraft, which still make up the vast majority of airline fleets.

Airplane communication and information technology systems are fundamentally different from conventional enterprise networks, so attempting to address airplane cybersecurity the same way it is approached for land-based networks “is going to leave us short of the mark,” according to Hickey.

Armstrong agreed with this general assessment, adding that the rigorous requirements of aircraft safety testing and regular patching pulled in different directions.

“Companies that make aircraft components don’t like to do frequent updates to devices as the testing process is lengthy and thus costly. So with tight margins and the historic push for safety over everything, many components aren’t updated,” Armstrong explained. ®
