News agencies throughout the world are reporting on the vulnerability of new commercial passenger planes to hacking, malware, and terrorism. What is the cause of that vulnerability? The on-board system allowing passengers to access the internet. That system is directly connected to the computers that run the plane's avionics system. See the diagram below:
The U.S. Government Accountability Office released a report yesterday describing the danger. The GAO consulted with the FAA and experts on computer security. Their analysis was not reassuring. Planes are vulnerable to hacking for two reasons: (1) on-board computers used by passengers are connected to the internet, and (2) those same computers are connected to the avionics systems that control the plane.
“FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors. FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems. One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.” [GAO-15-370, 14 April 2015, p. 19].
I’m not an expert on computer security, but even I can see two solutions to this problem. (1) Don’t connect the internet computers to the avionics system. Have two separate systems that are not connected. (2) And don’t have internet access on the plane. Is it really necessary to be connected to the internet every hour of every day?
What are the commercial plane manufacturers doing about this problem? They set up a firewall between the avionics and the passenger computers. Well, problem solved! Or not.
“Firewalls protect avionics systems located in the cockpit from intrusion by cabin-system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”
The FAA warned Boeing about this type of vulnerability SEVEN YEARS AGO!!! And all they did was set up a software firewall.
The GAO says: “Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack.” [p. 18]. But not anymore. Boeing and Airbus have adopted a new approach that inexplicably connects essential flight guidance and control computer systems to passenger entertainment computers and the whole bloody internet.
A passenger on the plane, with hacking skills and the right malware, could bypass the firewall and disable the avionics system. Worse still, any hacker on the planet could possibly gain access to the flight computers remotely. It is not clear from the GAO report how much damage a hacker could do, once the firewall was breached. But crashing the plane is certainly a real possibility.
- Thoreau

