Hacking an aircraft is easier than you might think. Last year, a Department of Homeland Security (DHS) official admitted that he and his team of experts remotely hacked into a Boeing 757.
In 2016, there were more than 50 reports of GPS interference at Manila International Airport – which can lead to “missed approaches” forcing flight crews to re-approach the runway using backup navigation systems.
The results of an attack on a plane can be catastrophic. After the 2008 crash of Spanair flight 5022, it was discovered that a central computer system used to monitor technical problems in the aircraft was infected with malware. An internal report by the airline revealed the infected computer failed to find three technical problems with the aircraft which, if detected, might have stopped the plane from taking off in the first place.
The ability to breach an aircraft system has already been demonstrated. Security researcher Ruben Santamarta has shown how attacks such as bypassing the credit card check and SQL injection can be conducted on an in-flight entertainment system. Such assaults can even be perpetrated from the ground, he says.
Meanwhile, US regulator the Federal Aviation Administration(FAA) has warned that some computer systems on the Boeing 747-8 and 747-8F may be vulnerable to outside attacks due to the nature of their connectivity.
In addition, weak encryption systems in aircraft communications addressing and reporting systems have raised issues around the privacy of messages sent via the data-link.
According to Nitha Suresh, a cybersecurity consultant at Synopsys, the surveillance signal used to broadcast the position of aircraft can potentially be eavesdropped or spoofed by highly skilled attackers.
The risk is particularly elevated in aviation due to the complexity of aircraft systems. Over the years, the size of the software supporting them has grown exponentially, says Suresh.
This complexity – including multiple lines of code – lowers the testability of the software, leaving behind vulnerabilities which can be exploited by a skilled attacker.
Adding to this, the software goes through many overhauls and updates during the lifecycle of the plane. “Unless this job is carried out with extreme caution, there is a great deal of potential for security bugs to creep into the software,” Suresh says.
In addition, modern avionics software development takes advantage of commercial off-the-shelf components. But this can potentially allow an attacker to tunnel through and enter the heart of the system, Suresh warns.
She says software vendors should take necessary precautions in terms of plugging the loopholes, “just like they would with any other open architecture”.
At the same time, Suresh points out that major development standards don’t currently include detailed cybersecurity policies. Although she concedes, the Aircraft Systems Information Security Protection (ASISP) 2015 initiative by the FAA “is a move in the right direction”.
So, what can be done to prevent malicious actors from attacking aircraft? The risks can, to an extent, be mitigated by the effective decision-making capability of an experienced pilot – who might spot something unusual, says Suresh.
But she emphasizes the importance of understanding the attack surface. “There should be a common repository of threats to both hardware and software detected by the developers and assessors. This needs to be maintained by regulatory agencies like the FAA and should also be available across different development platforms.”