David Armstrong considers the possibility of computer-hacking an aircraft
COMMERCIAL AIRCRAFT HACKS
On a United Airlines flight from Denver, Colorado, to Syracuse, New York, in April 2015, passenger Chris Roberts, a self-described cybersecurity researcher, commandeered the plane by tapping into the seat electronic box under his seat and accessing the plane’s thrust management computer. Roberts, of One World Labs in Denver, controlled the aircraft and briefly flew the plane sideways. Or did he?
Cyber security experts working for government agencies, aircraft manufacturers and aviation consultancies dismissed the claim, which Roberts made in a tweet from the plane, saying that the acts he described didn’t happen and couldn’t, in fact, happen. Aircraft manufacturers Boeing Company and Airbus were adamant on that point. Boeing told CNN its entertainment and navigation systems were not connected, so consequently, Roberts could not have done what he said he did.
Boeing elaborated in a statement: “Boeing airplanes have more than one navigational system available to pilots. No changes in the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures and flight deck operating procedures help ensure safe and secure airplane operations.”
Airbus was equally firm. In a statement the company said: “Airbus, in partnership with our suppliers, constantly assesses and revisits the system architecture of our products, with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”
Expert opinion then and now concurs with Airbus and Boeing. The consensus is that carefully engineered aviation architecture makes commandeering a civilian or military aircraft, from the ground or in the air, virtually impossible.
Threats
A number of aviation security experts worry more about other threats. Among them, the intrusion of UAVs, blinding laser pointers aimed at aircraft, ground or air-fired missiles, hijacking, in-flight collisions with birds and other dangers.
Yet, concerns that aircraft are not hackproof have not gone away. If anything, cooperation between aviation stakeholders to stop hack-a-plane scenarios is growing. The issue has drawn the attention of the US Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA). Although both are circumspect about speaking publicly and in detail about their anti-hacking efforts, they acknowledge a mutual desire to harmonise anti-hacking protocols.
In June 2016, FAA Administrator Michael Huerta told an aviation cybersecurity conference in Washington, DC that cybersecurity is “a huge issue we need to think about”. In an interview with the Wall Street Journal, Huerta elaborated: “As you rely on broader networks to swap data, you have to build many layers of protection. But at the same time you have to assume at some point, someone is going to break through that safety net… and then the most important factor will become how do you isolate it? How do you track it?”
Responding to questions for this article, the FAA emailed a statement that read, in part: “The FAA and industry have worked together on aircraft cybersecurity over the past 20 years, and there have been no US commercial accidents or incidents from intentional unauthorised electronic interaction with onboard aircraft systems.”
However, while no verified incidents have been reported, concerns that something untoward and even tragic could eventually happen trouble authorities. Cybersecurity concerns centre chiefly on air trafic control upgrades, advanced navigation computers and automated maintenance messaging systems – all potential vulnerabilities – along with widely used in-flight entertainment systems.
The FAA confirms its efforts to protect aircraft from hacking are international in scope. In an email, an agency spokesman wrote: “The FAA’s cybersecurity efforts also include close cooperation with international civil aviation authorities, including EASA and representatives from the international aviation industry.”
For its part, EASA has stated that it hopes to have a far-reaching cybersecurity plan in place by the end of 2018, though the Cologne-based agency is quiet about sharing details and did not respond to AIR International’s query asking if the plan was on track and on schedule.
Despite the circumspection of companies and regulators, broad contours of the cyber threat and outlines of what might be done to neutralise it have emerged in fits and starts.
EASA Executive Director Patrick Ky warned in October 2016 that a malicious hacker could exploit vulnerabilities in an aircraft on the ground. Ky said a commercial pilot hired by EASA as a consultant had exploited weaknesses in the aircraft communications addressing and reporting system (ACARS) used to send text messages between aircraft and ground stations. Ky told a press conference that it took the consultant just five minutes to burrow into ACARS. According to Ky, the hired hacker was also able to access the aircraft control system on the ground after several days of trying. According to a story published in France’s Les Echos, Ky said: “For security reasons, I will not tell you how he did it.”
Ky’s statement came one day before the introduction of the European air traffic control system dubbed SESAR, a system born from the Single European Sky Air traffic management research programme. The EASA leader said: “With the introduction of SESAR and the possibility for air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied. We need to start by putting in place a structure for alerting airlines to cyberattacks.”
Just a month before, Ky addressed that issue at an AVSEC World aviation security conference in Dublin and zeroed in on the security of an aircraft’s ADS-B system, which transmits information about its position. Speakers emphasised that the data are unencrypted, making the system vulnerable to outside interference. To defend against such attacks, James Vasatka, Boeing’s director for aviation security, told the gathering that his company – like EASA and others – routinely hires hackers to test software and systems Boeing installs on its planes.
A flurry of media attention to the threat of cyber-hacking a plane emerged early this decade, peaked from 2013 to 2015, and receded somewhat since then. Even so, it’s never fallen offthe radar.
Some early reports on alleged hacking – and speculation how easy such hacking was – bordered on the sensational. German researcher Hugo Teso made a splash at the Hack in The Box security conference in Amsterdam in 2013, when he outlined how easy it could be to hack into the electronic system of a jetliner by combining knowledge of computer coding with a personal digital device. In Teso’s case, it was a Samsung smartphone.
US business magazine Fast Company noted: “Relying on the fact that two critical aircraft systems use no encryption during their chatter to a ground-based service, Teso was able to hack into the flight control software of an airliner – one that could, theoretically, be in flight. He was able to divert the aircraft’s autopilot settings, potentially placing the aircraft at risk of collision, and even pull offstunts like dropping the oxygen masks in the passenger compartment. Teso’s hacking demonstration, like many ‘white hat’ hacks, is intended to prompt the industries concerned to seriously beef up their security, before a not-so-benevolent hacker throws a digital spanner in the works.”
That was the same rationale cited by Chris Roberts after making his claim of controlling an airliner in flight. After tweeting while he was on the plane about the alleged exploit, Roberts was met on the ground by the FBI, held and questioned, before being let go. No charges were filed against him. He maintained his actions were meant to be a wake-up call to sleepy government officials, airline executives, leading manufacturers of aircraft and security experts.
At least some got the message, loud and clear. According to a story published in November 2013 in the Los Angeles Times, Michael Sinnett, Boeing’s Vice-President of Production Development, told an industry conference in the summer of that year: “I know the media worries about the kid in seat 14B on his laptop hacking the flight controls. I’m here to tell you that’s not going to happen; but the question is, do I have to worry about a guy inside my system for four years before the code even hits the streets? The Boeing Company, its contractors and aviation regulators test systems for errors, but the worry persists that a ‘black hat’ hacker could find a way to worm into the systems and stay there undetected until it’s too late.”
Sleeper attacks
In the age of the nascent Internet of Things, when everything from home heating and cooling systems, to refrigerators, self-driving cars and airplane pilot tablets loaded with information is heavily reliant on complex, interconnected digital technology, sleeper attacks are a serious worry.
Peter Andres, Vice-President of Security for Deutsche Lufthansa AG, told the Los Angeles Times that being a glamorous, modern industry heightens the risks for aviation. He said: “There are many people who love to play with simulators, who listen to controls, who really study this stuff. But that, of course, gives more transparency and tools to people who have malicious intent.’’
Newer aircraft types with cutting-edge digital technology, such as Airbus’s A320, A350 and A380 and Boeing’s 787, are believed to be more at risk than older aircraft. One way these or other aircraft types could be compromised is by implanting hidden malware on a plane and activating it later.
By 2014, researchers were at work trying to devise systems to thwart such threats. Much of the impetus was driven by the disappearance on March 8, 2014, of MH370, a doomed Malaysian Airlines flight that some observers speculated had been the victim of a cyberattack, though most researchers believe something other than a cyberattack caused the aircraft to veer offcourse and disappear.
Some of this research was done in the UK by City University professor David Stupples, who has consulted on cybersecurity issues for the UK government, and specialists Cranfield University. Cranfield has initiated work on a system that would recognise malware and reconfigure itself to work around it.
Stupples told The Guardian in November 2014: “We have to address the problem completely differently. We need to look at architectures that can survive a malware attack. This is really important for infrastructure such as power stations and water plants, as well.”
According to Stupples, programmes to identify and isolate malware in aircraft and other crucial infrastructure are especially needed to counter the possibility of an inside job by a malicious actor, perhaps airline or airport employees or workers at maintenance facilities. Malware could be loaded on to an aircraft by using a USB pen, he suggested, or migrate from a company network via a data port at an airport gate. Data ports are often crucial to aircraft in-flight entertainment systems, which researchers cite as potentially vulnerable portals into a targeted plane.
He said: “[A] disaffected employee would have to be someone associated with the systems. If that’s the case, there’s a better than 80% chance they can either get to the data being transmitted on to the aircraft or get into the aircraft itself.’’
The proliferation of passengers’ personal digital devices – smartphones, laptops, tablets and the like – make a cybersecurity team’s work that much more difficult. Ruben Santamarta, principal security consultant at London’s IOActive, told Techworld in August 2016 that cyber attackers could try to gain control via the aircraft control domain or the airline information services domain. Moreover, he said: “Then we have two separated domains that are mainly focused on the passengers, the passenger information and entertainment services domain, and we have the passengers’ own devices.”
Santamarta singled out passenger devices as a tantalising sweet spot for hackers with malign intent. An attack, he said, “could be performed by someone using the public Wi-Fi on board, or someone who has had their laptop infected with malware and didn’t even know someone was trying to hack into the aircraft. That’s one scenario.”
Tom Patterson of information security company Unisys points to another possible portal: avionics. He said: “One of the key points to look at is weight. In the old days, in-flight avionics were a completely separate system. They were on wires, on computers: everything was separate. It would have been very difficult for an attacker to jump in there. What’s happening now is that to flighten the planes, more systems are sharing common wires and common computers.”
Countering the threats
Luc Tytgat, EASA’s strategy and safety management director, remarked in the April 4, 2017, issue of its newsletter On Air: “We need to be prepared for the threat of cyberattacks in aviation; it is not a matter of will it happen, but when it will happen. The growing risks come from the use of new technologies and new devices; for example, pilots are increasingly using devices connected to the cockpit such as flight maps and we have no way to guarantee these cannot be hacked.”
JeffPoole, Director-General of the Civil Air Navigation Services Organisation, noted: “Protecting our industry from cyber threats is hard, probably one of the hardest things we’re facing, because we do not know what we are facing or for what we have to prepare.”
As technology experts develop anti-hacking tools to counter multiple threats, international aviation stakeholders draw ever closer to protect themselves against cyber threats. EASA, in conjunction with other European stakeholders, is playing a key role.
On February 10, 2017, EASA signed a memorandum of understanding with the EU’s Computer Emergency Response Team (CERT-EU). According to EASA officials, the first phase of the agreement is set to roll out this year, and will include a public web site reporting cyber security news and European initiatives, open source intelligence services for members, plus an unspecified collaboration platform for members to exchange cyber security information.
The new vehicle, EASA announced, counts among its constituency: manufacturers of aircraft, avionics and ground systems; aviation organisations, such as airlines, maintenance, repair and overhaul operations; communication services providers; air navigation service providers; and national and cross-border air navigation service providers.
In April 2017, EASA announced implementation of the memorandum with CERT-EU, creating a European Centre for Cyber Security in Aviation (ECCSA). EASA agreed to “provide the analyst resources and technical expertise for the coordination of the ECCSA”. From CERT-EU came a commitment to provide secure information technology infrastructure services plus cybersecurity tools and threat management services. Both agreed to maintain close collaboration between their analyst teams.
ECCSA is just one recent example of the ever closer collaboration in the international aviation community to prevent malicious hacking of aircraft.
Said Unisys’ Tom Patterson: “Air transport is one of the critical infrastructure sectors that’s looked at globally, and is one of the leading sectors to share information and countermeasures information among all its participants around the world. We’ve got great leaders, facilities to work together. We definitely come together when there are emergencies. Now, what we’re starting to do is get them to come together in advance of emergency situations, to prevent those emergencies from happening.”
