Sometimes just the thought of a vacation or even leaving town for a few days is enough to help you forget your cybersecurity troubles—especially when you step onto a comfortable, modern jumbo jet. But it may surprise you to learn that the airplanes we often regard as safe are actually riddled with their own digital problems, many of which pose significant risks to passengers. Too often, travellers view the dangers of flying in a traditional sense, like those related to landing gears, seatbelts, turbulence—or more recently, terrorism and potential bomb scares.
But as the world continues to grow and modernize, a successful shift in the security mindset also includes taking note of the many ways airlines continue to expose themselves to vulnerability and risk. While it’s true carriers and airports have made some vast security improvements with regards to passenger access and potentially dangerous materials, they have yet to find true cyber resilience when it comes to being 100% safe while in the air. And until they do, the notion of flying is really more dangerous than ever.
Hacking a Plane
One of the biggest concerns about the cybersecurity of an airplane is protecting it from virtual hijackers. Not too long ago, taking over control of a Boeing 747 at 40,000 feet required a malicious person to actually be on board, weilding a weapon—or worse, an explosive—of some kind and demanding access to the cockpit. But these days, this same goal can feasibly be accomplished by “hacking” a plane, which means a black hat somewhere on the ground can gain total control of a 900,000 lb. plane in mid-flight by using nothing more than a computing system.
Don’t believe it? Last year, the Department of Homeland Security (DHS) officially announced they, themselves, had successfully hacked a Boeing 757 from a remote site, albeit not while it was in flight. Granted, it was a 197os design, but hundreds of those older models still take to the sky today, including President Trump’s personal jet that he used throughout his electoral campaign. And according to hacking expert, Brad Haines, “Anyone with a TV tuner can listen in to raw position data and other telemetry from planes directly. The threat models never anticipated this. Manufacturers and airlines don’t let researchers, even with honest intentions, get access to find a very expensive problem. Their faith in the systems is never challenged.”
Even more disturbing are the various reports that have already surfaced about missed approaches due to some kind of GPS interference from outside. Whether or not these were related to an attack is unclear, but Manila International Airport alone has reported more than 50 in one year. And in other cases, like that of Spanair flight 5022, a malware infection of the plane’s central computing systems was what caused the aircraft to crash, killing 154 souls.
One major problem within this entire discussion is the lack of agreement among industry experts. While Scott McConnell, a spokesman for the DHS has been quoted saying, “The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risk.” However, people directly involved in the cybersecurity division of the DHS disagree, saying their “remote, non-cooperative penetration” of a Boeing 757 is proof that neither the airlines nor the U.S. Air Force have the programs or expertise capable of detecting today’s cyber threat to airplanes.
The lifecycle of an airplane can last decades, and during this time, the software used to fly and protect it also goes through many updates and repairs. As we all know, such a lengthy process, with so many potential security holes, can be rife with creeping bugs if the software is not vigilantly handled by extremely knowledgeable experts. And when these vulnerabilities are neglected or simply not detected, attackers have a much better change of tunneling through and entering the heart of the system. Just like with any digital architecture, all airplane-related software need to be considered of the utmost importance.
Just like the people who fly them, commercial airplanes also rely on a modernized system of satellite communication channels to navigate through their movement, both on and off the ground. Within the past five years alone, they processes have shifted from ground-based radar to GPS systems, connecting cockpit pilots directly to satellites to guide them during critical moments of takeoff and landing. In-flight wifi used by both passengers and crew are also linked to satellites, which creates yet another opening for cyber attackers looking to “board” the plane remotely.
Of course, the question of cost is always a factor when it comes to security. And in the case of cyber upgrades for planes, the price tag is high due to the nature of their complex systems. To address and repair weaknesses in one of today’s most advanced aircrafts would likely include the rewriting of computer code within the avionics equipment, and that alone could cost over $1 million—and it would take close to a year to complete.
Although there is no easy answer to this issue, what’s important is to pay attention to the realities that exist all around. It doesn’t take an expert to recognize the vulnerable state of airplanes today, nor does it take a genius to realize certain (sometimes costly) actions will need to be taken. If passengers are going to continually do their part for security by packing only certain things, removing their shoes and outerwear for security checks, and keeping an eye out for suspicious bags and activity, professionals in the airline industry much also commit themselves to keep those same passengers safe in the wilds of the digital world.