It took Robert Hickey and his team of researchers just two days to do what the aerospace industry had insisted was nigh impossible.
On September 21 2016, the US Department of Homeland Security official hacked into the systems of a Boeing 757 passenger aircraft parked at the airport in Atlantic City, New Jersey. It was, he said last year, “a remote, non-co-operative penetration” without insider help or being onboard, using “typical stuff that could get through security”.
Mr Hickey waited more than a year to drop his bombshell at a cyber security conference in Virginia and even then he gave scant detail about what had been accessed and how — for obvious security reasons.
But his revelation has raised serious questions about aviation’s exposure to cyber attack as aircraft, airports and air traffic control systems become increasingly reliant on digital systems.
Passengers can now FaceTime friends on their own devices while flying across the ocean. Pilots are ditching their heavy manuals and maps for WiFi-enabled tablets. Airlines are also harvesting the data generated by the aircraft — on everything from the engine to air conditioning — in order to monitor performance and operate more efficiently.
“We have to admit that the threats and vulnerabilities have changed,” says Matthieu Gualino, who provides security training for consultants L.A. Conseils and ICAO, the aviation safety regulator. “We have had technology in the air for many years . . . [but] the rise of connected technologies leads to greater vulnerability.”
The US Government Accountability Office has warned at least twice in the last three years that the industry and regulators need to step up their efforts to guard against cyber attacks as technology evolves at an ever faster pace.
Earlier this year the UK government also set out its concerns in a new cyber security strategy. “It is not a matter of if, but when cyber attacks or system compromises are perpetrated against or impact upon aviation,” the strategy document states.
This was not the first time the alarm was raised. In 2015, FBI agents alleged that a well-known cyber security expert claimed to have hacked into an aircraft’s flight controls through the entertainment system, and made it briefly fly sideways. However, doubts persist over the claim, given that no charges appear to have been brought against him.
“I am fairly confident that people have tried and just as confident that they have failed,” says Joe Kenney, chief technology officer of Honeywell Aerospace, a supplier of flight management and other avionic systems.
Boeing, whose 787-8 faced questions from the US aviation regulator in 2008 over perceived vulnerabilities in its system architecture, insists that such an attack is impossible. “Critical flight systems cannot be accessed from an aeroplane’s non-critical systems,” Boeing says. “Multiple layers of protection, including software, hardware, and network architecture features, are designed to . . . guard against intrusion. Technical controls protecting flight critical systems . . . extend beyond traditional security measures found in ground-based environments.”
Nevertheless, there are risks other than a terrorist or hacker remotely taking control of an aircraft in-flight. They could try to create panic on the plane by hacking into the WiFi system and displaying images or false messages on screens to passengers and crew, says Mr Gualino.
Ruben Santamarta, a cyber security expert at consultancy IOActive, has for years warned of weak links in aviation’s satellite communication systems. Mr Santamarta says he has proved that a hacker can access an aircraft’s onboard WiFi through the satellite link and interfere with the internet-enabled devices of passengers and crew. The aircraft’s navigation antenna could also potentially be accessed this way.
The good news is that he has been unable to hack into safety critical cockpit systems. “It was not possible to move from in-flight communication to the avionics,” he says.
The bad news is that common devices — being used more and more by onboard staff like maintenance and cabin crew — may interface with the critical as well as the non-critical systems and thus could pose a real threat.
“Onboard you now find devices that are used in different industries,” Mr Santamarta says. “Some operations are using iPads or other common devices. For example if you compromise a laptop used to load software into the aircraft it might be possible to inject malicious malware.”
Mr Kenney of Honeywell believes that the industry is facing an urgent challenge with the arrival of 5G wireless communications, which will bring much faster speeds of data transfer. This will raise risk levels significantly, even as it opens the door to new business opportunities arising from a greater volume of real-time data; for example, by enabling aircraft automatically to warn each other of shifting weather patterns.
“Historically all data stays on the plane,” says Mr Kenney. But with 5G services such as sharing information on the weather, that data will be taken off the aircraft, processed and brought back on board. “It is now open system if you do that. That is an opportunity for hackers to go in.”
Mr Kenney insists these new business opportunities are crucial, as they will help airlines cut fuel consumption and deliver cheaper, better services to passengers. “If you get real time information (about unexpected weather) on an aircraft it can save a lot of fuel because you don’t have to reroute. It is solving a problem for airlines. They want that data,” he says. As the new services develop, however, “the protection needs to be the same as in an isolated system,” he says. “We are very aware and conscious as a leader in avionics that we have to ensure our systems retain their integrity.”
Everyone in the industry is aware of the high stakes. More than in any other industry, safety is the overriding imperative of all technological advances in aviation. Last year, despite carrying 4bn passengers, commercial aviation suffered no fatalities.
“It is very much up to the manufacturers to make sure that the integrity of our systems is as good today if not better,” he says. “The technology exists today to monitor the performance of aircraft systems closely enough so that if someone were to do something you could override those commands using artificial intelligence and land the aircraft safely.”