Hacker’s Into Commercial Airline Systems

Screen-Shot-2015-04-16-at-07.54.43-655x360.png

 

Even as the US questioned a computer researcher’s claims of tampering with a jetliner in flight, his account spotlighted possible cybersecurity risks in commercial aviation. The consultant told the Federal Bureau of Investigation that he hacked into in-flight networks more than a dozen times using onboard entertainment systems, as Wired magazine reported.

While a US official said that lacked credibility, the article drew attention to a US report last month about digital threats to airliners. 

U.S. government officials flagged potential vulnerabilities in the US’s pending shift to satellite-based air traffic control from current ground-based systems. They said there is a theoretical risk that an unauthorized person could gain access to sensitive aircraft systems, even though the computers running the controls are kept separate from in-flight entertainment technology.

Even with firewalls, a breach could occur if the cockpit controls system and entertainment technologies were connected to the same router or use the same networking platform, the US Government Accountability Office wrote last month.
Hacking into cockpit controls would require a combination of expert skills and a network that is sufficiently vulnerable, said Jon Haass, chairman of Cyber Intelligence & Security at Embry-Riddle Aeronautical University’s Prescott, Arizona, campus. But it’s possible because of the interconnectivity of aircraft systems, he said.

“The networks are in some sense connected, even though they’re firewalled off from each other,” Haass said. “If I can trick a network computer or device into thinking I’m OK, that would allow me to then get to the controls which I’m not authorized to touch.”

Chris Roberts, founder of a cybersecurity consulting firm called One World Labs, claimed to have made that threat a reality after being pulled off a flight last month over provocative tweets about airline hacking.
However, there is no credible information to suggest an airplane’s flight control system can be accessed or manipulated from its in-flight entertainment system, a senior law enforcement official who asked not to be identified told Bloomberg News recently.

Even so, hacking a plane’s control systems in flight would represent a dangerous and likely illegal escalation, which has angered security researchers.

While cockpit control systems have historically been isolated and self-contained units, airplane manufacturers have shifted to a concept called integrated modular avionics that run vital functions through fewer central processing units to save weight and increase the ease of software upgrades.

This approach shaved 2,000 pounds off the weight of Boeing’s most advanced commercial jet, the 787 Dreamliner, while cutting in half the numbers of processor units for Airbus Group NV’s A380 superjumbo jet, according to Aviation Today.

Although separated from the entertainment systems by firewalls, security technologies could be breached if connected to the same router or use the same networking platform, the GAO wrote. Some aircraft have controls that have an “air gap” with other airplane computer networks, meaning the different networks have separate wiring that prevents the sharing of information. That closes off that vulnerability, Embry-Riddle’s Haass said. It’s not clear that all planes have this closed-off system, he said.

The FBI is warning airline workers to watch for suspicious activities, such as passengers connecting cables or wires to the in-flight entertainment systems “or unusual parts of the airline seat,” and report any signs of tampering with the entertainment systems, according to Wired.

The Federal Aviation Administration last year ordered Boeing to ensure that computer networks on upgraded versions of its 737 aircraft are protected. Previous versions of the same plane “had very limited connectivity with external network sources” and weren’t at risk, the FAA said in the June 6 notice. The agency has issued similar notices ordering Boeing, Airbus and other aircraft manufacturers to design electronics to protect them from outside interference.

Entertainment systems on Boeing’s commercial airplanes are isolated from flight and navigation systems, and pilots have more than one navigational system at their disposal, said company spokesman Doug Alder.
“No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval,” he wrote.
Airbus has systems and procedures in place to ensure against potential cyberattacks, Mary Anne Greczyn, a spokesman for Toulouse, France-based Airbus, said in an e-mail. “We naturally do not discuss details on our security design and operations in public.”
Pilots form an additional layer of protection, John Cox, president of consulting firm Safety Operating Systems, said in an interview.

On the off chance that it was possible for a hacker to manipulate the flight controls, pilots are trained how to manually override a plane’s automatic systems, said Cox, a former pilot himself. Therefore he says, “The idea that you can somehow get in and take control of the airplane, it isn’t going to happen,” he said.
Claims Journal:  http://bit.ly/1LWLbEB

« Iran Suffering a Techno Gap in Cyber Defense
Keeping Passwords Safe From Cracking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CIO

CIO

CIO provides technology and business leaders with insight and analysis on information technology trends

QA Systems

QA Systems

QA Systems provides software testing solutions for safety and business critical sectors and software safety and security standards.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

Kroll

Kroll

Kroll provides clients a way to build, protect and maximize value through our differentiated financial and risk advisory and intelligence.

Norwegian Business & Industry Security Council (NSR)

Norwegian Business & Industry Security Council (NSR)

NSR is a member organization serving the Norwegian business sector in an advisory capacity on matters relating to crime and security including cyber.

Herbert Smith Freehills

Herbert Smith Freehills

Herbert Smith Freehills is a leading professional services including data protection and privacy.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

TechBeacon

TechBeacon

TechBeacon.com is a digital hub by and for software engineering, IT and security professionals sharing practical and passionate guidance to real-world challenges.

2Keys

2Keys

2Keys designs, deploys and operates Digital Identity Platforms and Cyber Security Platforms through Managed Service and Professional Service engagements.

The ATOM Group

The ATOM Group

ATOM builds and secures technology for regulated industries. We design and build for a future we can all trust.

Identity Management Institute (IMI)

Identity Management Institute (IMI)

Identity Management Institute (IMI) provides professional training and certification in cyber security with a focus on identity and access management, identity theft, and data protection.

LGMS - LE Global Services

LGMS - LE Global Services

LGMS is a leading cyber security penetration testing and assessment firm in the Asia Pacific region.

Cyber Security Partners (CSP)

Cyber Security Partners (CSP)

Cyber Security Partners specialise in the provision of Cyber Security Consultancy, Data Protection and Certification and Compliance services.

International Cyber Threat Task Force (ICTTF)

International Cyber Threat Task Force (ICTTF)

The International Cyber Threat Task Force is a not-for-profit initiative promoting the ecosystem of an International independent non-partisan cyber security community.

Pessimistic Security

Pessimistic Security

The team behind Pessimistic helps blockchain startups meet modern security challenges since 2017.

Barquin Solutions

Barquin Solutions

Barquin Solutions is a full-service information technology consulting firm focused on supporting U.S. federal government agencies and their partners.