Hacker’s Into Commercial Airline Systems

Uploaded on 2015-06-01 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Screen-Shot-2015-04-16-at-07.54.43-655x360.png

 

Even as the US questioned a computer researcher’s claims of tampering with a jetliner in flight, his account spotlighted possible cybersecurity risks in commercial aviation. The consultant told the Federal Bureau of Investigation that he hacked into in-flight networks more than a dozen times using onboard entertainment systems, as Wired magazine reported.

While a US official said that lacked credibility, the article drew attention to a US report last month about digital threats to airliners. 

U.S. government officials flagged potential vulnerabilities in the US’s pending shift to satellite-based air traffic control from current ground-based systems. They said there is a theoretical risk that an unauthorized person could gain access to sensitive aircraft systems, even though the computers running the controls are kept separate from in-flight entertainment technology.

Even with firewalls, a breach could occur if the cockpit controls system and entertainment technologies were connected to the same router or use the same networking platform, the US Government Accountability Office wrote last month.
Hacking into cockpit controls would require a combination of expert skills and a network that is sufficiently vulnerable, said Jon Haass, chairman of Cyber Intelligence & Security at Embry-Riddle Aeronautical University’s Prescott, Arizona, campus. But it’s possible because of the interconnectivity of aircraft systems, he said.

“The networks are in some sense connected, even though they’re firewalled off from each other,” Haass said. “If I can trick a network computer or device into thinking I’m OK, that would allow me to then get to the controls which I’m not authorized to touch.”

Chris Roberts, founder of a cybersecurity consulting firm called One World Labs, claimed to have made that threat a reality after being pulled off a flight last month over provocative tweets about airline hacking.
However, there is no credible information to suggest an airplane’s flight control system can be accessed or manipulated from its in-flight entertainment system, a senior law enforcement official who asked not to be identified told Bloomberg News recently.

Even so, hacking a plane’s control systems in flight would represent a dangerous and likely illegal escalation, which has angered security researchers.

While cockpit control systems have historically been isolated and self-contained units, airplane manufacturers have shifted to a concept called integrated modular avionics that run vital functions through fewer central processing units to save weight and increase the ease of software upgrades.

This approach shaved 2,000 pounds off the weight of Boeing’s most advanced commercial jet, the 787 Dreamliner, while cutting in half the numbers of processor units for Airbus Group NV’s A380 superjumbo jet, according to Aviation Today.

Although separated from the entertainment systems by firewalls, security technologies could be breached if connected to the same router or use the same networking platform, the GAO wrote. Some aircraft have controls that have an “air gap” with other airplane computer networks, meaning the different networks have separate wiring that prevents the sharing of information. That closes off that vulnerability, Embry-Riddle’s Haass said. It’s not clear that all planes have this closed-off system, he said.

The FBI is warning airline workers to watch for suspicious activities, such as passengers connecting cables or wires to the in-flight entertainment systems “or unusual parts of the airline seat,” and report any signs of tampering with the entertainment systems, according to Wired.

The Federal Aviation Administration last year ordered Boeing to ensure that computer networks on upgraded versions of its 737 aircraft are protected. Previous versions of the same plane “had very limited connectivity with external network sources” and weren’t at risk, the FAA said in the June 6 notice. The agency has issued similar notices ordering Boeing, Airbus and other aircraft manufacturers to design electronics to protect them from outside interference.

Entertainment systems on Boeing’s commercial airplanes are isolated from flight and navigation systems, and pilots have more than one navigational system at their disposal, said company spokesman Doug Alder.
“No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval,” he wrote.
Airbus has systems and procedures in place to ensure against potential cyberattacks, Mary Anne Greczyn, a spokesman for Toulouse, France-based Airbus, said in an e-mail. “We naturally do not discuss details on our security design and operations in public.”
Pilots form an additional layer of protection, John Cox, president of consulting firm Safety Operating Systems, said in an interview.

On the off chance that it was possible for a hacker to manipulate the flight controls, pilots are trained how to manually override a plane’s automatic systems, said Cox, a former pilot himself. Therefore he says, “The idea that you can somehow get in and take control of the airplane, it isn’t going to happen,” he said.
Claims Journal:  http://bit.ly/1LWLbEB

« Iran Suffering a Techno Gap in Cyber Defense
Keeping Passwords Safe From Cracking »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Red Hat

Red Hat

Red Hat is a leader in open source software development. Our software security team proactively identifies weaknesses before they become problems.

Cryptus Cyber Security

Cryptus Cyber Security

Cryptus Cyber Security is an Information Security Training company providing advanced training and services to IT Professionals.

S2 Grupo

S2 Grupo

S2 Grupo is the benchmark company in Europe and Latin America, for Cyber Intelligence and mission critical systems operations.

Mission Secure (MSi)

Mission Secure (MSi)

MSi is a specialized provider of next generation cyber defense solutions protecting control systems and critical physical assets in energy, transportation and defense.

Kobil Systems

Kobil Systems

Kobil is a pioneer in the fields of smart card, one-time password, authentication and cryptography.

Workz Group

Workz Group

Workz connects and protects mobile subscribers of today and tomorrow by providing secure removable or embedded SIMs and remote provisioning solutions for consumer, M2M and IOT devices.

CyberCareers.gov

CyberCareers.gov

CyberCareers.gov is a platform for Cybersecurity Job Seekers, Federal Hiring Managers and Supervisors, Current Federal Cybersecurity Employees, Students and Universities.

ReconaSense

ReconaSense

ReconaSense helps protect people, assets, buildings and cities with its next-gen access control and converged physical security intelligence platform.

Network Intelligence

Network Intelligence

Network Intelligence delivers a comprehensive suite of AI-powered cybersecurity solutions built on the ADVISE framework.

Active Countermeasures

Active Countermeasures

Active Countermeasures believe in giving back to the security community. We do this through free training, thought leadership, and both open source and affordable commercial tools.

Avancer Corporation

Avancer Corporation

Avancer Corporation is a multi-system integrator focusing on Identity and Access Management (IAM) Technology. Founded in 2004.

Saporo

Saporo

Saporo helps organizations increase their cyber-resistance. Continuously map your attack surface and get the recommendations you need to make your organization more resistant to attacks.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

Emerge Digital

Emerge Digital

Emerge Digital is a technology and digital innovation business and Managed Services Provider providing solutions to SMEs.

Google Cloud

Google Cloud

Accelerate your digital transformation. Whether your business is early in its journey or well on its way to digital transformation, Google Cloud can help solve your toughest challenges.

Mitra Informatics Integration (MII)

Mitra Informatics Integration (MII)

Mitra Informatics Integration is the information communication technology solution business of the Metrodata Group.