Hacker’s Into Commercial Airline Systems

Screen-Shot-2015-04-16-at-07.54.43-655x360.png

 

Even as the US questioned a computer researcher’s claims of tampering with a jetliner in flight, his account spotlighted possible cybersecurity risks in commercial aviation. The consultant told the Federal Bureau of Investigation that he hacked into in-flight networks more than a dozen times using onboard entertainment systems, as Wired magazine reported.

While a US official said that lacked credibility, the article drew attention to a US report last month about digital threats to airliners. 

U.S. government officials flagged potential vulnerabilities in the US’s pending shift to satellite-based air traffic control from current ground-based systems. They said there is a theoretical risk that an unauthorized person could gain access to sensitive aircraft systems, even though the computers running the controls are kept separate from in-flight entertainment technology.

Even with firewalls, a breach could occur if the cockpit controls system and entertainment technologies were connected to the same router or use the same networking platform, the US Government Accountability Office wrote last month.
Hacking into cockpit controls would require a combination of expert skills and a network that is sufficiently vulnerable, said Jon Haass, chairman of Cyber Intelligence & Security at Embry-Riddle Aeronautical University’s Prescott, Arizona, campus. But it’s possible because of the interconnectivity of aircraft systems, he said.

“The networks are in some sense connected, even though they’re firewalled off from each other,” Haass said. “If I can trick a network computer or device into thinking I’m OK, that would allow me to then get to the controls which I’m not authorized to touch.”

Chris Roberts, founder of a cybersecurity consulting firm called One World Labs, claimed to have made that threat a reality after being pulled off a flight last month over provocative tweets about airline hacking.
However, there is no credible information to suggest an airplane’s flight control system can be accessed or manipulated from its in-flight entertainment system, a senior law enforcement official who asked not to be identified told Bloomberg News recently.

Even so, hacking a plane’s control systems in flight would represent a dangerous and likely illegal escalation, which has angered security researchers.

While cockpit control systems have historically been isolated and self-contained units, airplane manufacturers have shifted to a concept called integrated modular avionics that run vital functions through fewer central processing units to save weight and increase the ease of software upgrades.

This approach shaved 2,000 pounds off the weight of Boeing’s most advanced commercial jet, the 787 Dreamliner, while cutting in half the numbers of processor units for Airbus Group NV’s A380 superjumbo jet, according to Aviation Today.

Although separated from the entertainment systems by firewalls, security technologies could be breached if connected to the same router or use the same networking platform, the GAO wrote. Some aircraft have controls that have an “air gap” with other airplane computer networks, meaning the different networks have separate wiring that prevents the sharing of information. That closes off that vulnerability, Embry-Riddle’s Haass said. It’s not clear that all planes have this closed-off system, he said.

The FBI is warning airline workers to watch for suspicious activities, such as passengers connecting cables or wires to the in-flight entertainment systems “or unusual parts of the airline seat,” and report any signs of tampering with the entertainment systems, according to Wired.

The Federal Aviation Administration last year ordered Boeing to ensure that computer networks on upgraded versions of its 737 aircraft are protected. Previous versions of the same plane “had very limited connectivity with external network sources” and weren’t at risk, the FAA said in the June 6 notice. The agency has issued similar notices ordering Boeing, Airbus and other aircraft manufacturers to design electronics to protect them from outside interference.

Entertainment systems on Boeing’s commercial airplanes are isolated from flight and navigation systems, and pilots have more than one navigational system at their disposal, said company spokesman Doug Alder.
“No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval,” he wrote.
Airbus has systems and procedures in place to ensure against potential cyberattacks, Mary Anne Greczyn, a spokesman for Toulouse, France-based Airbus, said in an e-mail. “We naturally do not discuss details on our security design and operations in public.”
Pilots form an additional layer of protection, John Cox, president of consulting firm Safety Operating Systems, said in an interview.

On the off chance that it was possible for a hacker to manipulate the flight controls, pilots are trained how to manually override a plane’s automatic systems, said Cox, a former pilot himself. Therefore he says, “The idea that you can somehow get in and take control of the airplane, it isn’t going to happen,” he said.
Claims Journal:  http://bit.ly/1LWLbEB

« Iran Suffering a Techno Gap in Cyber Defense
Keeping Passwords Safe From Cracking »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cloudbric

Cloudbric

Cloudbric is a cloud-based web security service, offering award-winning WAF, DDoS protection, and SSL, all in a full-service package.

MetricStream

MetricStream

MetricStream provide integrated GRC solutions across business, IT, and security functions.

Assured Information Security (AIS)

Assured Information Security (AIS)

AIS is committed to providing our customers with critical information security products, services, and training. We support diverse needs throughout business and industry.

NRI Secure Technologies

NRI Secure Technologies

NRI SecureTechnologies is a Cybersecurity group company of the Nomura Research Institute (NRI) and a global provider of next-generation Managed Security Services and Security Consulting.

MAD Security

MAD Security

MAD Security is a premier provider of information and cybersecurity solutions that combine technology, managed security services, support and training.

SQN Banking Systems

SQN Banking Systems

SQN Banking Systems fraud detection software products are a critical step towards overcoming the growing problem of fraud across the various payment channels.

Digitpol

Digitpol

Digitpol’s Cyber Crime Investigation experts investigate hacking incidents, ransomware, extortion and conduct security audits and IT upgrades.

PKI Solutions

PKI Solutions

PKI Solutions offers Public Key Infrastructure (PKI) products, services, and training to help ensure the security of organizations now and in the future.

Adversa AI

Adversa AI

Adversa's mission is to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents.

Gravitee

Gravitee

Gravitee helps organizations manage and secure their entire API lifecycle with solutions for API design, management, security, productization, real-time observability, and more.

CloudWave

CloudWave

CloudWave, the expert in healthcare data security, provides cloud, cybersecurity, and managed services to healthcare organizations.

Tychon

Tychon

Tychon develops advanced enterprise endpoint management technology that enables commercial and government organizations to bridge the gap between security and IT operations.

Reveald

Reveald

Reveald is making Exposure Management a reality to solve the biggest challenges in cybersecurity with a trailblazing ‘offense to defense’ approach that gives the advantage back to the business.

Merkle Science

Merkle Science

Merkle Science provides next generation risk mitigation, compliance and forensics for crypto-native businesses, DeFi participants, financial institutions & government agencies.

UltraViolet Cyber

UltraViolet Cyber

UltraViolet is an industry leading tech-enabled managed security services company.

Cyber Castellum

Cyber Castellum

Cyber Castellum is a cybersecurity consulting firm that specializes in the identification of security vulnerabilities in an organization’s technology landscape.