A few weeks ago I wrote about the possibility of cockpit electronics and computers being hacked through inflight entertainment systems. The story centered around a self styled computer expert claiming that he had hacked into an airliner's flight control systems through the entertainment system and had affected the flight path of the aircraft in some fashion.
I suppose it's one thing to do this, but it seems to me that it is to transcend to a significantly higher level of stupid to then publicly announce that you've done this. Of course this guy ended up being interviewed by the FBI and also got himself declared persona non grata on United Airlines, the airline he claimed to have hacked. He also got some air time on several news shows which perhaps was his goal.
But notwithstanding this clown's antics, the question remains of whether aircraft control system computers are vulnerable to hacking through Wifi, entertainment, gaming, or other onboard passenger systems. While not being a computer expert by any stretch myself, I did ask a friend who is more of a computer guru. He was able to point me toward some resources addressing inflight computer hacking. (Hat tip to Dennis Corkery)
Inflight Hacking is a Recognized Concern
The US government has recognized that the proliferation of "IP" or internet protocol networks in critical aviation computer systems presents a vulnerability to malicious attacks on systems that were previously not connected to public networks. The GAO, an investigative arm of Congress, has issued several reports in recent years critical of the FAA and their deployment of information technology. One recent report highlights the potential of aircraft systems to be compromised:
Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA's Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.And
Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them.
Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.
So, yeah, I know it's the government, but intrusion into airborne systems at least sounds plausible.
Some information system experts quickly retorted that the government experts don't know what they're talking about. (Sacre bleu!) In a Forbes article, a professor of digital forensics (whatever that is) at Bloomsburg State University in Pennsylvania claimed that the GAO report was " put together by people who don't understand how modern aircraft actually work". He insisted that:
The information passed on to the inflight entertainment system is via something called a NED (Network Extension Device). This device is not a router. This is a device that must be programmed to pass certain information to the entertainment system (aircraft position, etc.).
This is a one-way communication. Even if someone were able to send information back toward the avionics, they aren’t listening for information from the in-flight entertainment systems… Since the computer doesn’t try and read information on those wires it is not likely to be useful to an attacker.
So there you have it. Some "experts" say we're all f*cked and others say they're smoking weed. What's the truth? I have no idea. The concept of aircraft systems being compromised at least sounds plausible but like all accounts of cyber-warfare, it seems to devolve into a cat and mouse game where each side attempts to score points against the other but it is the technology laggers who typically get owned.
Personally, this issue won't keep me awake at night. And probably shouldn't keep you up either.