Friday, April 17, 2015

Could a Hacker Shut Down the Engines Using Onboard Wifi?

Sitting down with my morning coffee and iPad, I came across a piece of aviation clickbait that seemed to be of the standard  "seven things pilots don't want you to know" variety. The report was about a computer security expert being pulled off a United Airlines flight and questioned by the FBI about hacking into airplane systems.

The expert being questioned was a man named Chis Roberts, CTO of One World Labs, who had previously claimed that vulnerabilities in aircraft in-flight entertainment systems could possibly be used to "turn the engines off at 35,000 feet". The tone of the report was that of the breathless whistleblower sort where a person with critical knowledge was being corralled by "the system". Think Erin Brockovich of the skies I suppose.

At first blush, I thought the whole concept of hackers infecting avionics was ridiculous and that this guy, who's firm had three employees in 2011, was simply a self promoter selling a bit of sensationalism. After listening to an interview with him, I'm not so sure that his premise is completely implausible.

For a hacker to gain access to aircraft data and control systems there has to be some sort of link. That is, if the systems are not physically connected, there can't be any way to get in. So I was thinking that's that: there's no connection between passenger entertainment systems and the cockpit, but I was wrong. There is.

Most entertainment systems, including the wifi on the planes I fly, feature flight tracking information which comes from the aircraft's air data and flight management computers. Information like arrival times, flight plan, altitude, heading and airspeed comes from flight computers and is relayed through a data bus to the wifi and entertainment systems.

Knowing that this data bridge exists, could a resourceful hacker exploit this path to cause trouble? My thought is that if there is a will there is a way. I am no computer guru as my expertise in coding consists of some Fortran language skills used in college many decades ago, but I also know that many computer experts consider no computer network to be completely invulnerable.

If anyone remembers the Stuxnet affair of a few years back, hackers (who were eventually revealed as US intelligence assets) were able to infiltrate Iranian computer networks. They inserted malware which found it's way to the controllers of the centrifuges the Iranians were using to purify uranium. The bug subtly caused the machines to tear themselves apart setting the program back years.

This was an international effort complete with skullduggery which included breakins at some Taiwanese firms to get computer keys which allowed access to the networks and centrifuges. I'm still waiting for the movie. So it seems to me to be at least plausible that airplane systems could be exploited.

I guess that begs the question of why someone would wish to sabotage an airplane on which they were riding, but I think we know the answer to that one. Or, should a method be perfected, an innocent mule could then be sent on a one way trip with a laptop.

Am I particularly worried about my engines shutting down unexpectedly on my next flight? Not really. The 737s I fly have old school hydraulic flight controls, and while the engine controls are electronic, the fuel shutoff valves are not. But on the newest Boeings and Airbuses, you can pretty much count on everything being controlled by some sort of computer.

Make no mistake, the computers on commercial aircraft are extremely robust and designed with multiple failure modes but they are still computers. Simple safety features such as air gaps to isolate critical systems or perhaps unwritable firmware might be employed as countermeasures. An even simpler solution might be to completely isolate all passenger and airplane systems. Get the inflight data from a parallel but separate system.

I can't imagine that this subject has not been discussed and considered by the designers of aircraft computer architecture. A quick search found at least one commercial firm offering software security services for airlines. Apparently the FBI had some concerns. And as the gentleman on the interview mentioned, such an effort would require an expert depth of knowledge of the design of many different control and software systems to pull it off.

It seems that not a day goes by where we don't hear about crappy software or shoddy network security practices resulting in the theft of millions of credit cards or corporate technology. Software designers of avionics have enough of a headache just getting all their millions of lines of code to work properly without having to consider the additional burden of potential malware gumming up the works.

Let's hope that they have this on their radar.

1 comment:

  1. Anonymous10:27 AM

    good info, as usual. makes me want to stick to "old school hydraulic flight controls" in my travels! oh and a word to the wise: don't go blabbing on Fox News and then get on an airplane right before an important cybersecurity business meeting. (unless you know someone with clout at the FBI?)


I welcome feedback. If you have any comments, questions or requests for future topics, please feel free to comment. Comment moderation is on to reduce spam, but I'll post all legit comments.Thanks for stopping by and don't forget to visit my Facebook page!

Capt Rob