In-flight wi-fi could be used to hack planes, US watchdog warns

The increasing connectedness of modern aircraft – from in-cabin wi-fi to more sophisticated air traffic control systems – may make them more vulnerable to hackers, a US government agency has warned.

A new report from the US Government Accountability Agency (GAO) says modern communications technologies, including IP connectivity, increasingly used in aircraft systems, are "creating the possibility that unauthorised individuals might access and compromise aircraft avionics systems".

Internet connectivity in the passenger cabins of planes "should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors", the GAO wrote.

The agency claimed security experts had informed it that "a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines".

"The threat of malicious activity by trusted insiders also grows with the ease of access to avionics systems afforded by IP connectivity if proper controls, such as role-based access, are not in place," the GAO wrote.

"For example, the presence of personal smartphones and tablets in the cockpit increases the risk of a system being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems."

The world's convergence on IP-based systems is in itself a problem, according to the report, which noted that historically, aircraft systems for avionics and in-flight entertainment functioned as "isolated and self-contained units", which protected planes' avionics systems from remote attack.

"However, according to FAA (the Federal Aviation Authority) and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them," the GAO wrote.

"Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard.

"Four cybersecurity experts with whom we spoke ... all said that because firewalls are software components, they could be hacked like any other software and circumvented."

A user could subvert the firewall and access the cockpit avionics systems if the cabin systems connect to the cockpit avionics systems and use the same networking platform, the GAO said.

Even new IP-connected air traffic control systems – which greatly improve the efficiency of airspace management – bring their own risks, especially where they interface with legacy point-to-point systems that lack modern cybersecurity features, it said.

The FAA's next-generation air traffic control system will use IP-networking technologies to communicate across the enterprise.

"This transformation involves acquiring, certifying, and operating a vast network of navigation, communications, and surveillance systems, including information systems in the cockpits of thousands of aircraft (avionics); it will also employ digital and Internet-based computer networking technologies, exposing the air traffic control (ATC) system to new cybersecurity risks," the GAO said.