How vulnerable is air travel to cyber attack?

Last week two independent technical incidents left aircraft and countless passengers stranded on the tarmac at two airports.

In New Zealand an alleged “internal network failure” led to Airways NZ’s communication and surveillance systems being disrupted for the best part of three hours.

The second more troublesome report came from Poland’s national airline, LOT, which claimed a DDoS attack on a critical computer system at Warsaw Chopin airport prevented the issuance of flight plans, resulting in 1400 passengers being grounded for nearly five hours.

No details have been released on how the LOT attack manifested. It's difficult to speculate on how this attack occurred given these computer systems are built on closed networks and hence protected from the menace of direct network attack (from public wi-fi or the internet).

Nevertheless, a successful attack did occur, which begs the wider question to be asked - how exposed are modern aircraft to cyber attack?

This question has become more relevant given the rapid introduction of onboard passenger connectivity and wireless entertainment services, such as the Q Streaming service recently launched by Qantas.

A recent audit carried out by the US Government Accountability Office (GAO) highlighted three separate areas of aviation that needed attention with relation to cyber security issues:  air-traffic control systems, information systems, and avionics systems (the control systems used to operate and guide the aircraft).

The report (pdf) claims “significant security control weaknesses remain that threaten the [FAA's] ability to ensure the safe and uninterrupted operation of the national airspace system.”

NIST has since recommended a cyber security threat model should be developed to aid in specifically targeting the search for systemic weaknesses in aviation systems, however, the FAA said it has no plans to produce a threat model and has no funding to make a change a priority.

The GAO report specifically highlighted the modern interconnectedness of aircraft systems as a growing concern, suggesting there is no guarantee whatsoever that the avionics systems would not be exposed to attack should an attacker have the right tools and access.

The concern lies for aircraft both in-flight and when stationary on the tarmac, and the FAA has stated it is planning to introduce rules that force cyber security certification of aircraft systems prior to deployment.

This is just talk at this stage and any capability is nothing more than nascent planning, not impacting the rapid introduction of highly connected in-flight technology.

Back to the question: are these concerns grounded in reality or are they more similar to a Steven Spielberg movie pitch to a Hollywood?

In an eye-opening presentation given to the European Aviation Safety Agency (EASA), security researcher Hugo Teso said "in modern airplanes, there are a whole series of backdoors, through which hackers can gain access to a variety of aircraft systems".

Teso had earlier demonstrated how he would be able to hijack a plane using nothing more than his smartphone, albeit fully loaded with a toolkit of bespoke hacking tools that he created himself, with the primary exploitation tool dubbed PlaneSploit. The app reportedly takes over the plane’s autopilot, giving full control to the hacker.  

More recently, a flagrant demonstration of security weaknesses being exploited during a flight was the Chris Roberts case, where a security researcher made headlines after hacking flight controls via the entertainment system and making the aircraft fly “sideways” for a short period of time. 

Security problems stem from the underlying impulsiveness of businesses to be the technical trailblazers that lead with innovative new customer experiences. However, security is typically traded as a disabler of innovation, with executives accepting more risks without completely understanding the consequences.

Security, cost and usability are inextricably linked, meaning that if you decide to improve one, you can’t do it without considering the impact on the other two. If you increase your usability, you need to factor the additional security measures into your design, which invariably inflates the cost.

With cyber security issues such as these having the potential to take lives and inflict real harm, we need to tread cautiously and build safety and security measures into our systems from the beginning of the solution design lifecycle; the nature of the global threat environment we live in today demands it.