In-flight Wi-Fi can be an open door for hackers

A report published by the Government Accountability Office (GAO) warns that the FAA faces some serious cyber security issues for modern flights.

Security experts for a long time suspected that in-flight Wi-fi could create an entry door for hackers and a new report issued by The US Government Accountability Office (GAO) describes the dungeon of such action.

The report titled  “FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen“reveals for example how IP networks left flights “open” to cyber-attacks (in-flight wireless, internet-based cockpit).

“IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” states the report.

The reports highlights two principal sources of problems.

• The first source comes when a passenger uses the in-flight Wi-fi and as the report says, “Four cyber security experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.”

According to the experts, the flight cockpit and passengers use the same router and share the same internal network, this means that a passenger could interfere with control console creating serious problems.

The airplanes are very sophisticated systems. They are comparable to a complex network in which each system runs its software component that could be compromised exactly like the information exchanged by the parts. Many investigators revealed that an attacker with a deep knowledge of the plane’s system could intentionally cause serious problems with its normal operation.

“The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin,”

By the fact that nowadays everyone uses smartphones/tablets, things got even worse,

“The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems,”

• The second source of the problem can come from the internet, since the aircrafts use IP protocols like anyone, meaning that can make the aircraft vulnerable for instance for a hacker to be able to install malware, and as the report says,

“One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.”

We can agree that until now we haven’t seen any attack to an aircraft coming from “outside” of “inside”, but the real threat exists we there is the need to avoid this, to never happen.

In 2013, a security consultant Hugo Teso was able to prove the point, and demonstrated how from smartphone he exploited the Automatic Dependent Surveillance-Broadcast navigation system, as well the plane’s Flight Management System.

After this demonstration of the used method, the vulnerability was patched. The report also says that the FAA is taking steps to have better cyber security policies, for that a group of experts are working together and it’s expected to have a draft in Sep2015 that will provide a guide to how restructure the IT infrastructure.

Concluding, I think that there are yet some steps to be done until we can feel safer when entering and traveling in an airplane and cyber security should be a vector of investment, where there is the need to create more strict regulations, certification standards, proprietary technologies, etc. etc., but all needs time.

I look forward seeing what improvements will be done in the industry in the next years, for the flight safety and cyber security of in-board systems.

About the Author Elsio Pinto

Pierluigi Paganini

(Security Affairs –  Flight, hacking, GAO)