GAO Warns FAA of Hacking Threat To Airliners

chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne. In a report issued Tuesday (PDF), the GAO said, "significant security-control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system." Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that "unauthorized individuals might access and compromise aircraft avionics systems," in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.

Of Course It Is

[Greyfox]

And they're not going to do anything about it until it actually happens, because that would cost money and some douchebag CEO wants a fat bonus this quarter. There could be a law if you could get Congress to cooperate. And if they weren't all old and actually understood anything about computers. You'd think as much as most of them fly, they'd be worried about that. I'd guess if you ask any given one, it wouldn't even be on their top 100 list of things to be worried about. Probably not even on their top 100 list of things to be worried about while flying.

Re:Of Course It Is

[bobbied]

However, if the systems are properly designed and firewalled and the software properly vetted, I believe that you can eliminate the chances of having a successful attack vector. The problem though is how to write regulations that can assure something doesn't get overlooked and how you could prove that to the GAO so they will get off the FAA's back...

Lots of companies have gotten hacked through their properly designed and firewalled network -- every software product (even firewalls) has security holes. The only sure way to isolate the avionics from the passenger network is to air gap it. Don't rely on a firewall - I really can't believe that an airgapped network is not standard practice.

Not exactly true. IF you have fully defined all the possible traffic that goes though your firewall, down to the exact bytes you allow though and what you don't, you can write effective filters and verify that nothing else gets though, then you can have confidence that your firewall will work as expected. But this implies that your firewall does full packet inspection all the way up though the application layer. You CAN do that, it's just a lot of work to specify and verify everything to that much detail.

The problem for most commercial firewalls that are used in corporate networks is that you simply cannot fully define what you allow though and what you don't. Even if you could define that well enough, no firewall could do the necessary processing to dive deep into the packet content and filter out all possible exploits as it would take too much processing power and time. It's just not practical do it at this level.

However, if you have tight controls on your avionics interfaces (and they do) and can construct a safe way to supply the information needed, there are very safe ways to avoid hacking yet have connections. It's a pain to do, and even a bigger pain to verify you actually did it, but it's possible.