Slashdot Mirror


GAO Warns FAA of Hacking Threat To Airliners

chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne. In a report issued Tuesday (PDF), the GAO said, "significant security-control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system." Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that "unauthorized individuals might access and compromise aircraft avionics systems," in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.

3 of 78 comments

  1. Pilots will always be needed by bughunter · Score: 5, Interesting

    This is why the idea of remote overrides of pilot controls is a particularly BAD idea.

    A trained, qualified pilot must always have last resort authority, over any automated system and preferably even over any "assisted" system, whether it be fly by wire, hydraulic, etc. If control can be taken out of his or her hands remotely, because someone (or something) on the ground doesn't agree with the pilot's judgement, I guarantee we'll see more disasters, not fewer.

    The instances where intentional pilot misconduct or hijacking occur are few, but notorious. But the instances where human pilots in the cockpit handle minor emergencies that could easily have turned into deadly ones occur regularly and we seldom hear about most of them.

    Case in point: Do you think an autopilot on the ground could have heard a stowaway baggage handler?

    --
    I can see the fnords!
  2. Re: Of Course It Is by bobbied · Score: 4, Interesting

    There are reasons they get connected. Many times the in-flight entertainment systems need to know things like the position, speed, altitude and heading to perform their assigned tasks. If you want the entertainment system to be turned off below 10,000 feet AGL, or if you want the system to supply your customers a graphic that gives the position, speed, heading and accurate ETA, then you need to get that information from the flight management system. I can imagine that it might be important to change how the data systems connect to the internet based on where the aircraft is (choosing the cheaper data path when it is in range) or use that data connection to report maintenance information to the airline's mechanics.

    There are plenty of reasons the flight controls might not be totally air gapped from the in-flight entertainment systems.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  3. Re:Of Course It Is by hawguy · Score: 4, Interesting

    However, if the systems are properly designed and firewalled and the software properly vetted, I believe that you can eliminate the chances of having a successful attack vector. The problem though is how to write regulations that can assure something doesn't get overlooked and how you could prove that to the GAO so they will get off the FAA's back...

    Lots of companies have gotten hacked through their properly designed and firewalled network -- every software product (even firewalls) has security holes. The only sure way to isolate the avionics from the passenger network is to air gap it. Don't rely on a firewall - I really can't believe that an airgapped network is not standard practice.