GAO Warns FAA of Hacking Threat To Airliners

chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne. In a report issued Tuesday (PDF), the GAO said, "significant security-control weaknesses remain that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system." Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that "unauthorized individuals might access and compromise aircraft avionics systems," in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.

Of Course It Is

[Greyfox]

And they're not going to do anything about it until it actually happens, because that would cost money and some douchebag CEO wants a fat bonus this quarter. There could be a law if you could get Congress to cooperate. And if they weren't all old and actually understood anything about computers. You'd think as much as most of them fly, they'd be worried about that. I'd guess if you ask any given one, it wouldn't even be on their top 100 list of things to be worried about. Probably not even on their top 100 list of things to be worried about while flying.

Re:Of Course It Is

[bobbied]

Look, don't be so jaded about the aircraft industry... They are not the ones the GAO is going after...

This is about the FAA and the regulations they enforce when certifying aircraft are safe to fly, not about Boeing's CEO making more money or shareholders getting their profits by cutting safety corners. Where it MIGHT be a political issue, where Boeing hires lobbyists to try and get the rules the FAA enforces changed, it's not directly related to cutting corners for profits.

Of course the GAO is right, sort of.. The possibility exists for someone to hack the flight controls from the entertainment systems if they are connected in some way. However, if the systems are properly designed and firewalled and the software properly vetted, I believe that you can eliminate the chances of having a successful attack vector. The problem though is how to write regulations that can assure something doesn't get overlooked and how you could prove that to the GAO so they will get off the FAA's back...

Re: Of Course It Is

[bobbied]

There are reasons they get connected. Many times the in-flight entertainment systems need to know things like the position, speed, altitude and heading to perform their assigned tasks. You want the entertainment system to be turned off below 10,000 feet AGL, or if you want the system to supply your customers a graphic that gives the position, speed, heading and accurate ETA then you need to get that information from the flight management system. I can imagine that it might be important to change how the data systems connect to the internet based on where the aircraft is (choosing the cheaper data path when it is in range) or use that data connection to report maintenance information to the airline's mechanics.

There are plenty of reasons the flight controls might not be totally air gapped from the in-flight entertainment systems.

Re:Of Course It Is

[hawguy]

However, if the systems are properly designed and firewalled and the software properly vetted, I believe that you can eliminate the chances of having a successful attack vector. The problem though is how to write regulations that can assure something doesn't get overlooked and how you could prove that to the GAO so they will get off the FAA's back...

Lots of companies have gotten hacked through their properly designed and firewalled network -- every software product (even firewalls) has security holes. The only sure way to isolate the avionics from the passenger network is to air gap it. Don't rely on a firewall - I really can't believe that an airgapped network is not standard practice.

Re:Of Course It Is

[bobbied]

However, if the systems are properly designed and firewalled and the software properly vetted, I believe that you can eliminate the chances of having a successful attack vector. The problem though is how to write regulations that can assure something doesn't get overlooked and how you could prove that to the GAO so they will get off the FAA's back...

Lots of companies have gotten hacked through their properly designed and firewalled network -- every software product (even firewalls) has security holes. The only sure way to isolate the avionics from the passenger network is to air gap it. Don't rely on a firewall - I really can't believe that an airgapped network is not standard practice.

Not exactly true. IF you have fully defined all the possible traffic that goes though your firewall, down to the exact bytes you allow though and what you don't, you can write effective filters and verify that nothing else gets though, then you can have confidence that your firewall will work as expected. But this implies that your firewall does full packet inspection all the way up though the application layer. You CAN do that, it's just a lot of work to specify and verify everything to that much detail.

The problem for most commercial firewalls that are used in corporate networks is that you simply cannot fully define what you allow though and what you don't. Even if you could define that well enough, no firewall could do the necessary processing to dive deep into the packet content and filter out all possible exploits as it would take too much processing power and time. It's just not practical do it at this level.

However, if you have tight controls on your avionics interfaces (and they do) and can construct a safe way to supply the information needed, there are very safe ways to avoid hacking yet have connections. It's a pain to do, and even a bigger pain to verify you actually did it, but it's possible.

Pilots will always be needed

[bughunter]

This is why the idea of remote overrides of pilot controls is a particularly BAD idea.

A trained, qualified pilot must always have last resort authority, over any automated system and preferably even over any "assisted" system, whether it be fly by wire, hydraulic, etc. If control can be taken out of his or her hands remotely, because someone (or something) on the ground doesn't agree with the pilot's judgement, I guarantee we'll see more disasters, not fewer.

The instances where intentional pilot misconduct or hijacking occur are few, but notorious. But the instances where human pilots in the cockpit handle minor emergencies that could easily have turned into deadly ones occur regularly and we seldom hear about most of them.

Case in point: Do you think an autopilot on the ground could have heard a stowaway baggage handler?

Wisdom follows, pay attention!

Hello,

Here is some crushed FUD for thought:

- As long as pilots are in the cockpit, they can pull circuit breakers and then it's game over for Stuxnet worm or whatever e-threat. For example in the Airbus A-320 there are 3 or 4 (3 digital +1 analogue) flight control computers, depending on how old or new make the plane is. Their juice can be denied by breakers on the cockpit overhead panel, one-by-one. This is how the logic works:

- When all 3 digital flight computers run and agree about the situation, it is "normal law": pilot moves joystick, computers decide if it is both absolutely safe and comfortable to do so and when affirmative, execute the manouver.

- When only 2 computers run or 1 cpu has been voted out by the majority, it is "alternate law": pilot moves joystick, computers decide if it is reasonably safe to do so and if yes, execute the manouver (maximum pax comfort be damned and alpha floor stall protection is partially lost).

- When only 1 computer runs, it is "direct law": pilot moves joystick and the computer forwards the instruction to electro-hydraulic actuators, to execute the manouver in a brain-dead manner.
(Passanger comfort be damned and for safety, hope that the pilots are skilled and talented aviators who will keep the plane flying. That is not always a given for the younger generation, e.g. the button-pushers who crashed the AF flight 447. On the other hand, computer circuit breaker pulling, until reaching "direct law" was the very method which Lufthansa pilots followed for rescue when the speedometer of their A-320 froze up and confused computers wanted to send the plane into a never-ending descent under "normal law".)

- When 0 digital computers remain running (e.g. giant EMP from a nuke or nearby supernova) pilots would have somewhat limited tools remaining on the newer model year Airbus-320 planes, such as:

The foot pedals (rudder) are still mechanically connected with steel rope and pulley to the rudder sail in the tail, allowing turn to the left and right.
The trim-wheel is also mechanicall connected to the little adjustment tabs on the horizontal flying tail, allowing limited control of descent and climb.
Jet engines' power can also be controlled manually to allow for descend/climb and near-idle before landing (but without FADEC computerized help the pilots must be careful not to wreck the turbines with sudden moves on the thrust levers)
All this is a very tricky situation, therefore much drilled in flight simulator training!

- Unlike the Airbus A-320, the Boeing's B-737 is not fly-by-wire, as it is derived from an early 1960s design and big fleet customers, like Ryanair are outright banning Boeing from any innovation, not willing to spend a penny on pilot re-training!

This legacy-mania is how Helios airlines' B737 crashed: the pressurization to give breathable air at high altitude is completely under manual control on B-737 and activation is often forgotten. By the time the warning siren sounds at over 3000 meters altitude, pilots can be too mountain-sick to react properly in time and faint. A hungarian Malev airlines B-737 almost crashed under eerily similar circumstances a few years ago, so Helios was not a unique occurance. The landing gear is similarly full manual operation, that's how the polish wrecked a B-767 last year. Yet large fleet customers ban Boeing from improving ergonomy and foolproof-ness, not wanting to spend on any pilot re-training.

If it weren't for Airbus, Boeing would still be making airplanes with "swiss watch filled cockpit dashboards" because they carry a lot of legacy and the existing customer base / operators are very resistant to any change that would mandate personnel re-training. Glass cockpit (LCD screen) displays, electronic flight controls are all thanks to Airbus in the world of civilian aviation and Boeing is slowly following, due to the fuel economy benefits fly-by-wire and FADEC provide.

- The big problem is airlines no longer allow their pilots to fly general aviation (soa