Slashdot Mirror

← Back to Stories (view on slashdot.org)

Calling Out a GAO Report That Says In-Flight Wi-Fi Lets Hackers Access Avionics

Posted by timothy on from the this-postcard-is-just-an-atom-bomb dept.

An anonymous reader writes A new report from the U.S. Government Accountability Office (GAO) warns that in-flight W-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and take over navigation. At the same time, a cyber expert and pilot called the report "deceiving" and said that "To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breathe air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane."

6 of 113 comments (clear)

  1. Hmmm .... by gstoddart · · Score: 4, Insightful

    So, Mr cyber Expert and Pilot, other than saying "nuh uh", do you have anything to suggest there is no chance of this?

    We know people can hack air gaps, and if the in-flight wi-fi is at all connected to the electronics in the airplane, there's potentially a lot of attack vectors.

    And since there is no actual article, just a summary which says some guy says it can't happen ... I call "bullshit" on the whole story.

    Seriously, timothy, a link to a story or this is nothing more than innuendo.

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm .... by gstoddart · · Score: 1, Insightful

      Honestly though, we see pretty much daily that the number of security holes in a system is proportional to its complexity.

      A modern aircraft is an immensely complex maze of wiring. A 'modern' aircraft could be easily 10-15 years (or more) old, and full of systems which weren't designed with security in mind.

      If you've ever sat in an aircraft seat and seen the navigation display which shows your position, altitude and speed ... you can bet your ass there is some connectivity among the systems.

      So, if the default assumption in security is all software has bugs, and all systems have weaknesses ... it's reasonable to conclude that we simply don't know the risks here.

      But you don't simply say "oh noes, teh evidence isn't there so it's teh safe". Be it IP or not, if there are physical connections between the components, there is probably an exploit.

      --
      Lost at C:>. Found at C.
    2. Re:Hmmm .... by ledow · · Score: 5, Insightful

      You know that little screen they put in the back of the seats? Do you think they're stupid enough to cable that into the engine management?

      The air-phones? Do you think they're stupid enough to just tie that into the cockpit comms?

      When you're talking life-dependent systems (which pretty much no-one here will ever have to deal with and certify, which is why all your electronics ALL say that it's not to be used in life-support devices etc.) like airbag deployment and plane avionics, it's heavily regulated, heavily specified, heavily tested and heavily scrutinised. Rarely does a aircraft system specified on the "jumbo jet" level do anything more than exactly what it's designed to do. Plane crashes are caused by outside influences, human input overriding the computer and by DESIGN decisions, not software failure because someone forgot to renew the licence of two DHCP servers fought over who assigned IP's to the engines.

      It's an entirely different class of system that you want to hope that you never have to deal with. That's WHY large planes cost HUNDREDS of millions of dollars and you have to train for decades to be allowed near the switches - even if you're servicing them.

      And, no, VLAN's would never operate in a system like that and if they did they'd be proven-safe mathematically and, hell, even my cheap commodity switches only respond to management requests on the management VLAN and no other.

      They is why the guy responding is so clear on this. It's just not done. Ever. If you change a cable, or a panel, or redesign a bit of hatchway, or push out a software upgrade for a commercial airliner, it takes hundreds of people checking it, re-certification of the end-result, testing and all sorts.

  2. Uhh by StikyPad · · Score: 4, Insightful

    If there's no air gap between the passengers and the engines on your flights, then I'll take another flight please.

    --
    https://www.eff.org/https-everywhere
  3. Re:Kind of a dup, but here's a link that explains by Lumpy · · Score: 4, Insightful

    It's the same for all the hype over car systems. EVERY SINGLE EXAMPLE they have to install hardware to get access to the data interface.

    So yes Terrorists can take over the airplane from their cellphones if the flight crew let them into the maintenance areas and help them install several specialized devices that give them access.

    The terrorists need to make appointments so they can make sure that avionics technicians are on hand to help them

    --
    Do not look at laser with remaining good eye.
  4. Re:Kind of a dup, but here's a link that explains by Lumpy · · Score: 3, Insightful

    Hackers have a better chance of deorbiting a satellite and hitting the aircraft while it is in flight than they do taking it over from the in flight wifi.

    --
    Do not look at laser with remaining good eye.