Calling Out a GAO Report That Says In-Flight Wi-Fi Lets Hackers Access Avionics

An anonymous reader writes A new report from the U.S. Government Accountability Office (GAO) warns that in-flight W-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and take over navigation. At the same time, a cyber expert and pilot called the report "deceiving" and said that "To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breathe air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane."

Kind of a dup, but here's a link that explains it

[xxxJonBoyxxx]

This is a dup story, so here's my dup comment:
See DefCon 22's avionics preso from 2014 to see what you can and can't do from a hacker's perspective.
https://www.defcon.org/images/...
(Since the summary doesn't even often a link or name...this MIGHT even be exactly what the submitter is talking about.)

Re:Hmmm ....

[ledow]

You know that little screen they put in the back of the seats? Do you think they're stupid enough to cable that into the engine management?

The air-phones? Do you think they're stupid enough to just tie that into the cockpit comms?

When you're talking life-dependent systems (which pretty much no-one here will ever have to deal with and certify, which is why all your electronics ALL say that it's not to be used in life-support devices etc.) like airbag deployment and plane avionics, it's heavily regulated, heavily specified, heavily tested and heavily scrutinised. Rarely does a aircraft system specified on the "jumbo jet" level do anything more than exactly what it's designed to do. Plane crashes are caused by outside influences, human input overriding the computer and by DESIGN decisions, not software failure because someone forgot to renew the licence of two DHCP servers fought over who assigned IP's to the engines.

It's an entirely different class of system that you want to hope that you never have to deal with. That's WHY large planes cost HUNDREDS of millions of dollars and you have to train for decades to be allowed near the switches - even if you're servicing them.

And, no, VLAN's would never operate in a system like that and if they did they'd be proven-safe mathematically and, hell, even my cheap commodity switches only respond to management requests on the management VLAN and no other.

They is why the guy responding is so clear on this. It's just not done. Ever. If you change a cable, or a panel, or redesign a bit of hatchway, or push out a software upgrade for a commercial airliner, it takes hundreds of people checking it, re-certification of the end-result, testing and all sorts.

Re:Kind of a dup, but here's a link that explains

Mod parent down. I attended the presentation in person. The presenter is full of shit.

He based his presentation on flight simulators and utter conjecture. Flight simulators do not model the internal workings of an airplane, but rather the flight characteristics. You can't learn how the internals work without any reference to the internals. The guy made claims about things that just aren't true. He also spread a lot of FUD - "isn't it scary that landing times are on the Internet? What evil things could I do with that?!?" Idiot. Flight plans have to be public, because they're offering travel to the public. If you don't know when the plane lands, you can't schedule a ride from family. If they don't know when it lands, they can't schedule their pickup of you.

The 'hacker' that presented that tripe doesn't know what he's talking about.