US Government Probes Airplane Vulnerabilities, Says Airline Hack Is 'Only a Matter of Time'

Joseph Cox, writing for Motherboard: U.S. government researchers believe it is only a matter of time before a cybersecurity breach on an airline occurs, according to government documents obtained by Motherboard. The comment was included in a recent presentation talking about efforts to uncover vulnerabilities in widely used commercial aircraft, building on research in which a Department of Homeland Security (DHS) team successfully remotely hacked a Boeing 737.

The documents, which include internal presentations and risk assessments, indicate researchers working on behalf of the DHS may have already conducted another test against an aircraft. They also show what the US government anticipates would happen after an aircraft hack, and how planes still in use have little or no cybersecurity protections in place.

"Potential of catastrophic disaster is inherently greater in an airborne vehicle," a section of a presentation dated this year from the Pacific Northwest National Laboratory (PNNL), a Department of Energy government research laboratory, reads. Those particular slides are focused on PNNL's findings around aviation cybersecurity. "A matter of time before a cyber security breach on an airline occurs," the document adds.

Re:Commercial aircraft connected to the Internet?

[w3woody]

So passengers can use WiFi while on board. Duh.

The real question is "why is the cockpit navigational equipment connected to the Internet," and the answer is "it isn't." Nor is the autopilot on most designs.

*sigh* The vulnerabilities are not what we think.

[w3woody]

First, all pilots are trained to fly the airplane manually, with all air surfaces controlled by hydraulics on most aircraft. Electric motors are also connected to these hydraulics to allow the autopilot to fly the airplane, but as a convenience. Pilots are supposed to know how to fly the airplane without the use of the autopilot and by using radio signals received by VORs (radio-directional beacons) in order to navigate using a paper chart (or an iPad with a chart on it).

That Air France Flight 447 went down was not due to "poor training" or because of a lack of ability to detect a cyber-attack, but because the copilot in that airplane panicked and pulled when he should have pushed. (Frankly his mistake was a rookie mistake that student pilots are supposed to unlearn within the first 20 hours of training.)

Now are there attack vectors which can be used to sabotage an airplane? Absolutely--but they're not the "I plugged the laptop into the network and hacked the airplane's firewall" variety, since most aircraft (certainly the 737) run parallel networks--with the avionics physically disconnected from the entertainment and WiFi systems used by the passengers.

Attack vectors would be for a passenger or someone on the ground to jam and spoof GPS signals, and to jam and spoof directional VOR and ILS transmissions, to fool the navigation equipment on the aircraft to think it's somewhere it's not. Another attack vector is jamming and overriding the air traffic voice and text communications by someone spoofing air traffic control.

The problem is exacerbated by NextGen, where aircraft broadcast their GPS location (rather than their location being detected by ground-based radar), so it makes it harder for Air Traffic Control (who watches all commercial aircraft like a hawk, alerting pilots if they deviate from their flight plan) to determine if someone has gone off course. And of course the problem is made worse by inattentive pilots who often sit around the cockpit bored when they are supposed to be monitoring the navigational equipment to make sure it looks correct. (Remember when two pilots flew off course because both of them fell asleep at the wheel?)

But onboard cyber-attacks? Puh-lease...

The solution to all of this is the solution first taught to student pilots flying their first Cessna 172: fly the damned plane. Left hand on the yoke, right hand on the throttles, both feet on the rudders, and do that stick-and-yoke thing so many of them have forgotten because they think the computer is the best pilot in the cockpit.

If I had my way, the first thing I'd mandate is that all commercial pilots--including those flying the largest A-380 airplanes--spend at least a few hours a month flying the same Cessna 172 they learned in. That way they remain viscerally connected to flying by stick and yoke--and when the computer acts up, as it always seems to do at the worst moment in the cockpit, you can still look out the window, see that piece of cement in the distance, and put the airplane down where it's supposed to go.

Re:*sigh* The vulnerabilities are not what we thin

[w3woody]

I did not say the pilots were rookies. I said the copilot made a rookie mistake:

I notice you didn't quote the relevant part of the Wikipedia article:

In response to the stall, first officer Robert took over control and pushed his control stick forward to lower the nose and recover from the stall; however, Bonin was still pulling his control stick back, lifting the nose further up. The inputs cancelled each other out.

Rookie mistake. (1) You always clearly announce who is in control of the aircraft. Generally this is announced by one pilot saying "my controls", and the other responding "your controls." Two pilots trying to do the opposite action is rookie mistake number 1.

(1) When the aircraft is in a stall, it's because insufficient air is flowing over the wing, and the wing cannot provide lift. This is solved by pushing the nose down, allowing the aircraft to regain airspeed. Bonin, the co-pilot, was pulling the stick back, which can only be read as that he panicked, and forgot training he should have learned while learning how to recover from stalls waaaaaay back when he first started learning to fly and got his basic pilots certificate. The pilot pulling when he should push is rookie mistake number 2.

On top of all of this, your assertion:

Your desire for pilots to fly the plane manually is laudable, but planes have become highly sophisticated beasties.

Are you asserting flying is too hard for humans? Because that would worry the fuck out of me. Or are you asserting flying commercial jets is hard? Because there I'd completely agree with you; the most complex thing I've flown is a single-prop high-performance retractible out of a Class C airport in IFR, and the idea of flying a jet is intimidating as hell. But then, that's why the guys who fly commercial jets get additional training: to learn how to keep ahead of these highly sophisticated beasties.