US Government Probes Airplane Vulnerabilities, Says Airline Hack Is 'Only a Matter of Time'

Joseph Cox, writing for Motherboard: U.S. government researchers believe it is only a matter of time before a cybersecurity breach on an airline occurs, according to government documents obtained by Motherboard. The comment was included in a recent presentation talking about efforts to uncover vulnerabilities in widely used commercial aircraft, building on research in which a Department of Homeland Security (DHS) team successfully remotely hacked a Boeing 737.

The documents, which include internal presentations and risk assessments, indicate researchers working on behalf of the DHS may have already conducted another test against an aircraft. They also show what the US government anticipates would happen after an aircraft hack, and how planes still in use have little or no cybersecurity protections in place.

"Potential of catastrophic disaster is inherently greater in an airborne vehicle," a section of a presentation dated this year from the Pacific Northwest National Laboratory (PNNL), a Department of Energy government research laboratory, reads. Those particular slides are focused on PNNL's findings around aviation cybersecurity. "A matter of time before a cyber security breach on an airline occurs," the document adds.

*sigh* The vulnerabilities are not what we think.

[w3woody]

First, all pilots are trained to fly the airplane manually, with all air surfaces controlled by hydraulics on most aircraft. Electric motors are also connected to these hydraulics to allow the autopilot to fly the airplane, but as a convenience. Pilots are supposed to know how to fly the airplane without the use of the autopilot and by using radio signals received by VORs (radio-directional beacons) in order to navigate using a paper chart (or an iPad with a chart on it).

That Air France Flight 447 went down was not due to "poor training" or because of a lack of ability to detect a cyber-attack, but because the copilot in that airplane panicked and pulled when he should have pushed. (Frankly his mistake was a rookie mistake that student pilots are supposed to unlearn within the first 20 hours of training.)

Now are there attack vectors which can be used to sabotage an airplane? Absolutely--but they're not the "I plugged the laptop into the network and hacked the airplane's firewall" variety, since most aircraft (certainly the 737) run parallel networks--with the avionics physically disconnected from the entertainment and WiFi systems used by the passengers.

Attack vectors would be for a passenger or someone on the ground to jam and spoof GPS signals, and to jam and spoof directional VOR and ILS transmissions, to fool the navigation equipment on the aircraft to think it's somewhere it's not. Another attack vector is jamming and overriding the air traffic voice and text communications by someone spoofing air traffic control.

The problem is exacerbated by NextGen, where aircraft broadcast their GPS location (rather than their location being detected by ground-based radar), so it makes it harder for Air Traffic Control (who watches all commercial aircraft like a hawk, alerting pilots if they deviate from their flight plan) to determine if someone has gone off course. And of course the problem is made worse by inattentive pilots who often sit around the cockpit bored when they are supposed to be monitoring the navigational equipment to make sure it looks correct. (Remember when two pilots flew off course because both of them fell asleep at the wheel?)

But onboard cyber-attacks? Puh-lease...

The solution to all of this is the solution first taught to student pilots flying their first Cessna 172: fly the damned plane. Left hand on the yoke, right hand on the throttles, both feet on the rudders, and do that stick-and-yoke thing so many of them have forgotten because they think the computer is the best pilot in the cockpit.

If I had my way, the first thing I'd mandate is that all commercial pilots--including those flying the largest A-380 airplanes--spend at least a few hours a month flying the same Cessna 172 they learned in. That way they remain viscerally connected to flying by stick and yoke--and when the computer acts up, as it always seems to do at the worst moment in the cockpit, you can still look out the window, see that piece of cement in the distance, and put the airplane down where it's supposed to go.