Can Aircraft Really Be Hacked Through the WiFi or Entertainment System?

DEF CON 22, Las Vegas, NV 2014 - Over the past year or so there have been several discoveries in the aviation industry that have had security researchers and regular people very concerned. We have covered a couple of these that have hit including a claim that a plane can be attacked through its inflight WiFi system and also a very recent one that claims to have found hard coded root credentials in the firmware of some satellite communication equipment. The aviation industry has been quick to refute these claims (and with good reason), but the question still persists: are air craft vulnerable to remote hacking?

According to a talk given by Dr. Phil Polstra and Captain Polly (both with lots of experience in aviation) things might not be as grim as presented, but there are still things that need to be done. Dr Polstra started off by talking about the reason for the claims and their persistence. He stated that these claims get notice because they are bold and get lots of press. They are also not easy to validate by the press (or most normal people).  Now while these are both true there is the fact that people are looking closer at the airlines simply because they are responsible for many people’s safety and are, for the most part, operating older hardware and software. It has also been pointed out that there are little to no security in place for the protocols used for air plane controls and systems.

It has been this last part along with an increasing interest in attacking firmware (to find the hidden logins and admin access there) that makes looking at the airlines so interesting. But what is the extent of the danger? Could an attacker take over a plane and fly it as they wanted to? What, if any, backups or overrides exist to prevent compromise of the aircraft? That is what Dr. Polstra and Captain Polly were there to discuss.

The talk began with a clear statement: an attacker cannot override the pilot of an aircraft or their input on the controls. This was followed up with the reminder that all planes are required to have mechanical backups to their systems and that even if you compromised the auto pilot it can be disabled in a number of ways and is not strong enough to prevent pilot interaction with the controls. On top of this, unless there was a massive compromise of the system there would some sort of alarm that would go off for any drastic change in course or altitude of the plane.

From there the talk dived into the much more boring role of listing out the individual hardware and protocols used in modern (and not so modern) aircraft. Some of the highlights of the information include the fact that none of the flight controls or aircraft systems were on a TCP/IP network. Although newer systems do use Ethernet, they are not pushing information over anything close to TCP/IP and are never over wireless or connected to passenger accessible systems.

Even the systems that show the passengers course, speed, altitude and location are only reading that information through a one-way gateway called a Network Extension Device (NED). A NED takes the none-TCP/IP output and translates it to TCP/IP based information for output only. The Flight Management System (FMS) does not accept any information from the NED though there is the possibility that the compromise of the NED could allow an attacker to pretend to be other systems on the aircraft. This has the potential to allow someone to communicate with the FMS which is a concern as the protocols for communication are not secured. So far there have been no proven method of doing this though and there is always that manual override that a pilot has.

Other methods that have been talked about for attacking aircraft in flight are going after the collision avoidance systems. Dr. Polsta and Captain Polly went after each of these and explained the impacts that someone can have. Through the use of ADS (B and A) transponders an attacker could potentially send fake weather notices, phantom planes and even can be jammed, but as it is not an authoritative (must be confirmed by visual sighting) system it is not likely to have much of an impact to an aircraft. Hacking the TIS-B system would also yield little results as it is simply not wide spread and also is another non-authoritative system. This system is used by Air Traffic Control to relay ADS-B beacons to aircraft, but does not relay all of them. This limits its use in any remote attack.

The last two big ones in the realm of collision avoidance are the TCAD and TCAS. TCAD is used by smaller planes and is unlikely to be a target for attack. TCAS is used on larger or more complex aircraft and is one of the few authoritative systems. A pilot can see an aircraft indicator there and acknowledge it without needing to see it. This is because the system actually interrogates the transponders that aircraft use to gain information about them. Attacking TCAS is also of very little value as you would need to have the transponders in the air around the air craft. Doing this from the ground is not going to be effective.

Last up on the possible avenues of compromise is a communication system called ACARS. This system is used to send messages between people and systems on the aircraft and to the ground. Some of these messages are flight plan changes, and also systems information from the engine monitors to the ground. Someone could send a bogus flight plan, but any change would be verbally verified by someone at the airline so that would be of little use. There is one open area that is not related to the safety of the plane though. It seems that passenger manifests are often sent via this system, but this is more of a privacy issue than a safety one.

So are planes 100% safe from hacking? The short answer is mostly. There are areas for concern in aircraft systems, but for now there are multiple manual systems that can be used to override current automated controls. Still the aviation industry does need to change their practice of using unsecured protocols even when talking about segmented systems attackers are clever and have been known to find ways of making one-way devices work in their favor. We do imagine that as the light is shined on this new area of security things will change and newer air craft will include more secure systems and older craft will be retrofitted with them when going through normal maintenance windows.

So you can stop worrying about someone breaking into flight controls through the onboard WiFi or entertainment system, at least until you hear about exploits of the NEDs used to push that data out. We hope that long before that happens the airlines and aircraft makers will have moved to much more secure protocols and devices. It is likely that they already exist for military aircraft, now we just need to get them pushed out to commercial and private airplanes.

Tell us what you think in our Forum

No comments

Leave your comment

In reply to Some User