Head of European aviation body EASA warns of cyber-attack risk against aircraft

The chief of the European Aviation Safety Agency (EASA) has warned that hackers could infiltrate critical systems that keep planes up in the air.  He has said that cyber-criminals could hack into critical systems on planes from the ground. He told European aviation journalists that his organisation had hired a penetration tester to find and exploit vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit messages between aircraft and ground stations. Over the past two years, there has been an increasing number of cyber-security incidents reported in the aviation industry. There have been several incidents in which security consultants have succeeded in gaining access to aircraft controls. The aircraft navigation and other control systems are effectively separated from non-critical systems such as entertainment, so that should mean the risk of hacking critical systems is low. But experts warn that the ACARS system was not designed, in the 1970s, with cyber-security in mind and could therefore be vulnerable to attack.  EASA said the next generation of air traffic management systems, such as SESAR, will need to be protected, as SESAR relies a lot on satellite-based communications and navigation – increasing the risks.

European aviation body warns of cyber-attack risk against aircraft

By Rene Millman (SCMagazine – Security)
October 12, 2015

Hackers could infiltrate critical systems that keep planes up in the air, warns the chief of the European Aviation Safety Agency

The chief of Europe’s top airline safety agencies warned that cyber-criminals could hack into critical systems on an airplane from the ground.

Patrick Ky, director of the European Aviation Safety Agency, told European aviation journalists at a meeting of the Association des Journalistes Professionnels de l’Aéronautique et de l’Espace (AJPAE) that his organisation had hired a penetration tester to find and exploit vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit messages between aircraft and ground stations.

Over the past two years, there has been an increasing number of cyber-security incidents reported in the aviation industry.

As reported by French newspaper Les Echoes, Ky said the white-hat hacker, who was also a professional pilot, took five minutes to crack the messaging system. It was another couple of days before the same consultant managed to gain access to aircraft control systems.

“For security reasons, I will not tell you how he did it, but I’ll let you judge if the risk is high or low,” Ky told reporters.

According to the report, research conducted by the International Civil Aviation Organisation (ICAO) last year said that as aircraft navigation and other control systems are effectively separated from non-critical systems such as entertainment, that the risk of hacking critical systems was low.

But experts rejected this and warned that because ACARS uses a proprietary encoding/decoding scheme in use since 1978, this was not designed with cyber-security in mind and therefore vulnerable to attack.

Ky said that the next generation of air traffic management systems such as the Single European Sky ATM Research, or Sesar, will need protecting. Sesar relies a lot on satellite-based communications, navigation and surveillance systems.

“With the introduction of SESAR and the possibility for the air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied,” said Ky. “We need to start by putting in place a structure for alerting airlines on cyber-attacks.”

He said in the longer term, the EFSA, which is responsible for making sure aircraft are safe, could also certify airline equipment against being hacked.

Mike Westmacott, cyber consultant at Thales UK, told SCMagazineUK.com that as the article does not disclose the attack vectors, tools or techniques used, it is impossible to determine the level of risk associated with the claims.

“It is, however, possible to present levels of risk for theoretical situations. If the penetration tester (who was also a pilot) was able to obtain access to the ACARS message system from the on-plane public Wi-Fi, or from any facility that the public has access to, then the risk would be substantial – and any aircraft exposing such a vulnerability would likely be immediately grounded,” he said.

“If on the other hand the tester (as a pilot) was able to use a connection that was restricted access (physically – such as in the cockpit or staff areas) then the risk is reduced, potentially significantly.”

Westmacott added that airlines must ensure that safety critical systems and control networks are segregated from publicly accessible facilities, and that aircraft designs and their systems are subject to a full and thorough risk assessment and suite of technical assessments.

Trey Ford, global security strategist at Rapid7, told SC that a simple review of message validation and workflows around questionable or suspected manipulated communications would effectively manage this.

“The workflows already exist, but not with an expectation of malice as much as failed equipment,” he said.

Carl Herberger, who looks after security solutions for Radware, used to be in the US Air Force and was an Electric Warfare Officer on B52 bombers. He told SC that an attack on airplanes was “absolutely possible”.

“It’s long been recognised that hackers can get access to the Aircraft Communications Addressing and Reporting System (ACARS). In fact, in 2013 it was proved that the ACARS could be intercepted and hackers could sabotage this communication channel via a purpose-built Android app. It’s possible because this system does not have any real authentication features nor prevention of spoofed commands build in,” he said.

He added that Boeing warned the US government about it with regards to its Boeing 777 when it was seeking certificates for airworthiness. It said at the time that the way the on-board network is designed doesn’t allow for cyber-security, added Herberger.

“Security professionals have long understood the threat that embedded systems create for modern day critical infrastructure – the airline industry is no different. There needs to be collaboration between the industry, security experts, aviation authorities and governments to test and protect these systems but above all drive best practice for detecting and mitigating attacks into the engineering, to ensure public safety is built in well before the plane has left the drawing board,” said Herberger.



There is an IATA webpage devoted to Cyber Security

Aviation Cyber Security Toolkit – 2nd edition – July 2015

It says:

Your toolkit to counter the threat of cyber security in aviation

The aviation industry relies on computer systems extensively in its ground and flight operations. The security of the airline systems can directly impact the operational safety and efficiency of the industry, and indirectly impact the service, reputation and financial health of the industry.

The application is available on CD or as a web download, and offers:

  • structured analysis tool to help identify, assess & mitigate risk
  • practical guidance material
  • complementary access to 17 training videos (2-5 mintues each) covering all aspects of IT Security
  • information reviewed by industry experts

It is a secure site, not available to the public.




NextGen aircraft cockpit avionics vulnerable to cyber attack from passenger inflight entertainment

A United States watchdog is warning that NextGen avionics could render the cockpit vulnerable to cyber attack.

A new report by the nation’s Government Accountability Office (GAO) reckons that because modern aircraft are increasingly connected to the Internet, this interconnectedness could allow a terrorist to hack into flight-critical avionics systems from the back of the cabin.

“Aircraft information systems consist of avionics systems used for flight and in-flight entertainment. Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack,” it noted.

However, according to the FAA itself and several experts the GAO consulted, firewalls which should now protect flight-critical avionics systems from intrusion by passengers using in-flight entertainment could be hacked just like any other software and circumvented as they basically share the same physical wiring harness or router and use the same networking platform.

“According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” it warned.

“the internet must be considered a direct link between the aircraft and the outside world”

Attacks could be waged via onboard wireless broadband systems where a virus or malware embedded maliciously in the websites operating those systems could provide a terrorist with an opportunity.

It found that even a pilot’s personal smart phone and tablet could pose a risk of a system being compromised because these devices have the capability to transmit information to aircraft avionics systems.

More worryingly, the rules governing the FAA’s aircraft-airworthiness certification do not currently include safeguards to protect against cyber security. The FAA does however issue rules with limited scope, called Special Conditions, to aircraft manufacturers where  interconnectivity could present cyber security risks.

The GAO said that the aviation agency views these conditions as an integral part of the certification process, with which to address the risks associated with the increased connectivity among aircraft cockpit and cabin systems such as the Boeing 787 and Airbus A350.

FAA officials told the GAO that it would support bringing together all the research supporting cyber security-related Special Conditions to support new rules which would offer more certainty for it as a certification organisation.

Another principal cyber security challenge isprotecting air traffic control information systems.

A January report by the Government Accountability Office watchdog noted that even though the aviation agency has taken steps to protect its ATC systems from cyber-based threats, significant security-control weaknesses still threaten the safe and uninterrupted operation of the national airspace system.

While the FAA has agreed to address these weaknesses, the GAO found that, nevertheless, the FAA will continue to be challenged in protecting ATC systems because it has yet to  develop a cyber security threat model.

One solution would be to conduct modeling to identify potential threats to information systems, and as a basis for aligning cyber security efforts and limited resources.

“While the FAA has taken some steps toward developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so.”

Without such a model, the watchdog said it feared that the FAA may not be allocating resources properly to guard against the most significant cyber security threats.




FBI: Computer expert briefly made plane fly sideways

Elizabeth Weise (CNBC)
17 May 2015

SAN FRANCISCO — A computer security expert hacked into a plane’s in-flight entertainment system and made it briefly fly sideways by telling one of the engines to go into climb mode.

Chris Roberts of One World Labs in Denver was flying on the plane at the time it turned sideways, according to an FBI search warrant filed in April.

The warrant was first publicized on Friday by APTN, a Canadian News Service.

Roberts told the FBI he had hacked into planes “15 to 20 times,” according to court documents first made public Friday.

Read MoreFrench broadcaster says victim of Islamist hacking

Roberts first made news in April when he was told he couldn’t fly on United Airlines because of tweets he had made about whether he could hack into the flight’s onboard computer settings.

The FBI search warrant describes him doing just that.

According to the document, in an interview on Feb. 13, 2015, Roberts told agents he had hacked into in-flight entertainment centers on Boeing 737s, 757s and Airbus A-320 aircraft “15 to 20 times.”

…… and it continues ……..



The Dinosaurs Of Cybersecurity Are Planes, Power Grids And Hospitals

Jul 10, 2015
by Wesley Wineberg (Tech Crunch)


As we continue down the path toward complete connectivity — in which all devices, appliances and networks connect to each other and the Internet — it is evident that much of our longstanding technology can no longer keep up.

And it’s not an issue affecting only tech companies and web-connected devices, it’s affecting systems and infrastructures that most would expect to be the safest in the world. Even airplanes are at risk, and the recent breach of the Office of Personnel Management demonstrates that government networks can be breached as easily as those in the private sector.

Even though recent incidents may have been a surprise to the general public, it wasn’t for my team or me. The only surprise is that we are not hearing about these attacks more often. It’s no secret that companies are hacked way more often than they report (or even realize). These systems have always been vulnerable; it is only now, when “cybersecurity” has become top-of-mind for leadership in government and enterprises alike, that the incidents happening every day are garnering broader awareness.
Airplanes are a great example of this last point. Until recently, the average person would not even consider that “hacking” an airplane was possible. Yet, when Chris Roberts (see above) ended up in the news for making a plane fly sideways (or so the FBI seems to claim), security researchers began to examine all the ways someone might actually be able to interface with aircraft systems.

Companies are saving time and money by using off-the-shelf solutions, but they aren’t investing in proper security measures.

Airplanes increasingly have satellite or cellular communications links to the ground, and there is a rapidly growing trend of airlines offering some form of in-flight Wi-Fi, whether for access to the Internet or general in-flight entertainment systems. While it remains to be seen whether any of those communications paths could actually result in a successful attack on critical flight systems, they are all possible attack vectors that did not exist even a few years ago.

Moreover, almost all of the avionics systems connected in these communications paths run a combination of off-the-shelf and proprietary software. Like industrial or medical systems, patches are rarely made available and, when they are, it can take months or years until they are applied. It is only a matter of time until we start finding malware at 30,000 feet.

……… and it continues …..