A group of security researchers from private industry, universities, and the Department of Homeland Security (DHS) was able to successfully hack a Boeing 757 remotely in a non-laboratory setting. The test was done last year but was only recently made public at the 2017 CyberSat Summit in Virginia.
Radio Frequency Hack
Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, said that the researchers were able to access the aircraft’s systems through radio frequency communications:
“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Hickey at the CyberSat Summit.
“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft,” he added.
Perhaps the scariest part about this hack was that it took the researchers only two days to come up with it. The DHS seems to have become interested in the attack when a hacker claimed to have been able to take over a plane’s engine controls while in flight, back in 2015. In the same year, the Government Accountability Office warned about "potential malicious actors" accessing an airliner's Wi-Fi network.
The DHS told Tom’s Hardware that Hickey’s comments “lacked some important context.” According to the DHS, even though the test was not done in a laboratory setting, it was done in an artificial testing environment that had “risk reduction measures” in place. In translation, that means it wasn’t tested under a real-world scenario.
However, this doesn’t necessarily mean that this particular hack couldn’t happen in a real-world scenario, just that the hack hasn’t yet been tested in one.
When we contacted Boeing, the company outright denied that its 757 suffers from any cybersecurity vulnerability:
The Boeing Company has worked closely for many years with DHS, the FAA, other government agencies, our suppliers and customers to ensure the cybersecurity of our aircraft and will continue to do so.
Boeing observed the test referenced in the Aviation Today article, and we were briefed on the results. We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.
Boeing is confident in the cyber-security measures of its airplanes. Multiple layers of protection, including software, hardware, network architecture features, and governance are designed to ensure the security of all critical flight systems from intrusion.
Boeing’s cyber-security measures have been subjected to rigorous testing, including through the FAA’s certification process, and our airplanes meet or exceed all applicable regulatory standards.
Thus, Boeing denies there is any vulnerability in its planes, and the details of the test remain classified. Until they are made public, we can’t know for sure how likely the tested hack is to happen in a real-world scenario.
High Cost To Fix Airplane Bugs
Hickey noted at the CyberSat Summit that it’s almost prohibitively expensive for airline companies to patch their planes’ systems. According to him, changing one line of code across their planes costs $1 million and takes a year to implement.
The good news is that the Boeing 757 plane has not been in production since 2004. The bad news is that legacy aircraft from both Boeing and Airbus, which include the Boeing 757, make up more than 90% of the commercial planes that are still in use today.
It’s only newer planes such as the Boeing 787 and Airbus A350 that have been designed with security in mind. However, the Boeing 787 may have issues of its own, as two Cambridge experts discovered a “back door” in the plane's chip five years ago. They warned that this could allow attackers to take over the planes.
As a general rule of thumb in security, the more connected a device is, the more likely it is that it will be hacked. Connecting something to the internet gives attackers from all over the world the opportunity to access systems that they wouldn’t be able to reach without that connection.
It’s probably now time for airplane companies to start taking software security more seriously, especially because it costs so much to fix a mistake after the planes are already out there and in use. Additionally, not all future research will be hidden behind security classification, so sooner or later they will have to tackle their security issues in public, too.