“As long as there is a physical path that connects both domains, we can't discard a potential attack.” That’s the conclusion of Ruben Santamarta, Principal Security Consultant at IOActive, a global information security services firm based in Seattle, Washington, US and London, UK. “Avionics should be located in the aircraft control domain, which ideally would be physically isolated from the passenger domains, but this is not always happening,” he told me.
Santamarta raised an alarm last year at the Black Hat USA computer security conference that the design of satellite communications (SATCOM) equipment from several vendors “allowed unauthenticated users to hack into the SATCOM equipment when it is accessible through WiFi or In-Flight Entertainment networks.”
Hugo Teso Torio, a former commercial airline pilot who now works for Danish company nSense focusing on network vulnerability assessment, raised the spectre of aircraft interference in dramatic fashion in 2013 at the Hack in the Box conference in Amsterdam, the Netherlands. Teso Torio claimed he had successfully simulated a method for taking control of an airplane remotely, from the ground, creating a smartphone app called PlaneSploit.
As early as 2010, at the BSides hacker gathering in Las Vegas, One World Labs co-founder Chris Roberts described a method for accessing an aircraft’s flight control systems by tapping into any of the in-flight entertainment (IFE) equipment boxes found under seats in the passenger cabin.
Such presentations generally receive little attention outside the niche domain of information technology insiders. That is, until the US Federal Bureau of Investigation (FBI) issued a warrant for Roberts, alleging that he had indeed taken control of an unidentified scheduled flight and caused it to “fly sideways.”
Roberts claims his interest in experimental hacks of aircraft systems is purely to make air travel safer by encouraging aircraft manufacturers, airlines, and regulators to close system gaps which could be exploited by terrorists. “We had conversations with two main airplane builders as well as with two of the top providers of infotainment systems and it never went anywhere,” he has stated. Roberts reportedly identified exploitable weaknesses in Boeing 737-800, 737-900, 757-200, and Airbus A320 models.
Airbus and Boeing both categorically deny that their aircraft systems are susceptible to unauthorized access. Boeing has stated: “No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”
Similarly, Airbus spokesperson Mary Anne Greczyn said: “Airbus has robust systems and procedures in place for our aircraft and their operations to ensure security against potential cyberattacks.”
It’s one thing for hackers to claim discovery of a hitherto unknown bug. But earlier this year, the independent US Government Accountability Office (GAO) legitimized the concerns, issuing a caveated report that concluded, yes, modern communications technologies used in aircraft create “the possibility that unauthorized individuals might access and compromise aircraft avionics systems.”
And in December, five major international aviation organizations – the International Civil Aviation Organization (ICAO), Airports Council International (ACI), the Civil Air Navigation Services Organisation (CANSO), the International Air Transport Association (IATA), and the International Coordinating Council of Aerospace Industry Associations (ICCAIA) – agreed on a common roadmap to align their respective actions against ‘hacktivists’, cyber criminals, and terrorists “focused on malicious intent ranging from the theft of information and general disruption to potential loss of life.”
“As technologies rapidly evolve and become more readily accessible to all, cyber threats cannot be ignored,” stressed ICAO Secretary General Raymond Benjamin, who is retiring this summer. “This is an important new area of aviation security concern and our global community will ensure that it is met with a strong level of commitment and response.”
A Little Bird Told Me
It’s ironic that the US Federal Aviation Administration (FAA) and other regulatory agencies worldwide have recently relaxed the restrictions on the use of mobile phones, computers, and other electronic devices during a flight. The GAO investigators said it is theoretically possible for someone with an ordinary laptop to commandeer the aircraft, inject a virus into flight control computers, jeopardize the safety of the flight by taking control of computers, or take over the warning systems or even navigation systems.
Based on interviews with security experts, the GAO explained, “If the cabin systems connect to the cockpit avionics systems (e.g. share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.” Gerald Dillingham, Director of Civil Aviation Issues at the GAO and one of the authors of the report, said modern aircraft such as the Boeing 787, Airbus A350, and A380 all have advanced cockpits that are wired into the same Wi-Fi system used by passengers.
Santamarta told CAT: “The ability to cross the red line between passenger entertainment and owned domains and the aircraft control domain heavily relies on the specific devices, software, and configuration deployed on the target aircraft. Under my point of view, one of the main concerns is the communication devices, such as those used for SATCOM, which are shared between different data domains. Therefore, this equipment might be used to pivot from IFE to certain avionics.”
The GAO report said a hacker would have to bypass the firewall that separates the Wi-Fi from the rest of the plane's electronics. However, their cybersecurity experts suggested “because firewalls are software components, they could be hacked like any other software and circumvented.”
Roberts claims to have accessed IFE systems between 15 and 30 times during actual flights from 2011-14 by removing the cover of a Seat Electronic Box (SEB) underneath a passenger seat, then physically connecting a Cat6 ethernet cable.
On April 15 this year, Roberts, using the Twitter name Sidragon1, was on a United Airlines domestic flight from Chicago when he posted a tweet which was probably meant as a joke but which the airline and the authorities interpreted with alarm. Roberts tweeted: “Find myself on a 737/800, let’s see Box-IFE-ICE-SATCOM? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone?” Then he added a smiley face icon.
Roberts did not access the Engine Indicator Crew Alert System nor deploy the passenger oxygen masks, he told the FBI, who greeted the plane and escorted him off when the flight landed in Syracuse, New York. They interviewed him for four hours and confiscated his MacBook Pro, iPad, three hard drives, and six USB thumb drives.
It wasn’t the first time the Denver, Colorado hacker had discussions with the Feds. They had met in February and March, and Roberts described the process to commandeer an aircraft’s thrust management computer to issue a “climb command” and “caused one of the airplane engines to climb resulting in a lateral movement or sideways movement of the plane.”
After the FBI warrant was issued, Roberts insisted he was misunderstood, that the “flying sideways” hack he had described to law enforcement was a simulation, not a real flight. “One paragraph out of multiple meetings … totally taken out of context and misinterpreted.” As this is written, no formal charges have been filed. However, the FBI and US Transportation Security Administration (TSA) issued a warning to all airlines to be on the lookout for passengers attempting to hack into onboard networks through Wi-Fi or the media systems below airplane seats.
Since the Twitter tempest, a report has surfaced that in 2012 Roberts told the GrrCON conference he had altered the temperature aboard the International Space Station by accessing NASA’s communication controls.
Computer security experts and pseudo-experts are expressing mixed opinions about whether Roberts actually did or could do what he and the FBI claim he did. “Scenarios described by Roberts' claims cannot be completely discarded but they have to be carefully examined,” Santamarta said. There’s almost universal agreement, however, that the sarcastic tweet was not a smart send.
Roberts won’t be posting again via United’s WiFi anytime soon. When he attempted to board one of the airline’s flights to San Francisco in May, he was denied. Spokesman Rahsaan Johnson said, “Given Mr. Roberts' claims regarding manipulating aircraft systems, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United.” Even though, Johnson added, “We are confident our flight control systems could not be accessed through techniques he described.”
Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, which represents Roberts, said, “We hope that United learns that computer security researchers are a vital ally, not a threat.”
Coincidentally, about the time Roberts was declared persona non grata, United claims to have become the first airline to offer a “bug bounty” program, offering frequent flyer mile rewards for finding vulnerabilities in its systems (though not flaws in “onboard Wi-Fi, entertainment systems or avionics”).
Softness in the Software
The underlying issue is that “we’re not very good at software development,” according to Berni Reiter, a pioneer in the field of object-oriented programming tools and a member of the A-lister group of technologists known as the Phoenix Global Consortium. “The software has been cobbled together and carried forward over several decades. There’s a lot of software that goes into a 787 because it also contains the 777 and the 767.”
“From the software side of things, it’s very, very fragile. It’s got too many lines of code.”
The FAA recently issued a warning and maintenance order over a software bug that could cause a complete electric shutdown of Boeing’s 787 and potentially “loss of control” of the aircraft. “If the four main generator control units (associated with the engine-mounted generators) were powered up at the same time, after 248 days of continuous power, all four GCUs will go into failsafe mode at the same time, resulting in a loss of all AC electrical power regardless of flight phase,” according to the directive.
“If we don’t address the issue of software post-haste,” warns Reiter, “people are not going to want to fly.” She advocates changing underlying software architectures to “a more layered approach, like nested Russian dolls” and moving away from standard protocols such as TCP/IP. She also would “avoid publishing anything. If you don’t make it public domain, you can secure it down.”
The power-down issue, of course, is not the Dreamliner’s first hiccup and the GAO report was not its first security flag. In 2007, Ali Bahrami, FAA Manager, Transport Airplane Directorate, Aircraft Certification Service, issued a “special condition” for the Boeing 787-8 type certification: “The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.” In one of the comments to the special condition, rival Airbus expressed that “demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly.”
In 2013, the FAA issued another security change request for the Boeing 777, and a year ago another special conditions filing addressed the 737 line, acknowledging, “The architecture and network configuration may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems, and networks critical to the safety and maintenance of the airplane.”
Reiter said, “I told Boeing over 15 years ago about the vulnerabilities of co-mingling the automation of the avionics and the cabin services such as entertainment.”
“Airlines cannot rely on reactive solutions to detect attacks. The best way to avoid live attacks during a flight is to analyze the security posture of the aircraft on the ground,” Santamarta encouraged. “It is better to approach this kind of potential attack from a proactive manner, instead of waiting until something happens.”
“However,” he added, “we should not think airplanes are going to start falling down from the sky if someone just presses a key on their laptop. Aircraft rely on redundancy to operate safely; it's not that easy.”
Dr. David Stupples and researchers at aviation university Cranfield in the UK are attempting to develop a network architecture that would prevent such hack attacks. The system would recognize dangerous malware, then “reconfigure” the aircraft around the malware to “out-maneuver the bad guys.” Stupples emphasized: “We have to address the problem completely differently. We need to look at architectures that can survive a malware attack.”