Cyber Defense Advisors

Greatest cyber threats to aircraft come from the ground

How vulnerable are commercial airliners to cybersecurity breaches? It depends on what part of their IT systems you’re talking about. The avionics equipment that runs the aircraft is quite resistant to hacking, although not bulletproof. However, the inflight internet access systems that connect passengers to the web are as vulnerable as any ground-based network to hackers.

Why avionics are hard, but not impossible, to hack

Avionics encompasses all “the instrumentation, telemetry, and communications systems used by pilots and flight crew on aircraft,” says Patrick Kiley, principal security consultant for Rapid7. In modern aircraft where these units are computer-controlled, they are networked and connected to the ground to deliver regular system monitoring reports. This allows airlines to detect problems as soon as they occur and deal with them effectively with minimal impact on flight schedules.

Compared to in-flight internet access systems, networked avionics are harder to hack. This is due to their architecture (avionics networks are not connected to the web), the limited functions they perform, and their generally closed operating environments. Hacking is still possible, as Kiley himself provided in a 2019 Rapid7 research paper entitled, Investigating CAN Bus Network Integrity in Avionics Systems.

“Modern aircraft use a network of electronics to translate signals from the various sensors and place this data onto a network to be interpreted by the appropriate instruments and displayed to the pilot,” Kiley wrote. When this physical network (the “vehicle bus”) is combined with a common communications standard called “Controller Area Network” (CAN), it creates the “CAN bus,” which serves as the aircraft’s central nervous system.

“After performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to these systems, given some level of physical access to a small aircraft’s wiring,” Kiley wrote. “Such an attacker could attach a device — or co-opt an existing attached device — to an avionics CAN bus in order to inject false measurements and communicate them to the pilot.” Such false measurements could include incorrect engine telemetry readings; incorrect compass and attitude data; and incorrect altitude, airspeed, and angle of attack (AoA) information.

“A pilot relying on these instrument readings would not be able to tell the difference between false data and legitimate readings, so this could result in an emergency landing or a catastrophic loss of control of an affected aircraft,” wrote Kiley. This being said, “we want to emphasize that this attack requires physical access, something that is highly regulated and controlled in the aviation sector.”

“Avionics systems have a limited surface area to attack remotely purely by the nature of the architecture.” Kiley tells CSO. “Avionics systems do go through extensive review by both the manufacturer, industry and the FAA, but these reviews do not exclusively focus on security but are heavily focused on safety.”

Enhancing safety is why modern aircraft avionics systems are so heavily networked. But this trend has not kept pace with the need for enhanced cybersecurity, warns the Thales Group in a blog post. “The aviation industry has reaped the benefits of digitization over the past ten years, but this has also triggered new risks, including social and technical vulnerabilities that had never previously been addressed,” it said.

However, Sean Reilly, VP of air transport management and digital solutions at the ground-to-aircraft broadband service provider SmartSky Networks, disagrees with this negative assessment. “Security protocol on avionics is actually very, very stringent,” says Reilly. To bypass it, a hacker would need to understand the fundamentals of an ARINC 429 bus, which is basically an aircraft’s main data bus, plus insider knowledge of what’s actually inside “the software layer on top of that piece of avionics and be able to tie into” it, he explains. “It’s not just something you can go in and grab at the end of the day.”

Why inflight internet access could be a problem

Ask cybersecurity experts about known hacks of commercial aircraft, and chances are they’ll cite white hat hacker Chris Roberts. According to a 2015 article on Wired.com, “Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight.”

An FBI affidavit filed by Special Agent Mark S. Hurley in support of the Bureau’s seizure of Roberts’ iPad, MacBook Pro, and various storage media stated that Roberts had hacked into various commercial aircraft’s IFE systems by opening up the seat electronic boxes under the seat and connecting his laptop to them using a CAT6 cable.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command,” said the FBI affidavit. “He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways moment of the plane.” In fairness to Roberts, the 15-20 IFE hacks he performed while flying on selected Airbus and Boeing aircraft between 2011 and 2014 were done “because he would like the vulnerabilities to be fixed,” the FBI affidavit says.

In line with Kiley’s earlier statement, Roberts had to do this hack by physically connecting to the aircraft’s internal network. Thanks to the development of digitally integrated, web-connected aircraft like the Boeing 787 Dreamliner, this is no longer the case. Based on a presentation/paper at BlackHat USA 2019 by Ruben Santamarta, then principal security consultant at IOActive, it is now possible “to effectively reach the avionics network on a commercial airplane from either non-critical domains, such as passenger information and entertainment services, or even external networks.” (Boeing has disputed Santamarta’s findings.)

From a CISO’s perspective, what matters is not that a specific security vulnerability was found in a particular model of aircraft, but rather the general idea that modern aircraft with interconnected IT networks could potentially allow intrusions into high security avionics equipment from low security passenger internet access systems.

This being the case, the time has come for all onboard aircraft systems — including avionics — to be regarded as being vulnerable to cyberattacks. As such, the security procedures for protecting them should be as thorough and in-depth “as any other internet-connected device,” Kiley says. “The disclosure I did in 2019 was the first major one that involved the industry, the airlines, and the US government cooperating to ensure that the disclosure was done responsibly and following security industry best practices. This should be a model for how to alert the industry of an issue responsibly.”

Unfortunately, “Many manufacturers in the aviation industry do not understand how to work with security researchers and instead attempt to stifle research by threatening action instead of working together to solve identified issues,” observes Kiley. This is a counterproductive response to cyber threats, at a time when everyone in the industry is a potential target. After all, “Even the US military has had its autonomous aircraft hacked by adversaries,” he says.

Aerospace and Defense Industry, Threat and Vulnerability Management