Date: 2023-07-06

How vulnerable are commercial airliners to cybersecurity breaches? It depends on what part of their IT systems you’re talking about. The avionics equipment that runs the aircraft is quite resistant to hacking, although not bulletproof. However, the inflight internet access systems that connect passengers to the web are as vulnerable as any ground-based network to hackers.

Why avionics are hard, but not impossible, to hack

Avionics encompasses all “the instrumentation, telemetry, and communications systems used by pilots and flight crew on aircraft,” says Patrick Kiley, principal security consultant for Rapid7. In modern aircraft where these units are computer-controlled, they are networked and connected to the ground to deliver regular system monitoring reports. This allows airlines to detect problems as soon as they occur and deal with them effectively with minimal impact on flight schedules.

Compared to in-flight internet access systems, networked avionics are harder to hack. This is due to their architecture (avionics networks are not connected to the web), the limited functions they perform, and their generally closed operating environments. Hacking is still possible, as Kiley himself showed in a 2019 Rapid7 research paper titled Investigating CAN Bus Network Integrity in Avionics Systems.

“Modern aircraft use a network of electronics to translate signals from the various sensors and place this data onto a network to be interpreted by the appropriate instruments and displayed to the pilot,” Kiley wrote.
When this physical network (the “vehicle bus”) is combined with a common communications standard called “Controller Area Network” (CAN), it creates the “CAN bus,” which serves as the aircraft’s central nervous system.

“After performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to these systems, given some level of physical access to a small aircraft’s wiring,” Kiley wrote. “Such an attacker could attach a device — or co-opt an existing attached device — to an avionics CAN bus in order to inject false measurements and communicate them to the pilot.” Such false measurements could include incorrect engine telemetry readings; incorrect compass and attitude data; and incorrect altitude, airspeed, and angle of attack (AoA) information.

“A pilot relying on these instrument readings would not be able to tell the difference between false data and legitimate readings, so this could result in an emergency landing or a catastrophic loss of control of an affected aircraft,” wrote Kiley. This being said, “we want to emphasize that this attack requires physical access, something that is highly regulated and controlled in the aviation sector.”

“Avionics systems have a limited surface area to attack remotely purely by the nature of the architecture,” Kiley tells CSO. “Avionics systems do go through extensive review by both the manufacturer, industry and the FAA, but these reviews do not exclusively focus on security but are heavily focused on safety.”

Enhancing safety is why modern aircraft avionics systems are so heavily networked. But this trend has not kept pace with the need for enhanced cybersecurity, warns the Thales Group in a blog post.
“The aviation industry has reaped the benefits of digitization over the past ten years, but this has also triggered new risks, including social and technical vulnerabilities that had never previously been addressed,” it said.

However, Sean Reilly, VP of air transport management and digital solutions at the ground-to-aircraft broadband service provider SmartSky Networks, disagrees with this negative assessment. “Security protocol on avionics is actually very, very stringent,” says Reilly. To bypass it, a hacker would need to understand the fundamentals of an ARINC 429 bus, which is basically an aircraft’s main data bus, plus have insider knowledge of what’s actually inside “the software layer on top of that piece of avionics and be able to tie into” it, he explains. “It's not just something you can go in and grab at the end of the day.”

Why inflight internet access could be a problem

Ask cybersecurity experts about known hacks of commercial aircraft, and chances are they’ll cite white hat hacker Chris Roberts. According to a 2015 article on Wired.com, “Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane's Thrust Management Computer while aboard the flight.”

An FBI affidavit filed by Special Agent Mark S. Hurley in support of the Bureau's seizure of Roberts’ iPad, MacBook Pro, and various storage media stated that Roberts had hacked into various commercial aircraft’s IFE systems by opening up the seat electronic boxes under the seat and connecting his laptop to them using a CAT6 cable.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command,” said the FBI affidavit.
“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane.” In fairness to Roberts, the 15-20 IFE hacks he performed while flying on selected Airbus and Boeing aircraft between 2011 and 2014 were done “because he would like the vulnerabilities to be fixed,” the FBI affidavit says.

In line with Kiley’s earlier statement, Roberts had to do this hack by physically connecting to the aircraft’s internal network. Thanks to the development of digitally integrated, web-connected aircraft like the Boeing 787 Dreamliner, this is no longer the case. Based on a presentation/paper at Black Hat USA 2019 by Ruben Santamarta, then principal security consultant at IOActive, it is now possible “to effectively reach the avionics network on a commercial airplane from either non-critical domains, such as passenger information and entertainment services, or even external networks.” (Boeing has disputed Santamarta’s findings.)

From a CISO’s perspective, what matters is not that a specific security vulnerability was found in a particular model of aircraft, but rather the general idea that modern aircraft with interconnected IT networks could potentially allow intrusions into high-security avionics equipment from low-security passenger internet access systems.

This being the case, the time has come for all onboard aircraft systems — including avionics — to be regarded as being vulnerable to cyberattacks. As such, the security procedures for protecting them should be as thorough and in-depth “as any other internet-connected device,” Kiley says. “The disclosure I did in 2019 was the first major one that involved the industry, the airlines, and the US government cooperating to ensure that the disclosure was done responsibly and following security industry best practices.
This should be a model for how to alert the industry of an issue responsibly.”

Unfortunately, “Many manufacturers in the aviation industry do not understand how to work with security researchers and instead attempt to stifle research by threatening action instead of working together to solve identified issues,” observes Kiley. This is a counterproductive response to cyber threats, at a time when everyone in the industry is a potential target. After all, “Even the US military has had its autonomous aircraft hacked by adversaries,” he says.