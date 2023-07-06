How vulnerable are commercial airliners to cybersecurity breaches? It depends on what part of their IT systems you're talking about. The avionics equipment that runs the aircraft is quite resistant to hacking, although not bulletproof. However, the inflight internet access systems that connect passengers to the web are as vulnerable as any ground-based network to hackers.

Why avionics are hard, but not impossible, to hack

Avionics encompasses all "the instrumentation, telemetry, and communications systems used by pilots and flight crew on aircraft," says Patrick Kiley, principal security consultant for Rapid7. In modern aircraft where these units are computer-controlled, they are networked and connected to the ground to deliver regular system monitoring reports. This allows airlines to detect problems as soon as they occur and deal with them effectively with minimal impact on flight schedules.

Compared to in-flight internet access systems, networked avionics are harder to hack. This is due to their architecture (avionics networks are not connected to the web), the limited functions they perform, and their generally closed operating environments. Hacking is still possible, as Kiley himself provided in a 2019 Rapid7 research paper entitled, Investigating CAN Bus Network Integrity in Avionics Systems.

"Modern aircraft use a network of electronics to translate signals from the various sensors and place this data onto a network to be interpreted by the appropriate instruments and displayed to the pilot," Kiley wrote. When this physical network (the "vehicle bus") is combined with a common communications standard called "Controller Area Network" (CAN), it creates the "CAN bus," which serves as the aircraft's central nervous system.

"After performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to these systems, given some level of physical access to a small aircraft's wiring," Kiley wrote. "Such an attacker could attach a device -- or co-opt an existing attached device -- to an avionics CAN bus in order to inject false measurements and communicate them to the pilot." Such false measurements could include incorrect engine telemetry readings; incorrect compass and attitude data; and incorrect altitude, airspeed, and angle of attack (AoA) information.

"A pilot relying on these instrument readings would not be able to tell the difference between false data and legitimate readings, so this could result in an emergency landing or a catastrophic loss of control of an affected aircraft," wrote Kiley. This being said, "we want to emphasize that this attack requires physical access, something that is highly regulated and controlled in the aviation sector."