US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree

[Reefa]

A new report from the U.S. Government Accountability Office (GAO) warns that in-flight W-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and compromise them. However, other experts disagree and call the report “deceiving.”

The report states that the threat comes in two forms. The first is an intrusion into the avionics systems by passengers using in-flight Wi-Fi, a threat that is compounded by the ubiquity of smartphones and tablets.

The report stated, “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems.”

Another threat comes from remote hackers. Since aircraft use IP networks like other communications hubs, there is a potential route into the system for hackers able to install malware on passenger’s devices without their knowledge. The report stated, “One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.”

However, some experts strongly disagree with this assessment. Dr. Phil Polstra, a pilot and professor of digital forensics at Bloomberg University, said, “To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breath air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane.”

In-flight entertainment systems work through a Network Extension Device (NED) rather than a router, so even if someone were trying to communicate with avionics systems, the system would not be able to “read” the communications.

So far there has been no known real-world instance of an airplane being hacked. However, in 2013 cybersecurity consultant Hugo Taso demonstrated a remote attack on a virtual air control system by using a radio transmitter, flight code software and an app named PlaneSploit that he designed for his Android smartphone.

http://www.batblue.com/us-report-claims-in-flight-entertainment-leaves-planes-open-to-cyberattacks-others-disagree/

[humble3d]

And people don't believe USaf Jets can be operated by remote control... :lol:

The U.S. Air Force is using remote-controlled F-16 fighter jets as targets in simulated weapons testing.

Our future seems fraught with all manner of strange new things...

Take for example only one: USAF jets fly with remote control... :wtf: :lol:

F-16 fighter jet flies with empty cockpit

http://www.cnn.com/videos/us/2015/04/03/f-16-remote-controlled-fighter-jet-qf--16-orig.cnn-boeing

http://z.cdn.turner.com/xslo/cvp/assets/video/blank.mp4

Modern aircraft could be hacked via onboard WiFi systems

Modern aircraft with onboard WiFi systems face the very real threat that they could be hacked, according to a report by the US government.

The US Government Accountability Office (GAO) conducted an in-depth report into the threats posed by cyber attacks as the Federal Aviation Authority (FAA) transitions to a new system for monitoring and communicating with aircraft, called

Next-Generation Air Transportation System (NextGen).

The GAO noted that, while NextGen will bring many benefits, such as improved communication channels between aircraft and ground control systems, it will also require systems to be upgraded.

“The shift to NextGen technologies will require the FAA to replace its proprietary, relatively isolated ATC [air traffic control] computer systems with information systems that interoperate and share data throughout the FAA’s operations and those of its aviation partners,” the report said.

As a result of this shift the GAO warned that there will be increased exposure of these systems to outside threats.

“New networking technologies connecting the FAA’s ATC information systems expose these systems to new cyber security risks, potentially increasing opportunities for systems to be compromised and damaged,” it said.

“Such damage could stem from attackers seeking to gain access to and move among information systems, and from trusted users of the systems, such as controllers or pilots, who might inadvertently cause harm.”

These threats are not limited to ground systems. The GAO report said that modern aircraft that have the ability to access the internet through onboard WiFi systems face the very real threat of being hacked.

“FAA officials and cyber security and aviation experts we spoke to said that increasingly passengers in the cabin can access the internet via onboard wireless broadband systems,” said the report.

“Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors."

Furthermore, while aircraft have firewalls fitted to stop communications from passenger systems infiltrating the cockpit, these protections can never be considered 100 percent effective.

"Four cyber security experts with whom we spoke discussed firewall vulnerabilities, and all four said that, because firewalls are software components, they could be hacked like any other software and circumvented," the report said.

"The experts said that if the cabin systems connect to the cockpit avionics systems (e.g. share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin."

The image below shows the standard setup for wiring and internet connectivity services in modern aircraft.

The GAO said in response that, while it acknowledges that the FAA is taking the issue of cyber security seriously, potential gaps remain.

"The FAA has taken steps to protect its ATC systems from cyber-based threats. However, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system," it said.

"The FAA has agreed to address these weaknesses. Nevertheless, the FAA will continue to be challenged in protecting ATC systems because it has not developed a cyber security threat model."

Furthermore, the GAO report noted with concern that, despite being alerted to this, the FAA is not addressing the situation adequately.

"While the FAA has taken some steps towards developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so," it said.

"Without such a model, the FAA may not be allocating resources properly to guard against the most significant cyber security threats."

V3 contacted the FAA for its response to the report but had received no reply at the time of publication.

CNN reported that Keith Washington, acting assistant secretary for administration at the FAA, said in a draft letter to the GAO that the organisation is taking all necessary steps to protect itself and its system from cyber threats.

"[The FAA] recognises that cyber-based threats to federal information systems are becoming a more significant risk and are rapidly evolving and increasingly difficult to detect and defend against," he said.

"It is also important to note that the FAA had already initiated a comprehensive programme to improve the cyber security defences of the National Airspace System infrastructure, as well as other FAA mission-critical systems."

The threat posed by online systems was underlined recently in another major area, after the US CERT revealed that it had been called in to assess 245 incidents of hacks on industrial control systems across the US over a single year.

http://www.v3.co.uk/v3-uk/news/2404323/modern-aircraft-could-be-hacked-via-onboard-wifi-systems