GAO: Newer aircraft vulnerable to hacking
#1
http://www.cnn.com//2015/04/14/polit...ing/index.html
It was only a matter of time...
#2
Prime Minister/Moderator

Joined: Jan 2006
Posts: 45,215
Likes: 819
From: Engines Turn or People Swim
Old news. Theoretically possible but highly unlikely that the bad guys have the skill.
Still, they should isolate critical systems except for software updates. Even those should probably be limited to physical data link only. Two ways in...through normal updates process, or by "jumping" from external data link into other parts of the software.
#5
Prime Minister/Moderator

Joined: Jan 2006
Posts: 45,215
Likes: 819
From: Engines Turn or People Swim
To make something truly secure (if that's even possible) would necessitate that it be built that way from the ground up at the hardware level, and very few systems are. Typically security is a "perimeter" approach...once you get inside the perimeter you can do anything you want, limited only by skill and time.
Problem is, everything today is "update-able"...which means there is a mechanism to change the code, including the kernel. If you used non-changeable read-only memory for critical code, that would make it much more secure but of course updates would require a new chip vice a wifi download.
The "usual suspects" are not going to be doing this kind of stuff...it would require someone who was previously a key participant in the design of the system, or a government agency. Highly unlikely for the former, but you cannot absolutely rule out the possibility that certain rogue governments might develop such a capability. Have no doubt, they have the resources if they want it badly enough.
#6
Forget the aircraft, get into the TERPS databases before they get into the FMS and tablets. Alter the DA/MDA, nav freqs, final approach course, etc. May be caught quickly at bigger airports and not affect heavies, but it could take out a bunch of regionals, 135s, and 91 at non radar fields before being identified.
#7
New Hire
Joined: Apr 2015
Posts: 2
Likes: 0
Washington (CNN) Hundreds of planes flying commercially today could be vulnerable to having their onboard computers hacked and remotely taken over by someone using the plane's passenger Wi-Fi network, or even by someone on the ground, according to a new report from the Government Accountability Office.
One of the authors of the report, Gerald Dillingham, told CNN the planes include the Boeing 787 Dreamliner, the Airbus A350 and A380 aircraft, and all have advanced cockpits that are wired into the same Wi-Fi system used by passengers.
"Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems," according to the report, which is based on interviews with cybersecurity and aviation experts.
The government investigators who wrote the report say it is theoretically possible for someone with just a laptop to:
-- Commandeer the aircraft
-- Put a virus into flight control computers
-- Jeopardize the safety of the flight by taking control of computers
-- Take over the warning systems or even navigation systems
Dillingham says although modern aircraft could be vulnerable, there are a number of redundancy mechanisms built into the plane systems that could allow a pilot to correct a problem.
The report explains that as the air traffic control system is upgraded to use Internet-based technology on both the ground and in planes, avionics could be compromised. Older planes' systems aren't highly Internet-based, so the risk for aircraft 20 years and older is less.
The GAO report does not draw a roadmap on how this could be done, but it does say someone would have to bypass the firewall that separates the Wi-Fi from the rest of the plane's electronics. GAO Investigators say they spoke with four cybersecurity experts about the firewall vulnerabilities, "and all four said that because firewalls are software components, they could be hacked like any other software and circumvented."
Commercial pilot John Barton told CNN, "We've had hackers get into the Pentagon, so getting into an airplane computer system I would think is probably quite easy at this point."
The report continues, "According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors."
"A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines," according to the report.
It says another way a hacker could get access to a plane's computers is through a physical connection and notes that whenever there is a physical linkage, such as a USB plug in a passenger seat, if those wires are linked in any way to the airplane's avionics, that linkage creates a vulnerability.
Experts told investigators, "If the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin."
Members of the House Transportation and Infrastructure Committee, along with senators on the Commerce Committee, requested the report. Rep. Peter DeFazio, D-Oregon, who is the ranking member of the House committee, tells CNN, "This report exposed a real and serious threat -- cyberattacks on an aircraft in flight."
He says that the Federal Aviation Administration "must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system. That's a serious vulnerability."
The report concludes that the FAA needs to work on certification of aircraft avionics that will account for these vulnerabilities and remove them as possible threats to commercial aviation.
A source briefed on the report tells CNN that cybersecurity experts say these vulnerabilities exist and these scenarios are possible. But it is unclear how far the GAO went to test any of these possible scenarios. In the report, the GAO does not say whether this is based on actual testing or just theoretical mockups.
Pilot Barton notes, "This is going to take a long time, vetted by the best experts in the world and safety people to make this technology secure and safe."
In a letter to the GAO, Keith Washington, acting assistant secretary for administration with the FAA, said the agency "recognizes that cyberbased threats to federal information systems are becoming a more significant risk and are rapidly evolving and increasingly difficult to detect and defend against. We take this risk very seriously."
Washington went on to say "It is also important to note that the FAA had already initiated a comprehensive program to improve the cybersecurity defenses of the NAS (National Airspace System) infrastructure, as well as other FAA mission-critical systems. We are significantly increasing our collaboration and coordination with cyber intelligence and security organizations across the federal government and in the private sector."
"The Dreamliner and the A350 were actually designed to have the technology in it going forward to be able to have remote control intervention between the pilot and the ground or if an emergency were to happen in the air," Barton said. But he quickly added, "It's going to take a long time before we get to the point where that technology is safe and secure."
Boeing said it is committed to designing secure aircraft.
"Boeing airplanes have more than one navigational system available to pilots," the company said in a statement. "No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations."
Airbus released a statement, which read: "Airbus, in partnership with our suppliers, constantly assesses and revisits the system architecture of our products, with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don't discuss design details or safeguards publicly, as such discussion might be counterproductive to security."
#8
Did anyone read the GAO report, even the summary? It's clear the media either didn't read it, or read it and didn't understand it. To parade John Barton out as an aviation security source? Really?
This is such a non-event.

#10
Gets Weekends Off
Joined: Jun 2010
Posts: 7,584
Likes: 293
From: DOWNGRADE COMPLETE: Thanks Gary. Thanks SWAPA.