Hacker’s Into Commercial Airline Systems

Uploaded on 2015-06-01 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Screen-Shot-2015-04-16-at-07.54.43-655x360.png

 

Even as the US questioned a computer researcher’s claims of tampering with a jetliner in flight, his account spotlighted possible cybersecurity risks in commercial aviation. The consultant told the Federal Bureau of Investigation that he hacked into in-flight networks more than a dozen times using onboard entertainment systems, as Wired magazine reported.

While a US official said that lacked credibility, the article drew attention to a US report last month about digital threats to airliners. 

U.S. government officials flagged potential vulnerabilities in the US’s pending shift to satellite-based air traffic control from current ground-based systems. They said there is a theoretical risk that an unauthorized person could gain access to sensitive aircraft systems, even though the computers running the controls are kept separate from in-flight entertainment technology.

Even with firewalls, a breach could occur if the cockpit controls system and entertainment technologies were connected to the same router or use the same networking platform, the US Government Accountability Office wrote last month.
Hacking into cockpit controls would require a combination of expert skills and a network that is sufficiently vulnerable, said Jon Haass, chairman of Cyber Intelligence & Security at Embry-Riddle Aeronautical University’s Prescott, Arizona, campus. But it’s possible because of the interconnectivity of aircraft systems, he said.

“The networks are in some sense connected, even though they’re firewalled off from each other,” Haass said. “If I can trick a network computer or device into thinking I’m OK, that would allow me to then get to the controls which I’m not authorized to touch.”

Chris Roberts, founder of a cybersecurity consulting firm called One World Labs, claimed to have made that threat a reality after being pulled off a flight last month over provocative tweets about airline hacking.
However, there is no credible information to suggest an airplane’s flight control system can be accessed or manipulated from its in-flight entertainment system, a senior law enforcement official who asked not to be identified told Bloomberg News recently.

Even so, hacking a plane’s control systems in flight would represent a dangerous and likely illegal escalation, which has angered security researchers.

While cockpit control systems have historically been isolated and self-contained units, airplane manufacturers have shifted to a concept called integrated modular avionics that run vital functions through fewer central processing units to save weight and increase the ease of software upgrades.

This approach shaved 2,000 pounds off the weight of Boeing’s most advanced commercial jet, the 787 Dreamliner, while cutting in half the numbers of processor units for Airbus Group NV’s A380 superjumbo jet, according to Aviation Today.

Although separated from the entertainment systems by firewalls, security technologies could be breached if connected to the same router or use the same networking platform, the GAO wrote. Some aircraft have controls that have an “air gap” with other airplane computer networks, meaning the different networks have separate wiring that prevents the sharing of information. That closes off that vulnerability, Embry-Riddle’s Haass said. It’s not clear that all planes have this closed-off system, he said.

The FBI is warning airline workers to watch for suspicious activities, such as passengers connecting cables or wires to the in-flight entertainment systems “or unusual parts of the airline seat,” and report any signs of tampering with the entertainment systems, according to Wired.

The Federal Aviation Administration last year ordered Boeing to ensure that computer networks on upgraded versions of its 737 aircraft are protected. Previous versions of the same plane “had very limited connectivity with external network sources” and weren’t at risk, the FAA said in the June 6 notice. The agency has issued similar notices ordering Boeing, Airbus and other aircraft manufacturers to design electronics to protect them from outside interference.

Entertainment systems on Boeing’s commercial airplanes are isolated from flight and navigation systems, and pilots have more than one navigational system at their disposal, said company spokesman Doug Alder.
“No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval,” he wrote.
Airbus has systems and procedures in place to ensure against potential cyberattacks, Mary Anne Greczyn, a spokesman for Toulouse, France-based Airbus, said in an e-mail. “We naturally do not discuss details on our security design and operations in public.”
Pilots form an additional layer of protection, John Cox, president of consulting firm Safety Operating Systems, said in an interview.

On the off chance that it was possible for a hacker to manipulate the flight controls, pilots are trained how to manually override a plane’s automatic systems, said Cox, a former pilot himself. Therefore he says, “The idea that you can somehow get in and take control of the airplane, it isn’t going to happen,” he said.
Claims Journal:  http://bit.ly/1LWLbEB

« Iran Suffering a Techno Gap in Cyber Defense
Keeping Passwords Safe From Cracking »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

44CON

44CON

44CON is an Information Security Conference & Training event taking place in London. Designed to provide something for the business and technical Information Security professional.

CERT.AZ

CERT.AZ

The national Cyber Security Center of the Republic of Azerbaijan.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

Internet Storm Center (ISC)

Internet Storm Center (ISC)

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with ISPs to fight back against the most malicious attackers.

ThreatBook

ThreatBook

ThreatBook is dedicated to providing real-time, accurate and actionable threat intelligence to block, detect and prevent attacks.

Plurilock Security Solutions

Plurilock Security Solutions

Plurilock is a real-time cybersecurity solution that uses artificial intelligence to identify, prevent, and eliminate insider threats.

KOBIL

KOBIL

KOBIL is a pioneer in the fields of smart card, one-time password, authentication and cryptography.

Government Communications Security Bureau (GCSB) - New Zealand

Government Communications Security Bureau (GCSB) - New Zealand

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

AppTec

AppTec

AppTec is a leading software vendor in the field of Unified Endpoint Management and Mobile Security.

Build38

Build38

Build38 provides the highest levels of security for mobile applications.

Mend.io

Mend.io

Mend.io (formerly known as WhiteSource) is an application security company built to secure today’s digital world.

Networks Unlimited

Networks Unlimited

Networks Unlimited is a leading value-added distributor in Africa, providing technology solutions with a focus on security, networking, enterprise systems management and cloud technologies.

Gatefy

Gatefy

Getfy is a cybersecurity company specialized in artificial intelligence and machine learning. We work to solve challenging issues, especially those involving email security.

Tailscale

Tailscale

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly.

Qwiet AI

Qwiet AI

At Qwiet AI we enable you to prevent cyberattacks by securing code from the start. Secure code in three steps.

Rydal Group

Rydal Group

Rydal Group is an award-winning, fully pledged communications & managed IT, Security and Energy provider supporting over 1,500 businesses across the UK.