The White House’s new National Strategy for Aviation Security calls attention to a rising concern in aviation safety: the potential for cyberattacks on aircraft, a prospect that might just be as scary as it sounds.
The strategy, an update of the previous aviation security plan issued in 2007, highlights the emerging threats that “pose the greatest challenge to the entire Aviation Ecosystem,” putting malicious cyber actors first on a list that includes malicious use of unmanned aircraft, insider threats, sophisticated explosives, and other non-traditional aviation threats. It’s something the Department of Defense, the Federal Aviation Administration, and other agencies have been concerned about for years.
With aircraft increasingly connected and computerized–the F-35 Joint Strike Fighter has more than eight million lines of code–the possibilities of hacking an aircraft have become real. Attacks on commercial aircraft have occurred for the past several years, including the hacks of data communications between pilots and controllers on the ground, airline operations systems, and in-flight entertainment systems, according to Aviation Today. In at least one case, a hack caused flight cancellations in Europe.
A Department of Homeland Security team hacked into a Boeing 757 while it was parked at the airport in Atlantic City, N.J., back in 2016. DHS hasn’t said exactly what its hacking team did, though an official has said the team conducted its hack remotely, without any physical contact with the plane, and got in through the aircraft’s radio frequency communications. However, DHS also pointed out that the hacking team did not gain access to flight control systems.
The Government Accountability Office released a report in the fall citing cybersecurity weaknesses in DoD weapons systems, including aircraft, noting that the systems are more networked and computerized than ever, and that DoD only recently had made the cybersecurity of those systems a priority. “Using relatively simple tools and techniques, [GAO] testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” GAO’s report said. “In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations.”
The aviation industry puts a lot of effort into safety, including its communications systems, but the increased use of software and digital communications have left some vulnerabilities open. Weak encryption in internal communications systems is one example. And the sheer amount of computer code being used can make it difficult to properly test all of an aircraft’s software.
GPS jamming and spoofing, in which navigational satellite signals are disrupted or faked, are the most common types of electronic attacks on aircraft. Spirent Communications, which tests navigation equipment, reportedly identified 150,000 jamming and interference events between 2016 and 2018. In an example of how available jamming technology is, the company said a chunk of the increase in incidents grew out of spoofing techniques developed by players of the augmented reality game Pokemon Go. GPS jamming also is a major concern for DoD, which has made jamming a major focus of its electronic warfare efforts.
The Air Force is focusing on another potential weak spot with external support systems, which it says is the weakest link in the cybersecurity chain for the F-35. The Air Force noted that the cyber protections inside the aircraft may not extend to external systems, which can also affect operations.
At last year’s Black Hat cybersecurity conference in Las Vegas, Ruben Santamarta of IOActive talked about how, from the ground, he hacked hundreds of aircraft in the air, by exploiting vulnerabilities in satellite communications that would have allowed him (if inclined to cause trouble) to access onboard systems and monitor onboard Wi-Fi and passenger devices. He said the aircrafts’ safety systems weren’t at risk, but he had been able to turn satellite communications into “radio frequency weapons.”
Cyberattacks on aircraft haven’t so far resulted in a catastrophe, but the potential for a consequential hack is there. A report by the Department of Energy’s Pacific Northwest National Laboratory (PNNL), obtained by Motherboard, concluded that it is only a “matter of time before a cybersecurity breach on an airline occurs.”