Hacks on a Plane
NEWS
One World Labs founder Chris Roberts has been making headlines recently with claims that he has been hacking in-flight entertainment (IFE) systems, enabling him to obtain access to the airplane’s networks and possibly even taking momentary control of the thrust management computer. Roberts has been conducting research on aviation security for several years, notably on Boeing and Airbus aircraft, and publishing numerous papers and presenting findings at security conferences.
The news surrounding Roberts comes from several sources, including interviews that he provided himself to the press on his exploits, all of which he claims to have done on simulations. Roberts has also landed himself in trouble by tweeting about conducting these hacks, and most recently, in April 2015 just before boarding a United Airlines flight, Roberts tweeted about tampering with the IFE system, which quickly got him kicked off subsequent flights. The third source comes from the FBI, which has been tracking Roberts and his research for some time. An FBI search warrant application published online recently reveals that Roberts claims to have accessed the IFE and other systems on more than a dozen different flights since 2011.
GAO Recommendations
IMPACT
Boeing issued a statement after the claims came to light, stating that such a compromise was not possible since the IFE and navigation systems were isolated. Whether the allegations prove to be true or not is almost beside the point. The issue at hand is clearly critical. Roberts’ ability to enable these hacks, even if only within a simulation, is worrying enough. Like a bad Airplane! sequel, the possibility that a passenger could access internal flight systems is not so remote. In fact, the security of aircraft and air traffic control systems has been debated for several years.
In April 2015, the U.S. Government Accountability Office (GAO) published a report on air traffic control. The report states that during the transitions to next-generation air transportation systems, the Federal Aviation Administration (FAA) will be facing cybersecurity challenges in protecting air-traffic-control information systems, as well as avionics used to guide and operate aircraft. The FAA would need to clarify cybersecurity roles and responsibilities among multiple FAA offices in order to address these and other challenges.
One of the main issues identified by GAO in the report was that the FAA has not developed a comprehensive agency-wide cybersecurity threat model, despite NIST guidance and its own internal efforts to address weaknesses. GAO recommends that the FAA develop such a threat model and also include the FAA’s Office of Safety within its newly created Cyber Security Steering Committee. The Office of Safety is responsible for certifying the avionics systems aboard aircraft, including the cybersecurity of those systems that enable communication with air traffic control and that guide aircraft. The FAA has taken the recommendations on board and is actively working to implement these. However, it is important to note that the GAO audit took 2 years to complete, and the efforts by the FAA to enhance cybersecurity and at the minimum to implement the threat model will likely not be completed before 2016.
Bug Bounties
COMMENTARY
In the meantime, airline carriers are taking it upon themselves to minimize some of these risks by embracing the bug bounty culture, albeit a little less openly than technology firms. United Airlines launched a bug bounty program in May 2015, quite likely as a result of Roberts’ actions. However, the program is limited only to discovering flaws in the airline’s websites, apps, and databases. Its restrictions explicitly exclude any testing on aircraft or aircraft systems such as in-flight entertainment or in-flight Wi-Fi. This means bugs in entertainment systems, avionics, or onboard Wi-Fi are not eligible for submission. Further, the rewards are paid in miles and require the hunter to be signed up to United Airlines’ miles program.
Seemingly, United has not quite understood how to fully leverage a bug bounty program. The true value lies in offering a decent bounty to attract skilled white hats. Further, expanding the scope to IFE and avionics would allow for the disclosure of zero-days and other vulnerabilities in the systems that are the most critical, and could really add value to the United brand if the airline is able to take in that information and deploy timely security patches. However, they do deserve recognition for implementing one of the first such programs for their industry. This will hopefully set the stage for other airlines, and manufacturers like Boeing and Airbus, to join and drive a more open cybersecurity discussion in the industry.