Modern aircraft with onboard WiFi systems face the very real threat that they could be hacked, according to a report by the US government.
The US Government Accountability Office (GAO) conducted an in-depth report into the threats posed by cyber attacks as the Federal Aviation Authority (FAA) transitions to a new system for monitoring and communicating with aircraft, called
Next-Generation Air Transportation System (NextGen).
The GAO noted that, while NextGen will bring many benefits, such as improved communication channels between aircraft and ground control systems, it will also require systems to be upgraded.
“The shift to NextGen technologies will require the FAA to replace its proprietary, relatively isolated ATC [air traffic control] computer systems with information systems that interoperate and share data throughout the FAA’s operations and those of its aviation partners,” the report said.
As a result of this shift the GAO warned that there will be increased exposure of these systems to outside threats.
“New networking technologies connecting the FAA’s ATC information systems expose these systems to new cyber security risks, potentially increasing opportunities for systems to be compromised and damaged,” it said.
“Such damage could stem from attackers seeking to gain access to and move among information systems, and from trusted users of the systems, such as controllers or pilots, who might inadvertently cause harm.”
These threats are not limited to ground systems. The GAO report said that modern aircraft that have the ability to access the internet through onboard WiFi systems face the very real threat of being hacked.
“FAA officials and cyber security and aviation experts we spoke to said that increasingly passengers in the cabin can access the internet via onboard wireless broadband systems,” said the report.
“Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors."
Furthermore, while aircraft have firewalls fitted to stop communications from passenger systems infiltrating the cockpit, these protections can never be considered 100 percent effective.
"Four cyber security experts with whom we spoke discussed firewall vulnerabilities, and all four said that, because firewalls are software components, they could be hacked like any other software and circumvented," the report said.
"The experts said that if the cabin systems connect to the cockpit avionics systems (e.g. share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin."
The image below shows the standard setup for wiring and internet connectivity services in modern aircraft.
The GAO said in response that, while it acknowledges that the FAA is taking the issue of cyber security seriously, potential gaps remain.
"The FAA has taken steps to protect its ATC systems from cyber-based threats. However, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system," it said.
"The FAA has agreed to address these weaknesses. Nevertheless, the FAA will continue to be challenged in protecting ATC systems because it has not developed a cyber security threat model."
Furthermore, the GAO report noted with concern that, despite being alerted to this, the FAA is not addressing the situation adequately.
"While the FAA has taken some steps towards developing such a model, it has no plans to produce one and has not assessed the funding or time that would be needed to do so," it said.
"Without such a model, the FAA may not be allocating resources properly to guard against the most significant cyber security threats."
V3 contacted the FAA for its response to the report but had received no reply at the time of publication.
CNN reported that Keith Washington, acting assistant secretary for administration at the FAA, said in a draft letter to the GAO that the organisation is taking all necessary steps to protect itself and its system from cyber threats.
"[The FAA] recognises that cyber-based threats to federal information systems are becoming a more significant risk and are rapidly evolving and increasingly difficult to detect and defend against," he said.
"It is also important to note that the FAA had already initiated a comprehensive programme to improve the cyber security defences of the National Airspace System infrastructure, as well as other FAA mission-critical systems."
The threat posed by online systems was underlined recently in another major area, after the US CERT revealed that it had been called in to assess 245 incidents of hacks on industrial control systems across the US over a single year.
FBI briefing US companies to dump Kaspersky, claiming intelligence prove it a 'threat to national security'
Kaspersky rejects FBI accusations that its products are a 'threat to national security'
But breached contractor says that it simply didn't have that much data
EE follows Three in threatening legal action against Ofcom - but for entirely different reasons
The One X is already sold out at several retailers