Security Researcher Allegedly Hacks Into Commercial Passenger Airplane Flight Systems

According to the FBI, a security researcher may have hacked into commercial airplane flight systems by way of poorly designed and poorly protected in-flight entertainment systems (IFEs). If even the high-flying airline industry can’t protect its critical systems, what does that say about our hopes for security in the Internet of Things (IoT)?


Wired writes that: “Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.”

Uncertain Claims

What some researchers won’t do in the name of vulnerability disclosure, or to gain notoriety! All we know for sure at this point, however, is that Roberts was arrested, his electronic devices were seized and an application for a search warrant was filed. That application makes interesting reading. 

According to the FBI, Roberts told Special Agents he had exploited vulnerabilities with IFE systems approximately 15-20 times during the time period 2011 through 2014. He said he got physical access to video monitors in passenger seatbacks, connected a laptop and used default IDs and passwords to infiltrate the IFE and then hack into flight systems. “He stated that he successfully commanded the system he had accessed to issue the “CLB” or climb command…[and] thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane.”

An Inside View

There is still no proof that Roberts actually succeeded in hacking the flight systems, but the FBI is taking no chances. In the meantime, aviation security experts are debating how likely it is that Roberts’s claims are true. According to an aviation industry source:

“There have been rumors about this. What I heard was that only the IFE was penetrated and that system was not connected to any of the others. But if the traffic were flowing across VLANs and he could compromise one of the hosts that had a trunk port attached, then in theory he could read/inject all of the VLANs coming down that trunk – which might include some carrying navigation and/or throttle information.

“People in the industry are not going to admit it. If it is their job to make sure this is secure and they signed off on it, then to admit it means they will be fired. The airlines won’t admit it because that would mean some people might decide not to fly and that is cash money they don’t want to lose. The other thing is they just may not know. They may say, it’s impossible, the traffic is on separate VLANs. They don’t have hacker mentality. They don’t realize that a hack can let you read traffic from another VLAN.”

Poor Protection, Poor Design?

That this kind of exploit could even be possible boggles the mind. First of all, would-be hackers should not be able to use default IDs and passwords to research their exploits aboard planes. What does that say, if it’s true, about the level of airlines’ due diligence?

Secondly, a proper air gap, or at least firewall separation, should exist between consumer-grade IFE systems and safety-critical in-flight systems. Any certified security architect should understand that a high-risk system (not to mention a high-threat adversary such as terrorist agents with hacking skills) needs high-surety protections with no known residual risks.
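The industry source's concern about trunk ports can be checked from the defender's side. The following is an added example, not code from the original post: it audits a constructed, Cisco IOS-style switch configuration and flags any trunk port whose VLANs span more than one trust zone. The VLAN numbers, zone names and interface names are assumptions made up for illustration.

```python
import re

# Constructed sample: IOS-style switch config and a VLAN-to-zone map.
# VLAN numbers, zone names and interfaces are assumptions for illustration.
ZONES = {10: "passenger", 11: "passenger", 20: "crew", 30: "control"}

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10-11
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,30
interface GigabitEthernet0/4
 switchport mode trunk
"""

def expand_vlans(spec):
    """Turn '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config, zones):
    """Return {interface: sorted zones} for trunks spanning more than one zone."""
    findings = {}
    # Split the config into one stanza per "interface" line.
    for stanza in re.split(r"(?m)^(?=interface )", config):
        m = re.match(r"interface (\S+)", stanza)
        if not m or "switchport mode trunk" not in stanza:
            continue
        allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", stanza)
        # A trunk with no allowed-VLAN list carries every VLAN by default.
        carried = expand_vlans(allowed.group(1)) if allowed else set(zones)
        spanned = sorted({zones[v] for v in carried if v in zones})
        if len(spanned) > 1:
            findings[m.group(1)] = spanned
    return findings

if __name__ == "__main__":
    for port, spanned in audit_trunks(SAMPLE_CONFIG, ZONES).items():
        print(f"{port}: trunk spans zones {', '.join(spanned)}")
```

A finding here means that a single compromised host or link on that port would see traffic from every listed zone, which is exactly the situation VLAN separation alone does not prevent.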

Bottom Line

What Roberts said he did is wrong, and endangered passengers on the affected flights. But the airline industry needs to do a lot more than just “shoot the messenger.” After answering these awkward questions honestly, they should set about really securing today’s configuration, and commissioning a major rethink of tomorrow’s architecture.

