Hacking into an Aircraft for US$ 80.00

Over the years, security and passenger safety policies, as they relate to aviation, have not included any reference to cyber security. Today, it is one of the most serious challenges the aviation world faces

Hacking into an Aircraft for US$ 80.00

Photo: Bigstock

Referring to the field of aviation in the context of cyber weaknesses and vulnerabilities is by no means a trivial matter. Aviation is one of the world's most strictly controlled fields of activity. Dozens of international standardization organizations are constantly hard at work ensuring stringent aviation standards and operation models that have thus far contributed to the establishment of a safe and efficient transportation branch that has even demonstrated a significant decrease in the loss of human lives over the last decade.

However, over the years, security and passenger safety policies, as they relate to aviation, have not included any reference to cyber security. Today, it is one of the most serious challenges the aviation world faces. For years, analysts, hackers, and various specialists have been warning of potential weaknesses and threats to the aviation world, but each and every warning or document published was criticized by standardization committees headed by veteran flyers who strongly protested against it and dismissed the warnings citing various excuses.

Over time, the ability of the various standardization organizations and administrative bodies to repel the claims of cyber specialists diminished with the increasing number of incidents that clearly demonstrated the vulnerability. Over the last three years, the industry has changed. New standardization organizations focusing on the new technological threat entered the field, which led to initiated activities by airlines, aircraft manufacturers, and government agencies with the intention of minimizing the vulnerabilities of civil aviation.

Hacking into Flight Management Systems

In 2013, Hugo Teso, a cyber analyst who also possesses a pilot's license and is an aviation enthusiast, simulated a hack into classic aviation, flight control and telemetry systems using a Simon type hacking kit. Hugo demonstrated his concerns using used flight control components he had acquired on-line at the cost of just US$80.00, including a Flight Management System (FMS) and a combination of software-based modules.

Hugo Teso managed to alter the configuration of the FMS by sending messages using the Aircraft Communication Addressing and Reporting System protocol. This is a digital communication protocol used for communicating and exchanging updates between ground stations and aircraft by sending short messages as reports and updates during the various stages of the flight.

This protocol is also used for updates regarding the operational status of the aircraft and constitutes a layer of communication with the FMS for flight plan and weather updates and so forth. Teso managed to alter data in the FMS but more importantly – he used a hacking kit that makes all of that possible without any significant processing power. This successful demonstration of the vulnerability of the systems along with the increasing number of incidents where aviation systems were exposed to hostile codes changed the dynamics in the industry.

Software-Based Aircraft

The field of aviation is characterized by macro trends and micro-trends, all of which contribute to a threat-intensive environment. At the micro level, one of the trends is the technological evolution of Software Defined Radio (SDR) applications. As in the information technology (IT) world, in the aviation world, the transition to software-defined applications contributes to enhanced technological flexibility, reduced costs and the ability to develop dynamic configurations. However, these systems are more vulnerable to cyber threats and can become the targets for attacks against ground-based flight management systems that transmit radio signals capable of disrupting radar displays.

Additionally, the increased reliance on GNSS and GPS is potentially risky, as it was often proven that positioning signals may be disrupted relatively easily. The increasing congestion of the airspace generally and the intensifying employment of unmanned airborne vehicles in particular contribute to the enhanced load in data transmissions and to the potential for lateral disruptions.

At the macro level, the technological environment on board the aircraft has changed significantly over the last few years and now constitutes a vulnerability for complex threats. Such systems as the In Flight Entertainment (IFE) system, those multimedia interfaces intended to offer a more pleasant flight experience that may be adapted to the preferences of each passenger have provided a foundation for numerous cyber incidents in recent years. Some of the threats associated with IFE systems turned out to be mere vandalism incidents, but others were more severe.  As of November 2013, aircraft manufacturers have been devoting time and investing efforts in an attempt to find security solutions for these systems.

Airlines have also been investing substantially in the transition to the NextGen and E-Enabled concept (aircraft connected to the Internet). According to this technological-operational concept, the aircraft incorporates a wideband network, wireless networks for passenger use along with electronic tags for baggage monitoring and a significant expansion of the on-board computer infrastructures. All of these solutions provide a foundation for an increasing potential threat.

In addition to the on-board systems, the entire lifecycle associated with civil aviation incorporates an extensive range of vulnerabilities that could constitute targets for damage inflicted by complex hostile codes. That range includes everything from passenger management and registration systems through flight control and management systems to ground systems, logistic systems, and airport support systems.

The need for innovation in the aviation world has undoubtedly presented a complex information security challenge with regard to the supply chain that supports a dynamic environment with an extensive range of users, civilians, and infrastructures. At the same time, the trends of increasing cyber threats and the airlines' increasing awareness of those threats seem to bring about a change that could make the aviation world safer in cyberspace, too. 

 

Tomer Nuri is CTO at the MalamTeam Group.