Malaysia Airlines Flight 370 went down in the southern Indian Ocean, authorities stated Monday, citing a new analysis of satellite data. But nobody knows just what took it so far off course – including whether a cyberattack on the aircraft might have been responsible.
At a hacker conference last April in Amsterdam, Hugo Teso, a Spanish cybersecurity expert and commercial pilot, demonstrated how an airliner could be hacked using a smart phone app he developed, dubbed PlaneSploit.
European and US authorities quickly swatted down Mr. Teso’s claim, proclaiming he had only tested his attack on pilot-training software – not on a real flight management system, which they said was configured differently. So, they asserted, his exploit could not possibly succeed in the real world.
Other security experts disagree, saying minor adjustments would make Teso’s experiment work on the real thing. Undaunted, Teso has continued his research and still warns of vulnerabilities in airplane systems. But he has also publicly dismissed the idea that the Malaysia flight was hacked.
“I would like to make it clear here: I don’t think the MH370 was hacked,” he wrote in a statement on his website recently.
Even so, he and other cyber experts maintain there are serious vulnerabilities in today’s most modern airliners – including the Boeing 777 aircraft that disappeared so mysteriously en route from Malaysia to China – that could make them vulnerable to hackers, these experts say.
Andrei Costin, a French cyber-researcher, and Brad Haines, a Canadian cybersecurity expert, separately reported vulnerabilities in the same key onboard location-tracking system at different hacker conferences last year. Mr. Haines agrees that a Flight 370 hack is unlikely – but says cyberthreats to airliners are real.
“The short version is that I was trying to prove to myself that flights are safe,” Haines says in an interview. “I fly a lot so I started digging and found, ‘Oh, that’s not good.’ I ended up proving problems. If it was a case of just me seeing this I would wonder. But there’s a whole bunch of us finding the same things. So maybe something’s there.”
Indeed, securing new aircraft against cyberattack is a question the Federal Aviation Administration (FAA) and airplane manufacturers are wrestling with in the newest fly-by-wire aircraft. These airplanes rely on networked computers to send electronic signals to engines, flaps, and other vital flight systems rather than through physical hydraulic-mechanical linkages.
Evidence of this concern appeared in a “special conditions” ruling in November, when the FAA ordered that Boeing 777 series airplanes would have to meet a new requirement titled “Aircraft Electronic System Security Protection From Unauthorized Internal Access.”
The integrated computer networks of Boeing 777 series aircraft “may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants,” the new rule warns. “This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane.”
To prevent that, the rule orders steps that “ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.”
Carl Herberger, a former Air Force pilot and vice president at Radware, an Israel-based cybersecurity firm, says a cyberattack on the Malaysian flight was at least possible, citing the FAA rule as evidence of that.
“It’s very clear from this FAA release that cybersecurity has not been part of the scope of testing for airworthiness certification up to this point,” he says. “It’s very notable, especially given what happened with this 777 out of Malaysia. I’m not inferring [Flight 370] was a cyberattack, but we have a vulnerability that can’t be ignored.”
A Boeing spokesman declined to answer questions about whether the missing aircraft or the more than 1,100 other 777 aircraft now in service are in compliance with the new FAA “special conditions” cyber-rule, citing the ongoing Malaysia investigation and deferring questions to the FAA.
"We apply special conditions when the existing standards do not contain adequate or appropriate safety standards for new or novel design features,” FAA spokeswoman Laura Brown said in an e-mailed statement. “With the evolution of network technology, the FAA has been issuing special conditions to establish the appropriate standards to protect aircraft systems and networks from intentional or unintentional, unauthorized access.”
While Teso, Haines, and others say it is unlikely the Malaysia flight was hit by a cyberattack, others have suggested it is at least possible.
“When the plane is air-side, you can insert a set of commands and codes that may initiate, on signal, a set of processes,” Sally Leivesley, a former antiterrorism adviser to the British government told London’s Sunday Express newspaper.
“What we are finding now is that it is possible with a mobile phone to initiate a signal to a preset piece of malicious software, or malware, in the computer that initiates a whole set of instructions,” she continued. “It is possible for hackers, be they part of organized crime or with government backgrounds, to get into the main computer network of the plane through the inflight, onboard entertainment system.”
Her comments paralleled Teso’s findings at the Amsterdam conference. There he delivered “Aircraft Hacking: Practical Aero Series,” a presentation that included his PlaneSploit app. He said the app, running on a smart phone, could inject messages into a flight-deck communications system and manipulate it.
In his presentation, Teso describes several onboard systems he exploited in order to ultimately manipulate the “flight management system,” or FMS, that he had purchased for a few hundred dollars on e-Bay.
They included the Aircraft Communications Addressing and Reporting System, or ACARS, which reports, among other things, details of engine performance while in flight. It also includes the Automatic Dependent Surveillance-Broadcast (ADS-B), the next-generation replacement for today’s aging air traffic control radar systems.
Other cybersecurity researchers, in the academic rather than hacker community, also warn of key aircraft communications systems that are potentially vulnerable to hacking either through insertion of malware into flight data uploaded to the flight management system or manipulation through wireless connections.
“Credible examples of potential misuse by such an adversary in future aircraft include: malware to infect an aircraft system, exploit of onboard wireless for unauthorized access to aircraft system interfaces,” a team of Boeing and University of Washington researchers found in a 2011 study.
“Besides vulnerability assessment, mitigation, exploit detection, and response ... aircraft must be certified to have minimal risk from cyber-physical threat,” the study found. Despite some “community efforts” to bridge the gap, “most aviation standards do not yet cover cyber-physical threats.”
Such threats include intentional denial of service to wireless interfaces vital to other aircraft systems, including safety critical systems, as well as the misuse by passengers of personal devices to access aircraft systems, the study says.
One hotbed for current research revolves around the ADS-B system used in onboard aircraft transponders, such as the one on the missing Malaysian flight. ADS-B will be mandatory by 2020 in most airspaces in the world. Australia and Canada have already started deploying ADS-B nationwide and most airlines have already updated their aircraft with ADS-B capabilities.
Using ADS-B, airplanes transmit their own locations by radio (instead of depending on towers to track them) and link to the GPS network.
But while much more accurate, the new ADS-B capabilities are unencrypted and lack other security features, which could lead to trouble, cybersecurity researchers warn. At the Black Hat hacker conference in Las Vegas in 2012, Mr. Costin warned the FAA's new air traffic control system could be hacked.
"Among the threats to ADS-B is that the system lacks a capability for message authentication,” Costin was quoted as saying in his presentation. “Any attacker can pretend to be an aircraft' by injecting a message into the system.”
By faking signals and injecting them into the unencrypted ADS-B system, a hacker on the ground could make a pilot believe he was on a collision course with other aircraft – or swamp ground controllers with a swarm of fictitious “ghost” aircraft, Costin and others have noted.
Computer scientists, too, are finding the same vulnerabilities.
“Our results reveal some bad news: attacks on ADS-B can be inexpensive and highly successful,” Matthias Schafer, a German researcher at University of Kaiserslautern, along with co-authors at Oxford University and armasuisse, a Swiss technology evaluator, concluded in a study last year.
Teso also found ADS-B useful for a hacker gathering information – which could then be used to exploit ACARS. From there, he said, he could wiggle into the Flight Management System.
“If you have got any connections whatsoever between the computing systems, you can jump across and you can get into the flight critical-system,” Dr. Leivesley, the British expert, concurred in her comments to the Express.
The cyberthreat to airliners might not have emerged as a topic of discussion at all – except for the exceptionally long time frame in which Flight 370 has been missing. In that period, media and conspiracy theorists have gone wild.
At this point, Haines and other hackers say there is little to suggest Flight 370 disappeared because of a hacker taking control of the aircraft’s flight management system from his smart phone – or laptop – in the comfort of the passenger section of the aircraft. But it may pressure regulators to ensure the future flights against cyberthreats, he says.
“The Malaysia situation has ended up shining a big light on the cyber-problem,” he says. “Partly it’s because in the absence of fact, people are grasping at things. At the same time, all of us doing this research have been told, “Oh no, no, we’ve secured these systems.’ Well how? ‘We can’t tell you,’ they say. Well, that’s not comforting.”