Warnings of hackers on planes all too familiar to airline security researchers

Fresh government reports and alerts about the hacking threat to airplane avionics systems underscores the challenges facing industry and government as more critical infrastructure becomes Internet connected.

The warnings were certainly alarming: following fresh reports that airline navigation systems were vulnerable to digital attacks, federal agents warned flight crews to be on the lookout for hackers.

And in a sign of how edgy the airline industry and federal agents may be over hacking planes, earlier this month the FBI detained a security researcher after he tweeted about computers flaws within the Boeing 737 on which he was traveling.

But while breaking into aviation networks has become the latest cybersecurity risk grabbing headlines, government watchdogs along with the Federal Aviation Administration (FAA) and computer researchers have been warning for years that the software used in modern airplanes is vulnerable to attacks from criminal hackers. Yet, according to many researchers, despite these alarm bells, the industry as a whole does not appear to have taken the necessary steps to keep their systems secure. 

“We blew a lot of this stuff up four or five years ago at BSides,” said Chris Roberts, a noted researcher and principal at One World Labs, referring to the security conference where he presented evidence of airline security flaws.

In fact, over the past few years, researchers have demonstrated how attackers could take control of in-flight communication systems and avionics equipment that pilots rely on during flight.

The industry and law enforcement didn't take kindly to Mr. Roberts' latest comments regarding its systems. While he was traveling on a flight to Syracuse on April 15, Roberts tweeted about breaking into an airline computer system.

"Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”. EICAS refers to the Engine Indicating and Crew Alerting System, which is critical in-flight systems.

After the flight, he was detained and questioned by federal agents for two hours. The FBI retained his laptop and other devices, saying it needed to do a forensic analysis of them to determine whether Roberts had, in fact, attempted to hack the Boeing jet. He was also later barred from boarding a separate flight on his way to the RSA Conference, a major security industry gathering last week in San Francisco.

“We knew these things were issues four or five years ago. So I wonder ‘is there a specific threat that they’re not telling us about,’ or are they just [upset] because I’m not shutting up?” Roberts said following the incident.

Latest warnings

The renewed attention to airline security – and what Roberts had been commenting about on Twitter – started when with a Government Accountability Office (GAO) report on April 14.

The report warned that the FAA lacked a systematic approach to assessing security risks in airplanes, relying instead on case-by-case “Special Conditions” rules to address risks in specific airplane models. The FAA’s Radio Technical Commission for Aeronautics (RTCA) has yet to design new regulations that could be used to certify cybersecurity assurance for avionics systems because those systems historically haven’t been accessible in a way that would permit cyberattacks, the GAO noted.

The reaction to the GAO report from lawmakers and law enforcement was swift and pronounced. Rep. Peter DeFazio (D) of Oregon, the ranking member of the House Transportation and Infrastructure Committee, told CNN that the report has exposed serious threats to aircraft in flight and urged the FAA to respond.

“I can’t believe this is just now becoming news,” says Joshua Corman, the chief technology officer at the firm Sonatype and a founding member of IAmTheCavalry, a grassroots organization of security experts who advocate for issues in which computer security intersects with public safety.

Mr. Corman said the failure to address cybersecurity risk by the FAA and airplane makers is symptomatic of what he calls a “cultural defect” in the information security sphere – and more generally in society – that focuses attention on threats but not the bigger questions of prevention.

“Our manner of digesting and discussing topics is biased toward waiting for some in the wild manifestation of an attack,” said Corman. “That really truncates conversations about secure architecture and secure design.”

The consequences of that is a lack of measurable progress in making systems and software more secure over time, as the GAO report suggests.

“That’s disappointing when the stakes are personally identifiable information or credit card numbers being stolen,” Corman said. “But now we’re talking about areas where the cost of failure is measured in human lives.”

Awareness is growing

Even if the GAO report doesn't break new ground, it was "necessary" and a "good idea," said Ruben Santamarta from the firm IOActive, another noted airline security researcher. “It’s better to approach these kind of potential scenarios from a proactive manner, instead of waiting until something happens,” he said. 

And Mr. Santamarta says that awareness is growing within the aerospace sector regarding cybersecurity risks. One bit of proof: in June he’ll be speaking about aircraft security at Aviation Festival Americas, a major conference for the world’s airlines.

The fallout from the GAO report underscores the difficulty that private firms, federal regulators, and lawmakers face as more and more critical infrastructure comes to rely on software and Internet connectivity, experts acknowledge.

After years of operating as little-explored technology islands, firms across the transportation industry are beginning to encounter many of the same issues that software firms such as Microsoft and Adobe Systems have long had to contend with, said Katie Moussouris, the chief policy officer of the firm HackerOne, which helps firms sponsor and run programs to find and fix software flaws.

“Critical infrastructure is not immune from security vulnerabilities,” said Ms. Moussouris. The good news is that firms such as Boeing and Airbus are in a position to learn the lessons of companies such as Microsoft, where she worked as a senior security analyst.

That company spent years battling with independent security researchers over protocol related to the discovery of vulnerabilities in its software. In the process, Microsoft came to be an industry leader, not only in secure software development, but also in its infrastructure for producing and distributing software patches to users, and in communicating with the public about the substance of those.

At a minimum, Moussouris said companies need to create a “front door” for researchers such as Roberts. That means creating something like a spot on their webpages that instructs independent researchers on how to report software vulnerabilities to the company.

 “You need openness, transparency, and acceptance," she said "That’s just a reality when software is running on things."