DBEA55AED16C0C92252A6554BC1553B2 Clicky DBEA55AED16C0C92252A6554BC1553B2 Clicky
March 29, 2024
Care to share?

This issue is now getting a lot of attention.  United just banned a passenger who is an IT cyber security expert, because the airline believes him to be a threat to their aircraft systems.   We are not sure this was the best response from the airline.

The decision now will likely attract every IT person who flies to have at least a twinge of curiosity.  IT people by training are smart and by nature inquisitive.  Getting an IT person to accomplish just about anything can be done by saying these words “I bet you can’t….” – we know because we use it and it works every time.  Smart IT people like these accept challenges because the determination to prove themselves to themselves is a constant driver.

Bear in mind in a knowledge economy, the IT worker is the sharp end of the sword.  Which means that every IT person who flies United might now become a “threat” simply because among these curious people will be some who can’t resist trying out their capabilities to explore any system they can access.  Post flight or even during flight the urge to say “I did it!” is going to be irresistible and will bring with it global fame and adulation from other IT people.  These people are not being malicious.  They don’t want to to hurt anyone.  But United has now ensured its systems are very attractive to people with IT skills.  Talk about unintended consequences.

But believe it or not, it gets worse.  Now we see “the FBI and TSA have issued an alert to airlines advising them to be on the lookout for evidence of tampering or network intrusions.”  Oh boy.  Now if you are seen to be using an IT device, are you going to be watched closely by crew and fellow passengers? A passenger’s delight to escape the awful seating and crowded airplane environment has become a smartphone or tablet.  That escape now is going to attract eyes who will want to see what you’re doing.  This whole thing does not bode well for flying.  Cabins have already become very uncomfortable places; with amazing intimacy among strangers seated cheek by jowl on 17 inch seats for hours on end.  The well established protocol of looking off into the middle distance while your close, very close, neighbor watches a movie or types out emails or texts may be forever changed.

So can a person hack an aircraft?  We would guess, most probably yes they can.  It might be difficult and challenging. But not impossible.  The on-board systems are created by programmers, so other programmers can understand the code if they can access it.  The move to in-flight Wi-Fi means it becomes increasingly possible that a person with the right skills and IT tools probably can access something that normally would not be accessible.  If people can hack banks and steal millions, why couldn’t somebody hack an aircraft’s systems?  After all, on the face of it, you would expect a banks security systems to be far more secure.  Yet we see banks hacked often.

The cat is out of the bag now that United has taken a stand.  They can’t undo what they have done. In making this policy United, we fear, has put every airline on notice.  And every passenger with IT skills or simply carrying a device into a cabin as well. And no airline is going to be secure enough to defeat repeated attempts at testing their systems by a global army of IT experts.

+ posts

9 thoughts on “Can a passenger hack an aircraft?

  1. No doubt the power point Rangers in the corner offices figured they could save a few pennies by using a common server, for the onboard wi-fi for up dating info for crew, etc. And in germany, as a result of Germanwings crash, mention of capability to control from ground. yes, it can be done. So why not add a server, do some ( non trivial ) re routing via software of inflight entertainment systems such that the only common point is a power supply suitably filtered. No doubt there is currently some software ‘ blocks’ -passwords, etc in place now- but IMO it is just a matter of time before those are compromised/ bypassed.

  2. Well, you might take a look at the network architecture of the plane, and which is more vulnerable….
    And I think Boeing has a weak(er) point there on the 787 where, if I’m not mistaking, the architecture is more prone to attacks then Airbus’ A350, where things are totally seperated. This might become an important sales argument in the future. Basic rule. Don’t want any attacks? Don’t connect.

  3. DO178B Level A and B (Flight Critical Systems) have protection that is impervious to some random hacker who simply knows a programming and manipulate code can change the course/heading of the FMS and or shut it down! For someone who has wrote the systems architecture and code I find it ridiculous

  4. So you are saying it cant be hacked except by a pro ? Just like RSA security and other systems that couldn’t be hacked or compromised. and that NO one can hack or disturb various input devices like altimeters, AOA, gps coordinate systems, displays, etc.

    And that there are NO pros who would bother to try ? granted a casual high school nerd probably cant hack the system.

    ” I’m sorry dave- I cannot allow you to do that “

  5. arbe15- by hacking if you mean alter the flight course or other maliciously intended modification or disablement, then no. If you study any of flight data busses used as well as the other flight critical avionics LRUs (FMS, FCC/FCM, TCAS, ADIRU/ADIRS….etc) they have code that cannot be modified by someone hooking a computer to an IFE seat box

  6. Then why would the FAA and other agencies put out public warnings, and why would United refuse to allow someone (claimed expert) to boar? granted its one thing to read the sensors thru the bus, and another to spoof them.

    Industrial senors and micro controllers can be hacked- spelled stuxnet for example.

    Bottom line is – IMO that any-all computer code will have ‘bugs’ despite best efforts. The only sure way is to totally isolate the systems AND provide appropriate shielding for EMP or similar interference and the equivalent of Denial of service attacks.

  7. I have not seen any FAA warnings or other messages from other regulatory agencies. What UA did is a customer service issue, not based on any technical merits. Airlines do a lot of “abnormal” and “weird” service behavior and that doesn’t make it right. Have you seen Boeing or any other OEMs coming out with any statements (one way or another)? That is because this is just noise and the folks that build and certify and flight critical systems know how impervious the systems are.

    I would highly encourage you to talk to some experts that design and certify avionics systems for Part 25 aircraft. Satcom (access for pax wifi) has been flying for at least 10 yrs now

  8. Feds Warn Airlines About Potential Hacks to Flight Systems …
    http://www.nbcchicago.com/…/chris-roberts-airline-hacking-3011...
    WMAQ?TV
    22 hours ago – Feds Warn Airlines About Potential Hacks to Flight Systems … report and warned that the FAA needs to do more to protect airline passengers.

    Feds Warn Airlines About Potential Hacks to Flight Systems
    NBC 5 Investigates last year first reported about the possible flaw in the in-flight entertainment system that allows some planes to be hacked
    By Tammy Leitner and Lisa Capitanini
    View Comments (0) | Email | Print

    Federal authorities this week issued an alert to airlines warning them to be extra vigilant about protecting their systems from tampering and intrusions. NBC Chicago’s Tammy Leitner investigates. (Published Thursday, Apr 23, 2015)
    Updated at 6:40 PM CDT on Thursday, Apr 23, 2015
    Federal authorities this week issued an alert to airlines warning them to be extra vigilant about protecting their systems from tampering and intrusions.
    The alert from the TSA and the FBI was sent privately to airlines just days after a security researcher claimed to have hacked into a United Airlines flight, Wired reported Tuesday.
    “I did not think it would create quite the controversy that it has done,” the researcher, Chris Roberts, told NBC News.

    Source: http://www.nbcchicago.com/investigations/chris-roberts-airline-hacking-301145971.html#ixzz3YGKz4fra
    Follow us: @nbcchicago on Twitter | nbcchicago on Facebook

    ++++

    However, FAA reports that the technique described would not allow a hacker to use the FMS to prevent a pilot from overriding the aircraft’s autopilot system. “The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed,” FAA said.

    – See more at: http://www.aviationtoday.com/av/web-exclusives/FAA-Dismisses-Aircraft-FMS-Hacking-Claim_78985.html#.VTqtFmRVhBc

    So NOT FULL control ?? Bcrat speak for ‘ we dont know for sure ” and define ‘ full’ control.

    My point is that there are enough uncertainties involved, plus NOT wanting to publicize IF there is a way … etc.

    We dont know what we dont know.

  9. None of the above are directly from FAA or other AVIATION (FBI and TSA don’t know aircraft data bus and system architecture) regulatory authorities

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.