Hugo Teso may not win the prize for having the most familiar household name but he is certainly on the minds of aviation cyber security folks. In recent months Hugo has made the rounds in the hacker community for presentations claiming to show how airliners can be hacked. Hugo may have made a name for himself in the niche hacker world but he has also been widely discredited within government, aviation manufacturing, and the security world for peddling a very flawed theory.
In a nutshell, the probability of an airliner being hacked and controlled effectively enough to create a catastrophic outcome is remote. Why? First, there is technical, practical, and operational implausibility. Second, not all vulnerabilities lead to an effective compromise by an attacker. Keep in mind that one of the longest-standing strategies among security professionals is to make an asset secure enough that an attack on it is not worth the effort, or so expensive that the payoff does not justify the cost.
Today’s modern airliners are highly complex in an information technology sense. A Boeing 777 or an Airbus A330, and newer models, are flying networks of wired and wireless data links. Airliners carry multiple data networks on board to serve a variety of functions. There are networks that actually control the movement of the aircraft (the engines and the control surfaces). There are networks which provide navigation and maintenance information to the crew and to an airline’s operations center. There are passenger service networks which run the inflight service and entertainment systems. And there are many external wireless communications links which support crew communications, passenger Wi-Fi, data links to airport services, and more. These contemporary aircraft are so wired that there is a term for them: “e-Enabled Aircraft”.
So with this multitude of networks there are bound to be lapses and vulnerabilities somewhere in the code or the system, right? Sure; that is inherent in any large networked system, IP-based or otherwise. What has emerged within the past 10 years or so is a constant game of “Whack-A-Mole” between the security professionals fixing software holes and the bad guys looking for holes to exploit. The good news is that, while a few vulnerabilities may be a real concern and need immediate attention, taking complete remote command of an aircraft requires so much more, along with a great deal of luck, that it is almost impossible to achieve. Let’s look at some major reasons why.
First, there are the technical constraints. For an airliner to be “hacked” so that it can be flown remotely, the attacker needs remote access to the flight management computer (FMC) in order to program heading, speed, altitude, navigation or performance commands into the autopilot. Both systems are highly redundant by design to preclude catastrophic failure. No small feat, since there are several factors the attacker must overcome:
- Direct wireless access from the ground requires an RF (radio frequency) link with line of sight to the aircraft. A modern airliner covers more than 400 miles per hour over the ground, so an attacker at a fixed location has a bounded and constantly moving window in which to hold a usable link, push his code to the aircraft and act on it, and terrain and atmospheric conditions eat into that window.
- If an attacker somehow, miraculously, establishes a connection through other means and injects remote commands into the FMC, he then needs to fool both the pilots and air traffic control into thinking everything is normal. Again, not a realistic scenario, because competent pilots and controllers operate in an environment of procedures and redundancies. Experienced pilots know their routes and navigation procedures well enough that anything outside the expected flow of activity gets their attention. Further, commercial aviation in the U.S. is filled with redundancy requirements for aircraft and pilot alike. Pilots are required to carry paper or some other form of back-up navigation charts, flight plans, aircraft performance sheets, and so on. They also have standby instruments in the cockpit which operate independently of the computerized “glass” displays. Pilot review and approval of FMC inputs and changes is deliberately designed into the process so that the human element has the final say over what the aircraft’s navigation and performance computers are told to do. No change is executed in the flight computer unless a pilot explicitly accepts it with a key press, and that approval step is routinely cross-checked by the other pilot in the cockpit; airlines require it precisely to catch human error during data entry. It should be noted that there is now discussion about using broadband connectivity pipes to load system software. That requires the stakeholders to ensure that aircraft networks are designed with adequate segregation between the cabin and the cockpit, that the loading interfaces are secure, and that every connection to them is properly authenticated.
- If we are dealing with an attacker seated in the cabin and attempting to use the aircraft’s passenger internet or Wi-Fi to reach the flight control systems, law enforcement has a tool to mitigate that threat. The Communications Assistance for Law Enforcement Act (CALEA), enacted in 1994, requires telecommunications service providers and equipment manufacturers to design, modify, and establish features or provisions that support law enforcement functions such as real-time surveillance. Under a further arrangement known as Super CALEA, inflight connectivity providers can, in an emergency, shut off service to the entire plane or to individual passengers or groups without cutting it off for U.S. air marshals. Cutting the cabin link is a response measure, not a substitute for the segregation described above: a passenger already on the cabin network should find no path that routes toward the flight deck in the first place.
- Air traffic control is also a highly automated and procedure-driven environment, so any deviation or abnormality is flagged to the controller, who in turn can ask the crew whether everything is all right. Controllers who staff the scopes in Air Route Traffic Control Centers and Approach Control facilities across the U.S. know the airspace within their coverage area like your dog knows your backyard. The U.S. National Airspace System is a highly complex highway in the sky filled with defined routes and airways, all designed to maximize “flow”, the efficient movement of air traffic through the skies. Any deviation off the established arrival, departure, and cruise routes will be spotted both by the controller and by the automation he or she uses to manage traffic.
- Aircraft manufacturers and government regulators are constantly looking for cyber vulnerabilities in commercial aircraft systems. Any exploitation would require expert-level knowledge of a multitude of avionics systems and how they interact with one another, plus current knowledge of undisclosed vulnerabilities in those systems, which in reality only a relatively small population of engineers and regulatory inspectors would have. In 2010, the FAA expressed concern to Boeing about cyber vulnerabilities in the then-new 747-8/-8F through its aircraft certification oversight process. In that instance, the FAA required Boeing to “ensure that electronic system security threats from external sources are identified and assessed, and that effective system security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.”
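The segregation and authentication requirement raised above in the bullet on FMC inputs (cabin/cockpit segregation, secure loading interfaces, authenticated connections) can be expressed as a small gateway policy. The following is an added illustration written for this page, not code from the post, the FAA, or any aircraft or avionics manufacturer. The domain names follow the ARINC 811 domain model; the allow-list, the service names, the key, the payload and the HMAC-based load authentication are assumptions for the example only.

```python
"""Toy model of an aircraft network gateway enforcing cabin/cockpit segregation.

Added example for this page; not code from the post, the FAA, or any avionics
vendor. Domain names follow the ARINC 811 domain model; the allow-list, service
names, key and payload are constructed assumptions.
"""
from dataclasses import dataclass
import hashlib
import hmac

ACD = "aircraft_control"                       # flight-critical: FMC, autopilot, engines
AISD = "airline_information_services"          # maintenance, operations, flight deck support
PIESD = "passenger_information_entertainment"  # IFE and passenger Wi-Fi
OFFBOARD = "offboard"                          # air-to-ground links


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


# Default-deny allow-list (assumed). Note there is no entry whose source is the
# passenger domain and whose destination is the control domain.
SEGREGATED_POLICY = frozenset({
    (ACD, AISD, "telemetry"),       # flight data outward to maintenance/ops
    (AISD, PIESD, "flight_info"),   # moving-map data into the cabin, one way
    (PIESD, OFFBOARD, "internet"),  # passenger Wi-Fi to the ground link
    (AISD, ACD, "data_load"),       # software load, still subject to authentication
})


def gateway_decision(policy, flow, authenticated=False):
    """'accept' only if the flow is on the allow-list and, when it targets the
    control domain, the sender has also been authenticated."""
    if (flow.src, flow.dst, flow.service) not in policy:
        return "drop"
    if flow.dst == ACD and not authenticated:
        return "drop"
    return "accept"


def sign_load(key, payload):
    """Authenticate a software load with HMAC-SHA256 (stands in for a real
    signature scheme in this example)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_load(key, payload, tag):
    """Constant-time check of the load's authentication tag."""
    return hmac.compare_digest(sign_load(key, payload), tag)


def evaluate_load(policy, flow, key, payload, tag):
    """Gateway decision for a data-load flow carrying an authentication tag."""
    return gateway_decision(policy, flow, authenticated=verify_load(key, payload, tag))


def demo():
    """Run a handful of constructed flows through the policy and return the decisions."""
    key = b"constructed-shared-load-key"   # constructed for the example
    load = b"FMC-NAVDB-constructed-cycle"  # constructed payload
    tag = sign_load(key, load)
    load_flow = Flow(AISD, ACD, "data_load")
    return {
        # Cabin traffic aimed at the control domain is dropped even when marked
        # authenticated, because no allow-list rule exists for it at all.
        "cabin_to_control": gateway_decision(SEGREGATED_POLICY, Flow(PIESD, ACD, "data_load"), authenticated=True),
        "telemetry_out": gateway_decision(SEGREGATED_POLICY, Flow(ACD, AISD, "telemetry")),
        "load_no_tag": evaluate_load(SEGREGATED_POLICY, load_flow, key, load, bytes(32)),
        "load_tampered": evaluate_load(SEGREGATED_POLICY, load_flow, key, load + b"X", tag),
        "load_valid": evaluate_load(SEGREGATED_POLICY, load_flow, key, load, tag),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} {decision}")
```

A real data-load interface would use asymmetric signatures tied to a certificate chain rather than a shared HMAC key, but the two checks the gateway enforces are the point: no rule ever admits cabin traffic to the control domain, and even a permitted load is dropped unless its authenticity can be verified.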
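The air traffic control bullet above says that automation flags any deviation from the cleared route to the controller. The following is an added example of what that conformance check looks like in code; it is not the FAA's software and not code from the post. The route, the clearance, the track reports, the flat-earth geometry and the alert thresholds are all constructed assumptions for this illustration.

```python
"""Toy lateral/vertical route-conformance monitor.

Added example for this page, not en route automation software. The route,
clearance, track reports and thresholds below are constructed; the flat-earth
projection is an assumption that only holds for short legs at mid-latitudes.
"""
import math

NM_PER_DEG = 60.0  # one degree of latitude is about 60 nautical miles


def _project(lat, lon, ref_lat):
    """Flat-earth projection of (lat, lon) to nautical miles around ref_lat."""
    return lon * NM_PER_DEG * math.cos(math.radians(ref_lat)), lat * NM_PER_DEG


def cross_track_nm(point, leg_start, leg_end):
    """Shortest distance in NM from point to the route leg (a segment)."""
    ref_lat = (leg_start[0] + leg_end[0]) / 2.0
    px, py = _project(*point, ref_lat)
    ax, ay = _project(*leg_start, ref_lat)
    bx, by = _project(*leg_end, ref_lat)
    dx, dy = bx - ax, by - ay
    seg_len2 = dx * dx + dy * dy
    if seg_len2 == 0.0:
        return math.hypot(px - ax, py - ay)
    # Clamp the projection onto the segment so the endpoints are handled.
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / seg_len2))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def conformance_alerts(route, cleared_alt_ft, track,
                       lateral_limit_nm=3.0, vertical_limit_ft=300.0):
    """Return (time, kind, magnitude) alerts for reports off the clearance.

    Thresholds are assumed for the example, not taken from any real system.
    """
    alerts = []
    for report in track:
        pos = (report["lat"], report["lon"])
        lateral = min(cross_track_nm(pos, route[i], route[i + 1])
                      for i in range(len(route) - 1))
        vertical = abs(report["alt_ft"] - cleared_alt_ft)
        if lateral > lateral_limit_nm:
            alerts.append((report["t"], "lateral", round(lateral, 1)))
        if vertical > vertical_limit_ft:
            alerts.append((report["t"], "vertical", round(vertical)))
    return alerts


# Constructed clearance: two legs, cruise at FL350.
ROUTE = [(40.0, -75.0), (41.0, -74.0), (42.0, -74.0)]
CLEARED_ALT_FT = 35000

# Constructed radar track reports.
TRACK = [
    {"t": 0, "lat": 40.5, "lon": -74.50, "alt_ft": 35000},  # on the first leg
    {"t": 1, "lat": 41.5, "lon": -74.00, "alt_ft": 35000},  # on the second leg
    {"t": 2, "lat": 41.5, "lon": -74.15, "alt_ft": 35000},  # about 6.7 NM west of the leg
    {"t": 3, "lat": 41.8, "lon": -74.00, "alt_ft": 36000},  # 1000 ft above clearance
]


def demo():
    """Run the constructed track against the constructed clearance."""
    return conformance_alerts(ROUTE, CLEARED_ALT_FT, TRACK)


if __name__ == "__main__":
    for t, kind, magnitude in demo():
        print(f"t={t}: {kind} deviation {magnitude}")
```

Reports that sit on the cleared route at the cleared altitude produce nothing; the one a few miles off the airway and the one a thousand feet high each raise an alert the controller would see, which is the mechanism the bullet above relies on.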
So in order to take remote command of an airliner, an attacker would need a great deal of luck and would have to: (1) overcome system redundancies; (2) overcome geography and physics; (3) overcome pilot and controller procedures and experience; (4) overcome attentive and proactive cybersecurity engineers employed by aircraft and avionics manufacturers; (5) overcome security and airworthiness inspectors at government regulatory agencies; (6) overcome built-in system safeguards; (7) overcome a personal knowledge gap; and (8) have access to very specific information on aircraft systems and hardware. Piece o’ cake, right? Maybe that explains why we haven’t yet seen an airliner hacked in a world full of hacker groups and hacker wannabes. As for Hugo, he is discredited not for what he is theorizing but for what he is not factoring in, and it is those factors, the points made here, that make the effective hacking of an airliner very, very difficult.
There are many security aspects of air travel that concern me but the hacking of the airliner that I am traveling on is not one of them.
Related link: Airlines to tap Boeing’s AHM with broadband connection
About the Author, Rick Charles (@TravelSecurely)
Travel security writer RC is a lifelong airplane geek. He is an international travel risk manager for a global aviation organization based in Washington, DC. He has served in various security, aviation, and risk management roles for close to 25 years. He is a Stanford University/IATA Certified Aviation Management Professional, and an aviation subject matter expert on the Supply Chain and Transportation Security Council of ASIS International, the world’s foremost association for security professionals.