How easy is it to hack an airplane?

  • By Andrea Peterson The Washington Post
  • Tuesday, April 21, 2015 1:22pm
  • Business

Chris Roberts knows a lot about hacking planes, but not because he’s trying to make them fall out of the sky. His job as a security researcher is to prevent those types of breaches from happening – whether’s it’s on a plane or in a major retailer’s computer system.

But a tweet joking about “playing” with a plane’s on-board communications systems made while Roberts was on a United Airlines flight last week landed him in hot water. The FBI questioned him for several hours after he landed, and confiscated his laptop and hard drives. Over the weekend, he was blocked from boarding another United flight while on the way to speak at a security conference.

Roberts was able to book a last-minute flight on another airline. But his research raises a bigger question: How hackable are the planes that millions of worldwide travelers rely on? The answer, it turns out, is up for debate.

Planes are increasingly designed to give passengers more access to technology, mostly through in-flight WiFi. But connectivity may have a dark side. Last week, the Government Accountability Office released a report saying that security researchers have warned that this trend leaves planes less secure by providing a “direct link” between an aircraft and the outside world that could be leveraged by hackers.

Keeping flight-related and entertainment systems separate can be one way to limit an attacker’s access, but not all planes are designed with that in mind. In 2008, the Federal Aviation Administration expressed concern that the Boeing 787 Dreamliner combined some of that digital infrastructure – saying that the design “may result in security vulnerabilities.”

Modern planes use digital defenses called firewalls to protect critical technology used during flight against intrusions from someone who has gained access to other parts of the aircraft such as in-flight entertainment systems, the report said. Some cybersecurity experts worry that isn’t enough, arguing that “because firewalls are software components, they could be hacked like any other software and circumvented,” according to the report. (Some critics of the report say it may have overstated the risks.)

Boeing and competitor Airbus have defended the security of their systems. “Multiple security measures and flight deck operating procedures help ensure safe and secure airplane operations,” Boeing said in a statement to CNN in response to the GAO report.

But over the years, many researchers have warned about potential problems – including Roberts, the founder of One World Labs, who has given several talks about airplane cybersecurity.

Brad “RenderMan” Haines, a researcher who has investigated potential vulnerabilities in aircraft tracking systems, said limited access to the technology can make comprehensive audits difficult. “A lot of our research we can only take so far because we don’t want to cause problems – but all of the evidence seems to point to there being issues that remain unresolved,” he said.

In an interview with CNN after being detained by the FBI, Roberts said he tested theories about how much visibility into avionic systems he had from the passenger cabin – pulling out his laptop and connecting it to a box underneath his seat 15 to 20 times on flights – and was able to view sensitive data. That interview, combined with the tweet, seems to have set off alarm bells at United.

“Given Mr. Roberts’s claims regarding manipulating aircraft systems, we’ve decided it’s in the best interest of our customers and crew members that he not be allowed to fly United,” United spokesman Rahsaan Johnson told The Washington Post. “However, we are confident our flight control systems could not be accessed through techniques he described.”

The Electronic Frontier Foundation, which represents Roberts, called United’s decision “both disappointing and confusing.”

“Security researchers are allies, not opponents, and their work makes us all more safe, not less,” EFF staff attorney Nate Cardozo said. “We fear that United’s actions here will cause a real chilling effect, and that researchers will be less likely to help United improve their security in the future based on its over reaction to Mr. Roberts’s statements.”

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.