In Flight Hacking, Yet Again … Despite Reports It’s Still Unlikely

Back in early April 2013, Hugo Tess, a German IT security consultant, claimed that he was able to bypass two security flaws in the systems that handle aircraft communications using an Android app. The problem with Mr. Tess' claims was that, while he did hack a real in-flight computer system, it was a replica in a ground-based simulator for flight training, and as such the flight system computer does not have the same security features as those found on board an aircraft.

Now here we are again, with experts again claiming to be able to control aircraft through hacking. This time the claims come from Chris Roberts, a cybersecurity consultant. Mr. Roberts has reportedly told the Federal Bureau of Investigation (FBI) that he has been able to hack into flight systems of aircraft while on board flights as many as 20 times between 2011 and 2014, and is capable of taking advantage of security vulnerabilities on three different types of Boeing aircraft and one type of Airbus aircraft.

Among Mr. Roberts' claims, he says he has been able to hack the in-flight systems and then overwrite the code, allowing him to manipulate the engines to climb, resulting in the aircraft moving sideways during flight.

 

Now here is where there are issues with Mr. Roberts' claims:

1) In-flight entertainment systems on board aircraft come from many different manufacturers. With literally thousands of Boeing 737s flying the skies, they have many different variants and manufacturers of their in-flight entertainment, so what may work on one 737 won't work on another.

2) In-flight entertainment systems, and their related boxes under passenger seats, are not interconnected with the flight computer or navigation computers. The in-flight map information may be shared, but access to the flight controls is entirely different. Should one change the flight computer, that information would need to be manually approved by the pilots.

3) Aircraft have redundant flight computers and controls. The redundancy is not to prevent hacking, but to ensure everything is working the way it is supposed to work.

4) In regard to claiming vulnerability on one type of Airbus … the A318/319/320/321 are all one variant of aircraft. The A330/340 are essentially one variant of aircraft. The only Airbus in the sky that is on its own in their family is the A380 (not counting the brand new A350). So if you knew of a weakness in the A320, that is a vulnerability in four aircraft types … but there are many different types of in-flight entertainment from many different vendors, and these in-flight entertainment systems, as with Boeing, are not related to the flight computers.

 

I would love to see the final results of the FBI investigation, which will likely uncover that Mr. Roberts was in fact playing with a computer onboard the aircraft, but not controlling that aircraft’s engines or flight management.

 

Happy Flying!

 

@flyingwithfish

Comments

  1. Hi. Your first point is irrelevant since the IFE network merely provides transport-level access to the avionics systems. You’re entirely wrong about the second point, as the systems are physically connected, though there are filtering mechanisms in place to prevent certain types of traffic from traversing the boundary. Your third point is true, but also irrelevant as the failover systems are designed to operate in the event of a system failure, which is not what is occurring here. Your fourth point might have some merit, but I don’t really see that as a strong argument by itself against anything.

    Information security is clearly not your area of expertise.

  2. Jonathan,

    Having spoken to two people at Boeing, one person at Airbus and more than one pilot familiar with the aircraft that they fly, I stand by what I wrote.

    Happy Flying!

    -Fish
