“Avionics systems have a limited surface area to attack remotely purely by the nature of the architecture.” Kiley tells CSO. “Avionics systems do go through extensive review by both the manufacturer, industry and the FAA, but these reviews do not exclusively focus on security but are heavily focused on safety.”
Enhancing safety is why modern aircraft avionics systems are so heavily networked. But this trend has not kept pace with the need for enhanced cybersecurity, warns the Thales Group in a blog post. “The aviation industry has reaped the benefits of digitization over the past ten years, but this has also triggered new risks, including social and technical vulnerabilities that had never previously been addressed,” it said.
However, Sean Reilly, VP of air transport management and digital solutions at the ground-to-aircraft broadband service provider SmartSky Networks, disagrees with this negative assessment. “Security protocol on avionics is actually very, very stringent,” says Reilly. To bypass it, a hacker would need to understand the fundamentals of an ARINC 429 bus, which is basically an aircraft’s main data bus, plus insider knowledge of what’s actually inside “the software layer on top of that piece of avionics and be able to tie into” it, he explains. “It’s not just something you can go in and grab at the end of the day.”
Why inflight internet access could be a problem
Ask cybersecurity experts about known hacks of commercial aircraft, and chances are they’ll cite white hat hacker Chris Roberts. According to a 2015 article on Wired.com, “Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight.”
An FBI affidavit filed by Special Agent Mark S. Hurley in support of the Bureau’s seizure of Roberts’ iPad, MacBook Pro, and various storage media stated that Roberts had hacked into various commercial aircraft’s IFE systems by opening up the seat electronic boxes under the seat and connecting his laptop to them using a CAT6 cable.
“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command,” said the FBI affidavit. “He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways moment of the plane.” In fairness to Roberts, the 15-20 IFE hacks he performed while flying on selected Airbus and Boeing aircraft between 2011 and 2014 were done “because he would like the vulnerabilities to be fixed,” the FBI affidavit says.