Thread: Hackers Could Commandeer New Planes Through Passenger Wi-Fi

http://www.wired.com/2015/04/hackers...ssenger-wi-fi/

Seven years after the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.
A hacker would have to first bypass a firewall that separates the Wi-Fi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design, security experts have warned for years, is to air gap critical systems from non-critical ones—that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system. As the report notes, because the Wi-Fi systems in these planes connect to the world outside the plane, it opens the door for malicious actors to also remotely harm the plane’s system.
“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” according to the report.
Members of the House Transportation and Infrastructure Committee requested the report from the GAO out of growing concern that modern transportation systems, including planes, trains and automobiles, are becoming increasingly computerized and therefore susceptible to some of the same vulnerabilities and attacks that have long plagued desktop and laptop systems.
Boeing responded to the GAO report with a statement saying that a pilot manual override system would prevent someone from successfully commandeering its planes in this way.
This is not the first time the issue of aviation Wi-Fi security has come up for Boeing. In 2008, while Boeing was in the final stages of production on its new Dreamliner line of planes, the Federal Aviation Administration issued a report directing Boeing to address concerns about the passenger Wi-Fi system. The report was a “special conditions” document that the FAA produces whenever it encounters new aircraft designs and technologies that aren’t addressed by existing regulations and standards.
That report was pointing out the same problem that’s getting the company in trouble today. Boeing’s design for the Dreamliner’s Wi-Fi network, the FAA noted in the document, connected it to the plane’s control, navigation and communication systems, thereby establishing “new kinds of passenger connectivity to previously isolated data networks” that are critical to the safe operation of the plane. The FAA called on Boeing at the time to demonstrate that it had resolved this issue before the new line of planes could be put into service.
Boeing spokeswoman Lori Gunter told WIRED in 2008 that the company did indeed design a solution to address the FAA concerns. She wouldn’t go into detail about how Boeing was tackling the problem but said Boeing was employing a combination of solutions that involved some physical air-gapping of the networks as well as software firewalls. “There are places where the networks are not touching, and there are places where they are,” she had said.
Gunter added that although data could pass between the networks, “there are protections in place” to ensure that the passenger internet service didn’t access the maintenance data or the navigation system “under any circumstance.”
But security experts had warned at the time that software firewalls were still insufficient to separate critical networks from the Wi-Fi network.
It’s unclear if the authors of the new GAO report tested or examined Boeing’s solution and found it was still vulnerable to hacking or if they simply based their report on statements from experts that any design that doesn’t involve complete air-gapping of networks is vulnerable to hacking.
Boeing responded to the GAO report with a statement saying that “Boeing airplanes have more than one navigational system available to pilots” and that “[n]o changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”
Airbus also released a statement, which said only that it “constantly assesses and revisits the system architecture of our products, with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

Joke tweet sparks debate over airline computer security


A joke tweet has sparked debate over whether hackers can get access to an airline's avionics system through a plane's Wi-Fi system.
(Alaska Airlines)

By HUGO MARTIN contact the reporter

• 
  

A government study says airline computers may be vulnerable to hacks

Airlines and manufacturers downplay the risk of hacks getting in through a Wi-Fi system


When it comes to security, airlines have never been known for their sense of humor.

lRelated
BUSINESS Top airline: Virgin America, report says SEE ALL RELATED

That became particularly apparent this month to a cybersecurity expert who joked during a flight about hacking into a commercial airplane’s avionics computers through its wireless Internet system.

It prompted a quick response from airlines, plane manufacturers and onboard Wi-Fi makers who insist that it cannot be done. Security experts say nothing is impossible.

Safety risk of shrinking airline seats questioned

The debate erupted after cybersecurity expert Chris Roberts, founder of One World Lab in Denver, sent a tweet while he was a passenger on a United Airlines flight, suggesting he could hack into the airline’s onboard system to trigger the oxygen masks to drop.

When he landed in Syracuse, N.Y., FBI agents were waiting to question him and confiscate his electronic devices, according to astatement from Roberts’ attorneys.

United Airlines, too, was not amused and banned Roberts from flying on the carrier.

Roberts’ tweet came a day after the U.S. Government Accountability Office released a report saying modern planes are increasingly connected to the Internet, opening the risk that hackers could access the aircraft’s avionics system. The GAO recommended more cooperation among federal agencies to study the threat.

United Airlines released a statement about Roberts, saying, “We are confident our flight control systems could not be accessed through techniques he described.”

Global Eagle Entertainment, a Los Angeles-based company that provides onboard Wi-Fi, entertainment and technology for 150 airlines worldwide, said it is not possible to hack into the airline’s avionics system through its Wi-Fi because the two systems do not share any wiring or routers.

Airline manufacturers Boeing Co. and Airbus both issued statements downplaying any hacking vulnerability.

Still, the FBI and the Transportation Security Administration posted a notice to the nation’s airlines, warning them to be on the lookout for any “suspicious activity involving travelers connecting unknown cables or wires to the [in-flight entertainment] system or unusual parts of the airplane seat.”

The notice was first published by Wired Magazine.

The FBI declined to elaborate, saying only that the agency “routinely provides information to private industry in order to help partner entities remain aware of observed or reported threats.”

http://www.latimes.com/business/la-f...424-story.html