Vulnerability Management

DefCon: You cannot ‘cyberhijack’ an airplane, but you can create mischief

Hacking a plane and taking control of the aircraft is a considerably scary prospect, but two speakers at DefCon 22 in Las Vegas quashed the notion and put worries to rest.

“Let me get this out of the way to start with,” Phil Polstra, associate professor of digital forensics at Bloomsburg University of Pennsylvania, said. “One thing everyone needs to understand, you cannot override the pilot. You cannot override the pilot's inputs in flight control. That system is closed.”

All aircraft feature unhackable mechanical backup instruments, Polstra said, adding that while someone may be able to affect autopilot operations, attempts will result in alerts and pilots that notice anything will disconnect it.

Additionally, most avionics networks are not connected to anything useful, Polstra said. The popular ARINC 664 is built on Ethernet, but it is never wireless and is not connected to in-flight Wi-Fi or entertainment, he said, adding that someone cannot just send packets.

So what could someone do?

It is possible to compromise the Aircraft Communications Addressing and Reporting System (ACARS), a system used to send messages – about weather, delays, updated flight plans, and maintenance information – between aircraft and ground stations.

By attacking it, someone could attempt to create a bogus flight plan update or bogus weather alerts, Polstra said, but he added it is not very practical.

In a funny video introduced by Captain Polly, associate professor of aviation at University of Dubuque, actors as pilots are shown reaching out to operators on the ground when messages coming in seem fishy, resulting in them ignoring the ACARS.

Also, the ADS-B and ADS-A – which are similar and can be used to improve flying where radar is limited, to send messages, and provide traffic and weather where available – can be jammed, or attacked to create “phantom aircraft” or fake weather reports, Polstra said. 

Ultimately, airlines are very safe, Polstra said, but he added that nearly every protocol used in aviation is unsecured – meaning no encryption – and that there is potential to annoy air traffic control and small aircraft.

“Increasing automation while continuing with unsecured protocols is problematic,” according to Polstra.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.