The chief of Europe's top airline safety agencies warned that cyber-criminals could hack into critical systems on an airplane from the ground.
Patrick Ky, director of the European Aviation Safety Agency, told European aviation journalists at a meeting of the Association des Journalistes Professionnels de l'Aéronautique et de l'Espace (AJPAE) that his organisation had hired a penetration tester to find and exploit vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit messages between aircraft and ground stations.
Over the past two years, there has been an increasing number of cyber-security incidents reported in the aviation industry.
As reported by French newspaper Les Echoes, Ky said the white-hat hacker, who was also a professional pilot, took five minutes to crack the messaging system. It was another couple of days before the same consultant managed to gain access to aircraft control systems.
“For security reasons, I will not tell you how he did it, but I'll let you judge if the risk is high or low,” Ky told reporters.
According to the report, research conducted by the International Civil Aviation Organisation last year said that as aircraft navigation and other control systems are effectively separated from non-critical systems such as entertainment, that the risk of hacking critical systems was low.
But experts rejected this and warned that because ACARS uses a proprietary encoding/decoding scheme in use since 1978, this was not designed with cyber-security in mind and therefore vulnerable to attack.
Ky said that the next generation of air traffic management systems such as the Single European Sky ATM Research, or Sesar, will need protecting. Sesar relies a lot on satellite-based communications, navigation and surveillance systems.
“With the introduction of SESAR and the possibility for the air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied,” said Ky. “We need to start by putting in place a structure for alerting airlines on cyber-attacks.”
He said in the longer term, the EFSA, which is responsible for making sure aircraft are safe, could also certify airline equipment against being hacked.
Mike Westmacott, cyber consultant at Thales UK, told SCMagazineUK.com that as the article does not disclose the attack vectors, tools or techniques used, it is impossible to determine the level of risk associated with the claims.
“It is, however, possible to present levels of risk for theoretical situations. If the penetration tester (who was also a pilot) was able to obtain access to the ACARS message system from the on-plane public Wi-Fi, or from any facility that the public has access to, then the risk would be substantial – and any aircraft exposing such a vulnerability would likely be immediately grounded,” he said.
“If on the other hand the tester (as a pilot) was able to use a connection that was restricted access (physically – such as in the cockpit or staff areas) then the risk is reduced, potentially significantly.”
Westmacott added that airlines must ensure that safety critical systems and control networks are segregated from publicly accessible facilities, and that aircraft designs and their systems are subject to a full and thorough risk assessment and suite of technical assessments.
Trey Ford, global security strategist at Rapid7, told SC that a simple review of message validation and workflows around questionable or suspected manipulated communications would effectively manage this.
“The workflows already exist, but not with an expectation of malice as much as failed equipment,” he said.
Carl Herberger, who looks after security solutions for Radware, used to be in the US Air Force and was an Electric Warfare Officer on B52 bombers. He told SC that an attack on airplanes was “absolutely possible”.
“It's long been recognised that hackers can get access to the Aircraft Communications Addressing and Reporting System (ACARS). In fact, in 2013 it was proved that the ACARS could be intercepted and hackers could sabotage this communication channel via a purpose-built Android app. It's possible because this system does not have any real authentication features nor prevention of spoofed commands build in,” he said.
He added that Boeing warned the US government about it with regards to its Boeing 777 when it was seeking certificates for airworthiness. It said at the time that the way the on-board network is designed doesn't allow for cyber-security, added Herberger.
“Security professionals have long understood the threat that embedded systems create for modern day critical infrastructure – the airline industry is no different. There needs to be collaboration between the industry, security experts, aviation authorities and governments to test and protect these systems but above all drive best practice for detecting and mitigating attacks into the engineering, to ensure public safety is built in well before the plane has left the drawing board,” said Herberger.
