Airlines Are at Risk of Being Hacked, GAO Warns

Can an attacker jump from an in-flight entertainment to control an aircraft's avionics? A GAO report claims yes.


A report published on April 14 by the U.S. Government Accountability Office (GAO) details alleged risks in air traffic control and aircraft avionics systems that could enable a hacker attack.

"Modern aircraft are increasingly connected to the Internet," the GAO stated. "This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems."

The report noted that while the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control (ATC) systems, "significant security-control weaknesses remain." The GAO warned that one of the challenges the FAA faces is that it has not developed a complete cyber-security threat model for protecting ATC systems.

The idea of weakness in ATC and airline security is not a new one. At the Black Hat USA 2014 conference, a session was given on hacking airplane satellite communications by Ruben Santamarta, principal security consultant for IOActive. Regarding the new GAO report, he said it is useful to help raise awareness.

"New air-to-ground technologies will equip modern aircraft with a new set of capabilities," Santamarta told eWEEK. "However, in terms of security, this poses a major challenge."

While airplane and ATC hacking has not been publicly reported as something that has actually happened, Santamarta noted that in his view and that of IOActive, it is better to approach potential attacks proactively, instead of waiting until something happens.

One of the risks the GAO warns about is the possibility of an attack that could jump from an in-flight system to an aircraft's avionics system.

"There are cases where it would be physically impossible to perform such an attacks, while others remain feasible," Santamarta said. "The ability to cross the red line between passenger entertainment-owned domains and the aircraft control domain heavily relies on the specific devices, software and configuration deployed on the target aircraft."

One of the main concerns, according to Santamarta, are the communication devices, such as those used for Satcom (satellite communications) that are shared between different data domains. "Therefore, this equipment might be used to pivot from in-flight entertainment systems to certain avionics," he said. "Anyway, aircraft's security posture needs to be analyzed case by case."

Santamarta added that IOActive is actively researching the security of in-flight entertainment systems and avionics. "We're helping our aviation clients to secure their systems, devices and applications so they can keep a solid position to face these technological challenges," he said. "IOActive is always trying to keep one step ahead and will share our findings, as we have done before, with the community whenever it may be possible."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.