GAO Report Finds Airplanes With WiFi Connections May Be Vulnerable To Cyber Attacks

Just as a report found in early February that the newest models of connected cars aren’t adequately guarded from security and privacy hacks, a new report from the U.S. Government Accountability Office found the same issue currently plagues another transportation segment: flying.

The recently released GAO report [PDF] identified several emergency cybersecurity weaknesses faced by the Federal Aviation Administration, including the fact that hundreds of commercially flown planes – such as the Boeing 787 and Airbus A350 – may be vulnerable to hacking over their interconnected WiFi systems.

The report, which was initiated as a review of the FAA’ cybersecurity efforts, comes at a time when the agency is transitioning to the Next Generation Air Transportation System (NextGen) that will move the current radar-based air traffic control (ATC) system to one that is based on satellite navigation and automation.

In reviewing the FAA’s systems, the GAO report notes there are several cybersecurity weaknesses that “threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.”

Chief among the weaknesses is the increased internet connectivity aboard aircraft.

“This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems,” the report states. “According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.”

While the FAA has taken steps to increase airplane security through the use of firewalls separating the passenger WiFi from the plane’s avionic systems, experts tell investigators that could also be breached.

“Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” the report states. “The experts said that if the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”

Pointing to additional weaknesses, a cybersecurity expert tells the GAO that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.

In addition to vulnerabilities over interconnected WiFi networks, the report found that planes could also be vulnerable though a physical connection made by a USB plug.

Security experts tell GAO investigators that if the wires of a USB ports in a passengers’ seats is anyway linked to the plane’s avionics, it would be considered a cybersecurity vulnerability.

Although the GAO points out that the FAA has made strides in protecting aircraft from hacking vulnerabilities by clarifying cybersecurity roles and responsibilities among multiple FAA offices, such as creating a Cyber Security Steering Committee to oversee information security, members of Congress are urging the FAA to address the issues immediately.

Oregon Representative Peter DeFazio, ranking member of the House Transportation and Infrastructure Committee which requested the GAO investigation, tells CNN that the report has exposed serious threats to aircraft in flight.

To better protect passengers and crew members, he says the FAA “must focus on aircraft certification standards that would prevent” the possibility of an aircraft being hacked.

Keith Washington, acting assistant secretary for administration with the FAA sent a response letter to the GAO maintaining that the FAA takes the risk of cyberbased threats very seriously, CNN reports.

“It is also important to note that the FAA had already initiated a comprehensive program to improve the cybersecurity defenses of the NAS (National Airspace System) infrastructure, as well as other FAA mission-critical systems,” he said in the letter. “We are significantly increasing our collaboration and coordination with cyber intelligence and security organizations across the federal government and in the private sector.”

Both Boeing and Airbus, the two largest makers of commercial airplanes, provided statements to CNN saying they are committed to ensuring the design of secure aircraft.

GAO: Newer aircraft vulnerable to hacking [CNN]
FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen [Government Accountability Office]