German and US authorities are starting to take the threat of airline hacking seriously. According to Der Spiegel, recent events have led drawn attention to the warnings hackers have spoken of for years.
Chris Roberts, a US security researcher was removed from a United Airlines flight in April for tweeting about security vulnerabilities. Roberts claimed he had hacked the entertainment system on his flight.
According to Wired, FBI search warrant documents show Robert is said to have issued a command to make a plane change course in February, and the engines reacted. Roberts admits to hacking entertainment systems on flights numerous times.
Two years ago, the European Aviation Safety Agency (EASA) was told of the weaknesses existing in cockpit computers. Hugo Teso, a Spanish hacker and pilot demonstrated this by sharing how he bought parts from aviation suppliers on Ebay, highlighting the access people have to aviation goods. He then successfully stimulated a data exchange between air traffic control and passenger planes. Teso has also demonstrated how to hack an airline from a smartphone app.
Hugo Teso speaking at Hack in the Box Security Conference in 2013
Airlines and airplane manufacturers play down the risk, but hackers have long been aware of these weaknesses, and cockpit computer weaknesses have been a topic at many hacker conferences.
In May, United Airlines grounded US flights for an hour after issues with flight plans. Wired speculates this may have been the result of a hacking.
In June, 10 Polish planes were grounded after flight plan systems of LOT airlines were accessed by hackers. The flight plan-delivery protocol used by every airline was the reported weakness.
“We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry,” LOT’s Adrian Kubicki told the BBC at the time.
The FBI investigation into Roberts has forced the conversation to address this vulnerability. Roberts has previously spoken to Boeing and Airbus about weaknesses uncovered during his extensive research into airplane networks, but didn’t receive an adequate response.
In April, the TSA and the FBI issued an alert to airlines, advising them to be on the lookout for people trying to connect with the network ports, and to report any suspicious activity or signs of system tampering. Passengers were originally told to put laptops away during take off and landing because of the risk of laptops causing injury in turbulence, but now hacking is another reason for attendants to ensure everyone follows the rule.