Our planes are now 'big flying mobile devices' and top hacking targets

If we don't change our "closed network thinking," the situation could become very serious in the future.
Written by Charlie Osborne, Contributing Writer

A rapid increase in the power and scale of cyberattacks has affected industries worldwide and the aviation sector is no exception.

We've begun to skim the top of what a successful cyberattack against a player in the aviation industry can achieve. In 2015, for example, LOT was forced to cancel 10 flights and delay over a dozen after a successful cyberattack was launched against the Polish airline's ground systems.

We've also seen passport control systems disrupted at Istanbul's Ataturk and Sabiha Gokcen airports and earlier this year, cyberattackers were able to hijack flight information screens and sound systems inside Vietnam's Noi Bai and Tan Son Nhat airports to display their own political messages.

See: China targets aviation industry to spy and steal secrets

Fortunately, there have been no incidents so far which have seriously placed fliers at risk while they are in the air and are the responsibility of air traffic control and pilots.

However, some security experts believe it is only a matter of time before cyberattacks lead to something far more dangerous than a canceled flight or long check-in queue.

Venafi chief cyber-security strategist Kevin Bocek told ZDNet that in many cases aviation computer systems are "more vulnerable to attack than other critical systems such as those used in banking and retail" and are yet to catch up to modern cybersecurity standards.

Booking systems, for example, are updated often and designed with threat defense in mind but other systems -- such as air traffic control and ground-to-aircraft communications -- were created originally to operate over closed networks, and are therefore updated with security improvements and threat signatures less often.

According to Bocek, while modern applications are "built assuming there is no perimeter," the use of outdated software and old, vulnerable code in aviation systems highlight "closed network thinking" which offers fewer internal defenses against attackers that breach a system.

In order to get there, however, attackers need to pick an attack vector.

In-flight Wi-Fi and entertainment systems alongside air traffic control, booking systems and communication systems may be targets. On the aircraft itself, the network topology of the aircraft -- including passenger entertainment and owned devices domains, airline information services, aircraft control domain and data processing systems which all share SATCOM equipment - are also potential areas to exploit.

Ruben Santamarta, principal security consultant at IOActive told ZDNet that an additional problem is that avionics systems should be present in the aircraft control domain, which ideally should be physically separate from passenger network domains.

However, this is not always the case -- and when a physical path between these two network layers exist, the risk of attack increases.

Another issue is the Internet of Things (IoT) and connected networking technology. The introduction of everything from embedded manufactured devices with Internet capabilities to in-flight Wi-Fi is posing a problem as they pave the way for attackers to exploit yet another avenue to infiltrate systems.

Bocek says that airplanes are now basically "big, flying mobile devices," and as such, just as newly-connected smart cars are not ready to repel cyberattacks, nor is the aviation industry.

"While the aviation industry has perfected testing application code to operate aircraft safely, it will take some time and learning to make sure connected aircraft are immune to attack," the executive commented.

There are a number of potential attacks which can be levied against planes and the aviation industry. Phishing campaigns can be used to deploy malware into on-the-ground aviation systems, and insecure radio communications can be targeted using Software Defined Radio (SDR) devices, which are now freely available.

Man-in-the-Middle (MiTM) attacks, for example, occur when a cyberattacker is able to compromise a channel in order to eavesdrop on communications, potentially leading to the theft of data or information which should otherwise be transferred securely.

By intercepting such information, hackers could theoretically deliver instructions to a plane or air traffic control from what appears to be a trusted source, potentially putting fliers in danger.

"One of the biggest risks to the public is if the computer systems are receiving instructions from bad guys who are able to appear trusted or impersonate the communications," Bocek says.

However, as noted by IOActive's executive, pilots are trained to handle high-pressure events like this and a single failure in security does not automatically mean all defenses fall apart.

In addition, such attacks would have to be very specific and keep both the model of the aircraft and airline in mind.

Aviation vendors have not been static while these new security aspects have emerged. Encryption and authentication procedures are being used more often -- an odd concept when you consider how commonplace they are in the devices we carry in our pockets -- and companies such as Boeing and Rambus are working together to develop countermeasures against cyberattacks including differential power analysis (DPA) technologies which prevent vulnerability exploitation.

Bocek commented:

"Vendors and the airlines that operate new e-enabled aircraft still often operate with a disconnected or behind-the-firewall mentality. The aviation will do well to learn from recent attack on Internet-connected devices used to launch attacks or hacks on connected cars.

We must assume attackers are in our networks at air traffic control, the airlines, and even on the planes. [..] While the banking and retail industry have had decades of experience to use digital certificates to safely encrypt traffic and authenticate applications, the aviation industry still has a great deal of learning to do to keep all of us safe."

2016 Holiday gift guide: Top tech, gadgets to give this season

Editorial standards