US government researchers believe it is only a matter of time before a cybersecurity breach on an airline occurs, according to government documents obtained by Motherboard. The comment was included in a recent presentation talking about efforts to uncover vulnerabilities in widely used commercial aircraft, building on research in which a Department of Homeland Security (DHS) team successfully remotely hacked a Boeing 737.
The documents, which include internal presentations and risk assessments, indicate researchers working on behalf of the DHS may have already conducted another test against an aircraft. They also show what the US government anticipates would happen after an aircraft hack, and how planes still in use have little or no cybersecurity protections in place.
“Potential of catastrophic disaster is inherently greater in an airborne vehicle,” a section of a presentation dated this year from the Pacific Northwest National Laboratory (PNNL), a Department of Energy government research laboratory, reads. Those particular slides are focused on PNNL’s findings around aviation cybersecurity.
“A matter of time before a cyber security breach on an airline occurs,” the document adds.
A separate 2017 document obtained by Motherboard says “early testing indicates that viable attack vectors exist that could impact flight operations.”
Motherboard obtained the documents through a Freedom of Information Act request to the DHS Science & Technology Directorate (S&T).
In 2016, the DHS S&T established a multi-agency group to carry out cybersecurity vulnerability evaluations of airplanes. That same year, the team of government, industry, and academic officials demonstrated how to remotely hack a commercial aircraft in a non-laboratory setting, trade publication Avionics reported last year. Robert Hickey, the DHS S&T’s aviation program manager, said the details of that hack are classified, but added that the team accessed the aircraft’s systems through radio frequency (RF) communications and equipment that could be passed through airport security, according to the original Avionics report.
The documents obtained by Motherboard suggest the DHS-backed team may have already conducted another test against an aircraft. Listed in a 2016 DHS presentation are several planned tests, including “external RF,” seemingly referring to the previously reported test. The document then mentions another test, this time focused on Wi-Fi and in-flight entertainment systems, and designated to the PNNL researchers.
PNNL’s own presentation, dated January 10, 2018, indicates it attempted to hack the aircraft via “Wi-Fi internet & information distribution system.” One line in the presentation adds “Validated: establish actionable and unauthorized presence on one or more onboard systems.” However, another line reads “Disproved (partial): unable to penetrate via selected access vector,” making exactly what PNNL achieved unclear.
PNNL directed a request for comment to the DHS’ National Protection & Programs Directorate (NPPD). The DHS told Motherboard in a statement that it "takes aviation cybersecurity seriously and works with both researchers and vendors to identify and mitigate vulnerabilities in the aviation sector. The aviation industry, including manufacturers and airlines, has invested heavily in cybersecurity and built robust testing and maintenance procedures to manage risks."
In a 2015 application for a search warrant, an FBI agent wrote that security researcher Chris Roberts said in an interview he had hacked the in-flight entertainment system of an aircraft, overwritten code on the plane’s Thrust Management Computer while on the flight, and caused the plane to briefly change course. A report from the US Government Accountability Office released that same year said some Boeing and Airbus planes have Wi-Fi networks for passengers that are connected to the avionic systems of the aircraft themselves.
The DHS has withheld large sections of the files under exemptions dealing with, among other things, protecting trade secrets and information intended for law enforcement purposes.
But other sections of the documents obtained by Motherboard indicate some of the issues researchers may have encountered while probing aircraft for vulnerabilities.
“Today’s commercial aviation backbone is built upon a network of trust; most commercial aircraft currently in use have little to no cyber protections in place,” a 2016 DHS presentation says. Boeing estimates a 20-year-plus service life for its current aircraft, which means “15-20 years of higher cyber vulnerability,” the DHS document adds.
In a statement, Paul Bergman, media relations lead for Boeing Commercial Airplanes, told Motherboard “Boeing is confident in the cyber-security measures of its airplanes. Multiple layers of protection, including software, hardware, network architecture features, and governance are designed to ensure the security of all critical flight systems from intrusion.”
The documents also spell out various impacts the DHS foresees from a hack of an aircraft, including “create conditions where public perceives there is risk to aircraft operations”; a disruption to air cargo for both commercial and military operations; and effects on a competitor if a single airline is targeted.
“Due to the nature of this testing, any potential vulnerabilities discovered could have wide-ranging and significant economic impact to industry stakeholders [and] to the aviation transportation community,” another 2017 risk assessment document reads.
Indeed, the 2016 DHS presentation says the agency anticipates “significant reluctance by the commercial world to expend resources to prevent penetration & attack.” (Boeing’s statement to Motherboard added “The Boeing Company has worked closely for many years with DHS, the FAA, other government agencies, our suppliers and customers to ensure the cybersecurity of our aircraft and will continue to do so.”)
According to one of the documents, last year the DHS team planned to begin moving from penetration testing to mitigation development.
John Hultquist, director of intelligence analysis at cybersecurity firm FireEye, told Motherboard that "In the instances where we have seen targeting of airports, the targeting was done by actors who we believe were carrying out reconnaissance for attack. Airlines have been targeted as well. The information they have could be valuable to an actor seeking to identify and track persons of interest." Hultquist recently tweeted "The actors who shut off the lights twice in Ukraine and caused over a billion dollars in economic damage with NotPetya have probed airports," referring to a likely Russian hacking group.
"We have no information suggesting there has been any attempt by nation state actors to hijack or manipulate airplanes. Even if such a thing were possible, the repercussions from such an operation would probably dissuade the most sophisticated nation states," he told Motherboard.
A slide from one of the public talks given by the DHS’s Hickey, also included in the document cache, reads, “Some things are too important NOT to share.”