How serious is a cybersecurity consultant’s claim that he hacked into airliner computer systems and controlled an aircraft engine during a flight?
It could happen, according to a Government Accountability Office report issued last month.
The GAO said hundreds of planes flying commercially today could be vulnerable to having their onboard computers hacked and remotely taken over by someone using the plane’s passenger Wi-Fi network, or even by someone on the ground.
The FBI is investigating statements by Chris Roberts about airplane hacking. Agents detained him in April following a United Airlines flight to Syracuse, New York, after officials saw Twitter posts in which he talked about hacking the plane on which he was traveling. No charges have been filed.
During FBI interviews in February and March, federal court document say, Roberts told investigators he hacked into in-flight entertainment systems aboard aircraft. He claimed to have done so 15 to 20 times from 2011 to 2014.
He also said, according to the document, that once he had hacked into the systems and then overwrote code, enabling him to issue a “CLB,” or climb, command.
One of the plane manufacturers has cast doubt on his claims.
Boeing said its entertainment systems are “isolated from flight and navigation systems.” Boeing also said its planes have more than one navigational system and that “multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”
One of the GAO report authors noted that although modern aircraft could be vulnerable, there are a number of redundancy mechanisms built into the plane systems that could allow a pilot to correct a problem.
The GAO report said someone would have to bypass the software firewall that separates the Wi-Fi from the rest of the plane’s electronics.
GAO Investigators said they spoke with four cybersecurity experts about the firewall vulnerabilities, “and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.”
The report concludes that the FAA needs to work on certification of aircraft avionics that will account for these vulnerabilities and remove them as possible threats to commercial aviation.