It is possible to gain access to an aircraft’s systems from the outside, according to a report from a team of DHS experts. For perhaps obvious reasons, any details about the attack are classified, but reports still leave a bitter aftertaste. In the end, things come down to money yet again.
The website „Defense Daily Network“ states that the expert team only used tools which would raise no suspicions during an airport security check. Furthermore, no physical access and no insider was required to successfully compromise the systems. The details about the type and extent of the attack are kept under wraps. The only disclosed information is that radio communications played a part in accessing the aircraft’s systems. Nearly every aircraft has those systems in place. This leaves a lot of room for speculations. What we can say for sure is that experts have come across a problem which is going to be very difficult to address. The machine used for this test was a legacy Boeing 757. The scenario itself is not new – the automotive industry is familiar with it, too. They had their rude awakening in 2015, when reports on the infamous Jeep hack emerged. So, as much as cars are networks on wheels, aircraft are basically IT systems in the air. Any components used in a passenger aircraft need to comply with a very strict set of security guidelines before being considered fit for use. Regular maintenance checks after a fixed number of operating hours are compulsory.
What is normally not undergoing maintenance during those routine checks, which can cost several hundred thousand Euros, is the software that controls the aircraft’s critical components. In general, aviation software seldom undergoes any changes, as each piece of software requires a certification for use in aircraft. Similar to what is done for medical devices, those certification processes are very costly and take a long time to complete. Therefore, any major changes are introduced „in bulk“, so as to prevent having to re-certify a software for each minor change. As long as it can economically be justified, an aircraft might receive a completely new avionics package during a major overhaul – but those are basically delivered “as is” and are built in as they are. As of today, you would be hard-pressed to find an IT security specialists working on an airplane in any maintenance hangar of a commercial airline.
When it comes to introducing anything new, manufacturers and pilot prefer a conservative approach. Manufacturers cannot deliver anything “half-baked” and pilots need to rely 100% on the information they get from the manufacturer. If an incident occurs with a particular type of aircraft, the manufacturer usually issues bulletins with possible mitigation strategies to all the airlines, which have the same type of aircraft in operation. Those can be special instructions for pilots as well as maintenance advisories for ground crews to keep their eyes peeled for particular things during maintenance.
Some of the systems and programs which are used in commercial aircraft might be ten years or older. Whenever you board a plane, there is a good chance the software controlling it is way older than any of the software you have on your smartphone. This might sound dramatic, but it really is not. The requirement profile for aircraft systems has not undergone any major changes in the past few years. Also, you can be sure that this particular combination of hard- and software has clocked up hundreds of thousands of flying hours with no failures. This is one of the reasons why flying is statistically the safest mode of transportation.
What is particularly interesting in this case is that manufacturers apparently have been aware of the flaws for a long time, but did not deem them critical enough to inform their customers. It was thought of as “no big deal”. A statement of a Boeing spokesman suggests that they consider the information gathered by the expert team valuable, but of little practical relevance as the type of attack requires expert knowlegde not everybody has access to. Therefore it was not seen as a general security threat. Pilots on one hand could justifiably ask themselves what other information manufacturers might withhold. On the other hand, there is the question of what practical use such a notification would have had. Pilots are not IT security experts and they have little to no way of dealing with any cyber threat on board an aircraft. The same is true for maintenance crews, because there are no IT security experts present (yet?).
IT systems and networks in passenger aircraft are vastly different from the „normal“, ground-based PC and network infrastructure that we are familiar with. Fixing any flaws in an avionics software is hugely complicated and, above all, very costly. According to a member of the DHS team, fixing a single line of code in such a program can cost upwards of a million dollars and take years to make it into production. Add to this the cost of replacing the software in the field: every hour that a plane is not in the air costs its operator money. Individual machines are often planned into the flying schedule weeks in advance. A jet which goes into a six-week general overhaul (called the „D Check“), its first flight is often scheduled for the same day the overhaul expected to be completed. Under these circumstances, the costs that manufacturers and operators incur for fixing any flaws quickly spiral out of control and make fixes almost prohibitively expensive.
The good news is: modern systems and newer machines are planned with improved (IT-) security in mind. However, older aircraft often do not benefit from those changes, unless they undergo a full upgrade – which will they only do if it its operator can economically justify it. The majority of the planes that are in operation today is at least a few years old. It is not uncommon for a passenger jet to remain in active service for 15 to 20 years, sometimes more. The aircraft industry is now facing a challenge this other industries have to face now: they need to secure a system that was never designed with a world in mind where everybody and his brother has access to tools which can put those systems in serious danger.
There is still one fact, though, that might give some people some peace of mind: even with all the automation in a modern airliner, there is still a human in the pilot’s seat who has the final word.