Cybersecurity experts’ concerns that terrorists or malicious actors could hack into the networked systems of specific contemporary passenger aircraft and take control of them — which Homeland Security Today reported last week — has drawn fire from several quarters, including airline manufacturers and engineers.
And, from the Twitterverse, one person tweeted, “This story is a bit ‘over-the-top’ with its doomsday scenarios. It’s not that serious a threat. It’s a vulnerability."
Another tweeted, "it [must have been] a slow news week.”
Homeland Security Today reported that concerns about potential security problems in airliners’ in-flight systems blew up after Denver-based One World Labs founder and CTO Chris Roberts said he’d identified vulnerabilities in the In Flight Entertainment (IFE) systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft.
Roberts made news by tweeting what was assumed to be a joke about “playing” with a United Airlines plane’s IFE and crew-alerting system on April 15. Federal authorities weren’t amused over whether he’d actually been able to hack into and take control of modern passenger planes he’d flown on.
Roberts’ had tweeted, “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :).”
On the ground waiting for Roberts at the United Airlines flight’s final destination in Syracuse, New York were FBI agents who wanted to talk to him, which they did for several hours. The FBI also seized some of his computer equipment and prevented him from boarding another United flight.
“Lesson from this evening, don’t mention planes,” Roberts later tweeted. “The Feds are listening, nice crew in Syracuse, left there naked of electronics.”
Asserting Roberts had earlier told FBI agents he’d taken control of aircraft, the following day, April 17, the FBI obtained a search warrant to seize a variety of computers and related equipment owned by Roberts, basing its application for the search warrant on the basis the technology will reveal “evidence of a crime;” “contraband, fruits of crime, or other items illegally possessed;” and “property designed for use, intended for use, or used in committing a crime.”
“[Roberts] stated that he … caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application. He also stated Roberts “used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks [and] used the software to monitor traffic from the cockpit system.”
In interviews with an FBI agent on February 13, and again on March 5, according to the application for the search warrant, Hurley stated “to obtain information about vulnerabilities with In Flight Entertainment systems on airplanes … Roberts advised that he had identified vulnerabilities with IFE systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft.”
Hurley then stated, “Chris Roberts furnished the information because he would like the vulnerabilities to be fixed.”
Continuing, the search warrant stated that, “During these conversations, Mr. Roberts stated … he had exploited vulnerabilities with IFE systems on aircraft while in flight. He compromised the IFE systems approximately 15 to 30 times during the time period 2011 through 2014. He last exploited an IFE system during the middle of 2014. Each of the compromises occurred on airplanes equipped with IFE systems with video monitors installed in the passenger seatbacks.”
In addition, the warrant application stated “the IFE systems he compromised were Thales and Panasonic systems … he was able to exploit/gain access to, or ‘hack’ the IFE system after he would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover for the SEB under the seat in front of him by wiggling and squeezing the box.”
Editor’s note: For the complete earlier Homeland Security Today report, click here.
FAA raised concerns about security of networked systems on aircraft
Following theconcerns about networked systems security, Boeing and Airbus refuted claims their planes have flaws in their networked systems designs that can allow them to be hacked. Both companies declined to discuss any of the security features deployed pursuant to a Federal Aviation Administration (FAA) special conditions rule for the networked systems on jetliners in question.
Boeing said in a statement that the "In Flight Entertainment systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions."
Boeing told SecurityWeek last month that, “IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions.”
WIRED reported Tuesday that airline engineers it interviewed said they agree with Boeing that what Roberts claim he was able to do isn’t possible.
“Airbus has robust systems and procedures in place for our aircraft and their operations to ensure security against potential cyber attacks,” the company said in a statement. “We naturally do not discuss details on our security design and operations in public.”
Yet, it was because of concerns regarding the security of IFE and other networked systems on these aircraft that on November 18, 2013, the FAA issued a proposed Special Condition allowance, "Aircraft Electronic System Security Protection From Unauthorized Internal Access, for Boeing Model 777-200, -300, and -300ER Series Airplanes."
The FAA stated the Special Condition was “issued for the Boeing Model 777-200, -300, and -300ER series airplanes” because, “as modified by the Boeing Company, will have novel or unusual design features associated with the architecture and connectivity of the passenger service computer network systems to the airplane critical systems and data networks.”
“This onboard network system will be composed of a network file server, a network extension device and additional interfaces configured by customer option,” the FAA explained, noting, however, that, “The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the [FAA] Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.”
On August 21, 2012, The Boeing Company applied for a change to Type Certificate No. T00001SE Rev. 30 dated June 6, 2012 for installation of an onboard network system, associated line replaceable units (LRUs) and additional software functionality in the Boeing Model 777-200, -300, and -300ER Series Airplanes. The Boeing Model 777-200 airplanes are long-range, wide-body, twin-engine jet airplanes with a maximum capacity of 440 passengers. The Boeing Model 777-300 and 777-300ER series airplanes have a maximum capacity of 550 passengers. The Model 777-200, -300, and -300ER series airplanes have fly-by-wire controls, software-configurable avionics, and fiber-optic avionics networks.
FAA said, “The proposed architecture is novel or unusual for commercial transport airplanes by enabling connection to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. This proposed data network and design integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems. Furthermore, regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities, which could be caused by unauthorized access to aircraft data buses and servers.”
Continuing, the FAA stated, “The Boeing Model 777-200, -300, -300ER series airplanes will incorporate the following novel or unusual design features: An onboard computer network system, and a network extension device. The network extension device will improve domain separation between the airplane information services domain and the aircraft control domain. The proposed architecture and network configuration may be used for, or interfaced with, a diverse set of functions, including:
- “Flight-safety related control and navigation systems;
- “Operator business and administrative support (operator information services);
- “Passenger information systems; and,
- “Access by systems internal to the airplane.”
“The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models,” FAA said, noting that, “This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants.”
“This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation or exploitation of data and systems critical to the safety and maintenance of the airplane,” the FAA stated. “The existing regulations and guidance material did not anticipate these types of system architectures. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities which could be exploited by unauthorized access to airplane networks and servers. Therefore, these special conditions are being issued to ensure that the security (i.e., confidentiality, integrity and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain and the passenger entertainment services.”
For those reasons, FAA said, “special conditions contain the additional safety standards that the [FAA] Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.”
“This action affects only certain novel or unusual design features on Boeing Model 777-200, -300, -300ER series airplanes. It is not a rule of general applicability,” FAA stated.
The FAA said, “The substance of these special conditions has been subjected to the notice and comment period in several prior instances and has been derived without substantive change from those previously issued. It is unlikely that prior public comment would result in a significant change from the substance contained herein. Therefore, the FAA has determined that prior public notice and comment are unnecessary, and good cause exists for adopting these special conditions upon publication in the Federal Register.”
The FAA’s “Final Special Condition” rule for Boeing Model 777-200, -300, -300ER series airplanes modified by The Boeing Company were issued on May 5, 2014 by FAA Manager, Transport Airplane Directorate, Aircraft Certification Service, Jeffrey E. Duven, and published in the Federal Register. The effective date of these special conditions was June 6, 2014.
The special conditions required by the FAA are:
- The applicant must ensure that the airplanes’ electronic systems are protected from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
- The applicant must ensure that electronic system security threats are identified and assessed, and that effective electronic system security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
- The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post type certification modifications that may have an impact on the approved electronic system security safeguards.
Security authorities aren’t persuaded
Although public comment is supposed to follow proposed federal rule-making, the FAA stated it “determined that notice of, and opportunity for prior public comment on, these special conditions is impracticable because these procedures would significantly delay issuance of the design approval and thus delivery of the affected aircraft. In addition, the substance of these special conditions has been subject to the public comment process in several prior instances with no substantive comments received. The FAA therefore finds that good cause exists for making these special conditions effective upon publication in the Federal Register.”
There was, however, one very interesting comment submitted by an unidentified respondent.
“As a cybersecurity professional and a member of the flying public, I am concerned about the issuance of these special conditions,” the respondent said, pointing out that, “Without specific details it is impossible to comment on the wisdom of allowing or disallowing the applicant to move forward with this proposal. However, connecting networks with arguably different purposes (e.g. aircraft control and passenger entertainment) and presumably different security requirements is counter to the industry best practice.”
“I appreciate the FAA’s candid admission that current regulations and guidance in this area are lacking,” the commenter said, “However, the three special conditions stipulated in 2014-13244 lack the objective requirements that I believe are necessary to ensure that adequate protections are in place.”
“As a result,” the commenter stated, “I am suggesting that the FAA consider the following additional special conditions:
“Require that the benefits of increasing the network connectivity between the different networks be spelled out, and balanced against the additional risk. The applicant should provide this information as part of this and future requests.
“Require that the following independent assessments be performed by contractors not directly associated with the applicant:”
- A formal risk assessment of increasing network connectivity;
- An independent review of the network connectivity and security protections proposed; and
- A vulnerability assessment and penetration test of the systems under operating conditions as close as possible to those anticipated in flight.
“Note that it is in the best interest of the FAA, the applicant and the flying public that these assessments be contracted for, and performed in a manner that assures their validity and independence,” the respondent continued. “Furthermore, I am suggesting that the FAA undertake the following action:”
“Form a working group of recognized cybersecurity experts from the federal and private sectors to develop specific guidelines and recommendations for the FAA to adopt, and to ensure that the working group’s work is conducted in an open and publicly accessible manner.”
Cyber authorities respond to critics
Several veteran cybersecurity authorities who expressed their concerns about Roberts’ claims in interviews for Homeland Security Today’s report on this issue provoked criticism from some quarters, which did not set well with authorities Homeland Security Today interviewed.
Among the seasoned cybersecurity authorities interviewed by Homeland Security Today for its original report is Winn Schwartau, CEO of The Security Awareness Company who is considered “The Civilian Architect of Information Warfare,” and coined the phrase, “digital Pearl Harbor," more than 20 years ago. His seminal 1993 book, Information Warfare: Chaos on the Electronic Superhighway, first introduced the concepts of cyberterrorism to the public.
“I really believe in this. This is serious shit,” Schwartau originally exclaimed in Homeland Security Today’s earlier report in response to concerns terrorists or malicious actors could hack the computerized systems of certain contemporary passenger aircraft.
“I, and many of my security professional colleagues, are not so sure that it’s safe to fly anymore. I know I cannot, without any level of confidence, say whether inflight onboard networks are secure, or whether they present a clear and present danger to the flying public,” Schwartau said.
“What I am saying, is, let’s take a pause,” he said.
“In light of the myriad cybersecurity questions about the differing current implementations of onboard entertainment on commercial aircraft, I ask that, in the name of passenger safety first, airlines voluntarily shut off their aircraft Wi-Fi and entertainment systems until proper open-source security reviews can establish their safety for the flying public,” Schwartau said.
“The evolution of passenger comfort and profit via onboard electronic systems, raises questions about the potential for miscreant and cyber-terrorist actions,” Schwartau cautioned.
“Defensive protestations about ‘no known vulnerabilities,’” he said, “invokes a level of arrogance that cyber history has proven to be profoundly wrong, and a guaranteed recipe for failure. Political and profit driven hubris must not be permitted to dominate while thousands of planes hurtle millions of passengers around the world at 530 mph.”
Schwartau outlined a number of security issues he believes need to be addressed immediately.
Critics of Schwartau and other experts’ concerns, however, as well as the FBI, said worries about the security of aircraft networked systems is so much hooey.
In response, Schwartau told Homeland Security Today, “To those folks who might disagree with my assessment, I am not a doomsayer any more today than when I wrote Information Warfare in 1992; it’s about security, systems and capabilities. I have rarely dealt with intent. That’s for other folks.”
“I am saying something very simple: I don’t know, and I don’t know anyone else, who really does know, for absolutely sure, how secure the various networks and systems on airplanes are,” Schwartau said, stressing, “I do know that when an IT person says they are secure because they use a firewall, I am skeptical. I am not a fan of security by obscurity, often favoring open source reporting by an independent security review on a periodic basis. I also know that physically isolated networks are sure a whole lot more secure than two network segments that are electronically isolated. Lastly, I know, for absolutely sure, I would be a boatload more comfortable really knowing that airplanes, of all things, maintain the highest level of security possible.”
So, “If you call that doomsday thinking, fine,” he continued, saying, “I call it serious engineering-based security in mission-critical life-or-death situations. I put hospital networks and nuke plants in that same category.”
“No, I am not saying it’s a vulnerability,” he continued. “I am saying, maybe it’s a ‘potential‘ vulnerability; I don’t know all the facts, but I am suspicious. I never used the word ‘threat,’ which is generally accepted to mean a suspected or known intent to inflict harm or act with hostility. I just want this seriously checked out by people other than the vendors or airlines or others with vested interests. This has to be 100 percent agnostic.”
“Lastly,” Schwartau added, “this topic is not new (and for me, at least, has nothing to do with any news cycle). Hugo Teso, a pilot, gives technical briefings on security aspects of air born avionics and communications.” And, “Renderman has also spoken on similar topics.”
Last year at a security conference, Teso presented, "Going Deeper on Aviation Security." According to Teso, his research did “not release exploits or vulnerabilities that can be used against aircraft irresponsibly."
“So, when I say this is serious shit,” Schwartau concluded, “I mean it and stand by it. The sky is not falling, no; but damn, I don’t want any planes falling out of the sky because we screwed up cybersecurity at 37,000 feet, either.”