Debate: Could a hacker really gain control of a passenger jet?

Experts, including Emirates, flydubai, Boeing, a US gov't watchdog and IAG address recent claims by a US hacker
By Staff writer
Mon 25 May 2015 10:10 AM

A US-based hacker reportedly told federal investigators earlier this month he managed to gain control of the engines of a commercial aircraft mid-flight, using just his laptop and an Ethernet cable, and claimed to have performed a climbing manoeuvre.

Chris Roberts, who was already known to the FBI before the investigation, told agents he had hacked into the engines' systems by first infiltrating an aircraft's inflight entertainment (IFE) system. He has been interviewed by the bureau three times this year, but has yet to be charged with a crime. According to a search warrant, the FBI believes he is capable of achieving what he claims.

Roberts is the founder of One World Labs and bills himself as a White Hat consultant, identifying vulnerabilities before they can be exploited. In mid-April Roberts took a United Airlines flight from Denver to Chicago. While on board he tweeted about hacking into the aircraft's oxygen mask system through its inflight entertainment.

Roberts also claimed he had accessed aircraft networks and was able "to monitor traffic from the cockpit system".

So could someone access a plane’s controls simply by hacking into the entertainment system? Such a scenario raises a myriad of security issues. In a bid to understand the issues behind the debate, we looked to a diverse range of experts, both local and regional and in a variety of fields, for their opinion:

- A spokesperson from Dubai’s Emirates

- A spokesperson from flydubai

- US Government Accountability Office, a federal watchdog agency

- Steve Wozniak, former Apple founder and technology legend

- Willie Walsh, CEO of International Consolidated Airlines Group (IAG), the parent company of British Airways, and a trained pilot

- Nicolai Solling, one of the Middle East's foremost IT experts and director of technology services at Help AG, a regional IT security company

A spokesperson from Dubai’s Emirates, the world’s largest international airline, issued the following statement: "Emirates’ ice inflight entertainment system, by design, is completely and totally independent from all flight deck systems and has been designed and installed by the Aircraft Manufacturers in accordance with all regulatory requirements. On all Emirates aircraft, there is no physical Ethernet link between the inflight entertainment system and the flight deck systems or Electronic Engine Controls.

"Additionally, the fly by wire flight control computers are independently wired and cannot be accessed through a Wi-Fi connection.

"When it comes to flight operations and safety, Emirates’ standards meet and very often exceed manufacturer, international regulator and local aviation authority requirements. The safety of our passengers and crew is of paramount importance and will never be compromised."

A flydubai spokesperson issued the following statement: “On all commercial Boeing aircraft the IFE and operational systems are isolated and this is the case on flydubai’s fleet of 47 Next-Generation Boeing 737-800 aircraft.”

A Boeing spokesperson issued the following statement: “IFE systems on commercial airplanes are isolated from flight and navigation systems. While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions.

“Boeing is committed to designing airplanes that are both safe and secure - meeting or exceeding all applicable regulatory requirements for both physical and cyber security. For security reasons, we do not discuss specific airplane design features.

“It is worth noting that Boeing airplanes have more than one navigational system available to pilots. No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”

US Government Accountability Office, a federal watchdog agency: US commercial airliners could be hacked by passengers using a plane's wireless entertainment system to access its flight controls, a federal watchdog agency warned back in April this year.

A new report from the US Government Accountability Office identified the danger as one of several emerging cybersecurity weaknesses that the Federal Aviation Administration must address as the air traffic control systems move toward next generation technology.

"Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors," the report said.

FAA Administrator Michael Huerta concurred with the GAO's findings and said the aviation regulator has begun working with government security experts including the National Security Agency to identify needed changes.

"This threat will continue to evolve and it is something that needs to be at the forefront of our thinking," he told a Senate oversight panel.

GAO investigators spoke to cybersecurity experts who said onboard firewalls intended to protect avionics from hackers could be breached if flight control and entertainment systems use the same wiring and routers.

One cybersecurity expert told investigators that "a virus or malware" planted on websites visited by passengers could provide an opportunity for a malicious attack.

Lawmakers in Congress called on FAA to act.

“This report exposed a real and serious threat - cyberattacks on an aircraft in flight," said US Representative Peter DeFazio, ranking Democrat on the House Transportation and Infrastructure Committee.

"FAA must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system."

Steve Wozniak, former Apple founder and technology legend, was asked about the incident this month: "First of all we have to thank [Roberts] because whatever he did, whether it's real or made up, it sure brought to our attention how critical this is," Wozniak said when the question was put to him while on a visit to Dubai. "Why do people leave out security all the time? It's just how we are as humans. We grew up with very little security in our homes. Just a lock on the door.

"Every new technology leaves out security and protections; they just want to accomplish something that hasn't been done before, and then later on, once they get attacked, they have to go back and think out the security. And operating systems are not very good at being preventative. So that is a huge worry to people, but I'm sure that aeroplane companies are going back already making sure that their internal electronics are not reachable."

Last year, during an interview with Arabian Business in London, we put the following query to Willie Walsh, CEO of British Airways' parent company International Consolidated Airlines Group (IAG), and a trained pilot: In the second film in the Die Hard series, Bruce Willis’ John McClane character tries to fight terrorists who tap into a plane’s operating systems and hold an airport to ransom. With the recent spate of cyber hackings and terrorists in Syria targeting websites and stock markets as part of the campaign, is this a likely scenario in the future?

“I don’t think that is a risk today and I think the industry has been very aware of that as a potential risk,” Walsh said at the time. “We don’t always disclose what it is we do and why we do things and that is the right way from a security point of view.

“I am convinced that our industry is safe and the procedures we have in place have been tested and yes there will be mistakes and we will learn and we will learn and adapt but the idea that we should throw everything we have and years and years of very good work because of one incident would be wrong.”

Nicolai Solling, one of the Middle East's foremost IT experts and director of technology services at Help AG, a regional IT security company, issued the following opinion piece: “The recent story about a cyber security consultant who allegedly hacked into the IT systems of a commercial airliner and gained access to its inflight controls has made headlines across the globe. With security always being a prime concern in the airline industry, this has raised a number of questions and experts as well as the general public are eager to know the extent to which this story is true.

“Here’s a brief background: Historically a plane’s control systems have been very manual, based on hydraulics and mechanical circuits, with some form of automation of the control systems. However, in the last couple of decades, the control systems have been upgraded and today most modern jets are controlled by electronic control systems – also known as fly-by-wire controls. These upgrades have been required in order to increase reliability as well as support the increased functionality required by the control systems to operate more sophisticated engines and bigger and bigger planes.

“These electronic control systems have a lot of resemblance to the normal Ethernet cables that you know and are likely to have used at home in order to connect your Internet connection, telephones and other such electronic services. However, apart from a control system, there are also other systems in a plane which rely on electronics. These now include the inflight entertainment systems as well as the Wireless Internet systems we utilize when we surf the Internet on the plane.

“The article which recently made headlines has raised some speculation around the interfaces between the control networks and entertainment networks, and forced concerned parties to question whether a hacker can modify the plane’s control systems from the entertainment networks.

“Should I worry? There are some fundamental things that airplane manufacturers and their related partners have done to protect against such attacks. First of all, there is a strong separation between the entertainment system and the avionics control systems.

“Of course after the recent claims there has been a lot of scrutiny around ensuring that this separation is sufficient. Unfortunately, we do not know the veracity of the claim made by the Security Researcher, and until there is precise information, it is very difficult to say what is possible, or if it is indeed possible. The positive impact that this has had will be evident in the long run, as it will hopefully allow the cyber security community to identify and implement the necessary levels of separation such that passengers can be assured that hackers can do no harm to a plane in the air.

“One thing I would like to highlight though is that I would much rather be on a modern plane with modern control systems than an older one, and the technology in question still holds a lot of benefits to safety. As an example, in the past couple of years, we have seen some deeply disturbing fatalities in airplanes that have been traced to intentional or unintentional pilot error. In these cases, technology holds a lot of promise in making sure such actions are not possible.

“The story also highlights some other more general concerns which is that our world is becoming more and more connected. How do we deal with modern cyber security threats when our devices are becoming more and more connected? A good example is connected cars, which are starting to have various levels of automation, even to the level of being self-driving and steered. How do we protect these, and is the right level of cybersecurity resilience built into the design of such devices?

“One thing is quite certain – When you buy an Airbus A380 for $450 million, there is bound to be more security technologies installed in it than in a $20,000 car. So how do we make security affordable and efficient enough even in consumer grade products?

“Back to the topic of planes however. Yes, it is safe to fly! There are significantly more people injured in traffic on the way to the airport than in plane crashes - but as with the security of anything else, it is important to scrutinise any potential issues, especially in the cyber domain as a sophisticated attack today may become commodity the next day.”
