Federal officials say that the very things that are making flights more fun could be opening airlines to greater security risks.
"People should definitely look for strange Twitter or Facebook posts."
- Jeff Price, aviation security expert
Last Wednesday, a report from the Government Accountability Office stated that security issues with passenger Wi-Fi and In-flight Entertainment networks (IFE) on several models of aircraft could allow hackers to access critical avionics systems and hijack the flight controls.
This prompted the Federal Bureau of Investigation and Transportation Security Administration this week to issue an alert to airlines advising them to be on the lookout for evidence of tampering or network intrusions.
The FBI and TSA said currently they have no information to support claims that an attacker could commandeer a plane’s navigation system through the passenger Wi-Fi or IFE networks.
Jeff Price, aviation security expert and CEO of Leading Edge Strategies, said the report and warning will help get airlines--and even passengers --alerted to the potential dangers.
“Airlines and airports need to conduct assessments of their own computerized systems and technologies, and (have a) red team to look for areas of penetration or weaknesses in the system. Everyone needs to keep software as up-to-date as possible.”
Among the FBI recommendations listed in a private industry notification obtained by Wired magazine, are:
--Report any evidence of suspicious behavior following a flight, such as IFE systems that show evidence of tampering or the forced removal of covers to network connection ports.
--Review network logs from aircraft to ensure any suspicious activity, such as network scanning or intrusion attempts, is captured for further analysis.
--Report any evidence of suspicious behavior concerning aviation wireless signals, including social media messages with threatening references to Onboard Network Systems, ADS-B, ACARS, and Air Traffic Control networks.
Last week, a tweet from a passenger flying from Syracuse had United Airlines scrambling. Airline security researcher Chris Roberts jokingly tweeted—while on an airplane—about tampering with aircraft equipment to deploy the aircraft’s oxygen masks.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)
— Chris Roberts (@Sidragon1) April 15, 2015
Roberts was detained by authorities and has since been banned from all United flights.
But the incident underscores the growing concern in the aviation industry of how it's possible for a hacker to gain access to navigational controls and commandeer a plane. This is happening as the airlines are trying to lure in customers with more Wi-Fi services and expanding in-flight entertainment options.
Some aviation experts say one idea may be keeping entertainment systems separate from the aircraft control systems to limit an attacker's access, although planes today are not designed for that. While each aircraft is built with numerous systems and redundancies within the system, the industry largely relies on firewalls to protect critical technology used during flight against intrusions. According the GAO report, that isn't enough "because firewalls are software components, they could be hacked like any other software and circumvented."
Price said that the public also has a role in detecting security threats, especially frequent fliers or those frequenting social media.
“People should definitely look for strange Twitter or Facebook posts, but this is really a new definition of the “see something, say something” program. Instead of physical behaviors or statements the person may make audibly, now we need to watch for the statements people make digitally.”
Roberts said that his tweet was meant to make the aviation industry wake up to potential danger. But the incident is a reminder that in the Post 9/11 era, airline security is no joking matter.
"The world of cyber security is unfortunately wide-open. Some of the best experts out there have basically been saying no one is secure,” Price said.