US Government Probes Airplane Vulnerabilities, Says Airline Hack Is 'Only a Matter of Time' (vice.com) 125
Joseph Cox, writing for Motherboard: U.S. government researchers believe it is only a matter of time before a cybersecurity breach on an airline occurs, according to government documents obtained by Motherboard. The comment was included in a recent presentation talking about efforts to uncover vulnerabilities in widely used commercial aircraft, building on research in which a Department of Homeland Security (DHS) team successfully remotely hacked a Boeing 737.
The documents, which include internal presentations and risk assessments, indicate researchers working on behalf of the DHS may have already conducted another test against an aircraft. They also show what the US government anticipates would happen after an aircraft hack, and how planes still in use have little or no cybersecurity protections in place.
"Potential of catastrophic disaster is inherently greater in an airborne vehicle," a section of a presentation dated this year from the Pacific Northwest National Laboratory (PNNL), a Department of Energy government research laboratory, reads. Those particular slides are focused on PNNL's findings around aviation cybersecurity. "A matter of time before a cyber security breach on an airline occurs," the document adds.
Just a matter of time... (Score:2)
Commercial aircraft connected to the Internet? (Score:1)
Re:Commercial aircraft connected to the Internet? (Score:5, Interesting)
So passengers can use WiFi while on board. Duh.
The real question is "why is the cockpit navigational equipment connected to the Internet," and the answer is "it isn't." Nor is the autopilot on most designs.
Re: (Score:2)
Sandwiches also existed "before das intertubularz" so people should also not use the internet during lunch.
Given the amount of germs that sit on keyboards and the increased chance of users spilling liquid on their computer, this is actually wisdom valued far beyond the sarcasm that was intended. It's about risk mitigation.
Re: (Score:2)
Those also existed "before das intertubularz" so according to your reasoning no one should use wi-fi on those modes of transport either.
Security is a lot about risk mitigation. If WiFi or other extraneous services start introducing vulnerabilities to any form of transport, particularly the ability to safely control it, then you properly weigh those risks against the reward of satisfying a tube full of internet junkies.
Honestly, the proper decision should have been made back on the drawing board when the extraneous-services-network was being built into the plane; No ability to communicate in any way with the transport or its control systems
Re: (Score:1)
Re: (Score:2)
good luck with that last one, too heavy for aircraft.
I wonder how heavy a class-action lawsuit is against an airline? From a financial standpoint, probably heavy enough to tip the scales of insolvency.
Someone should probably weigh the risks of electronic manipulation via exposed communications.
Re: (Score:2)
People flew fine, lived fine, without such nonsense.
Now convince some sperglord that he can't play his MMORPG while stuck in an airplane for 6 hours. Watch the neurotic fits ensue.
Re: (Score:2)
Re: (Score:2)
GPS satellite spoofing certainly seems technically feasible. Wikipedia even has a paragraph or three on the subject. https://en.wikipedia.org/wiki/... [wikipedia.org]. Of course there is some possibility that an aircraft crew might be capable of recognizing the problem and of navigating without GPS. My understanding is that Charles Lindbergh managed to find Europe without GPS.
Re: (Score:3)
who said the attack was via internet? planes act on received radio signals, have internal signal buses, etc.
Re: (Score:1)
Internet isn't required if someone that's supposed to be maintaining the plane decides to tamper with it. Someone could hack in and leave a nasty time bomb for later or when certain conditions are met. Doesn't have to be connected to any kind of network at all.
Re: (Score:2)
it's interesting in that report they say attacks were done from passenger's seats
Re: (Score:2)
737? (Score:2)
Isn't a 737 mostly hydraulic flight controls with manual reversion? Hacking the flight control systems on such an aircraft shouldn't be possible. Same goes for other mostly-manual aircraft like MD-80/90 and the CRJ/Dash 8 series.
True FBW systems should also be air-gapped from anything like in-flight WiFi and entertainment. Ideally running a RTOS with programs stored in ROM that's only updated by either (1) removing a card and installing a new one, or (2) using a serial programmer directly connected to th
Re: (Score:2)
they all have autopilot that can work those hydraulic controls, the autopilot is a hydraulic system that the flight management computer directs
Re: (Score:2)
Re: (Score:2)
and suppose part of the nefarious plan is to incapacitate the pilot, which can be done by subverting certain systems?
Re: (Score:3)
Autopilot systems are generally designed to allow the pilot--with sufficient force--to override the autopilot motors in the event the autopilot acts up.
(I once flew a DA-40 whose autopilot decided a hard left turn was the right answer--it took a little upper-body strength, but not a lot, to force the plane from flipping over while I reached for the breaker to turn off the autopilot. Same principle applies in large aircraft like 737s, and that's by design.)
Re: (Score:2)
Re: (Score:1)
That's just bad design.
Because the correct way to design an airplane is to assume everything is going to go haywire: that the GPS satellites have all been taken over by Skynet, the computer has become depressed and suicidal, and the autopilot motors have all decided to play poker in the cargo hold.
Re: (Score:3)
Re: (Score:2)
The benefit of a mechanical system is actually the non-zero wear rate. I know when my elevator cables are worn by running a cloth down them. I know my wheel bearing needs replacing when there is shimmy in the wheels. I know the attitude indicator is on its last leg when it starts taking longer to settle down after start-up or whine with the wrong tone after shutdown. In each case, the "wearing out" is progressive and provides clues that maintenance is necessary.
The electronics failure mode is that one d
Re: (Score:2)
But the control yoke on a 777 doesn't have direct control of surfaces; it just has a reactive force motor that you work against, no?
Re: (Score:2)
"you're not thinking 4th dimensionally, Marty" -- Dr. Brown
but suppose part of the compromising of systems also renders the pilot unconscious or immobile before he can override AP?
Re: (Score:2)
Re: (Score:3)
No fly by wire system is updateable
Not true. Having worked at Boeing, I've seen numerous systems updated by plugging a laptop into the controller and uploading a new s/w version. With some, you do have to pull the box, open a cover and access a port (JTAG). But at the other end of the spectrum, 787 systems can be accessed over the on-board network.
Boeing applied for and received approval from the FAA [federalregister.gov] to allow connection between passenger entertainment and avionics networks on the 787. Now all that one needs to do is to upload a malicious ap
Re: (Score:3)
Not really. The 'firewall' is an enhancement to Ethernet that checks packet sources against a list of 'approved' hardware MAC addresses. But if you can trick the passenger entertainment equipment into running Evil applications, you are in the system talking to the avionics.
Re: Remotely hacked 9/11 (Score:2)
Horseshit. The article is pure FUD. Nobody has ever demonstrated a way to remotely control any of the aircraft currently flying without first installing a bunch of new software and hardware. Given the way mission computers and flight controls are designed, it's insanely unlikely that anyone ever will.
Re: (Score:1)
Before "9/11" anyone would have told you that the US Air Force would have shot down any hijacked commercial planes if it would have saved lives of people in buildings on the ground. The 1 in 365 chance that terrorists would get lucky and pick the one day the entire Air Force is having a picnic was considered "insanely unlikely."
Re: Remotely hacked 9/11 (Score:2)
Before "9/11" anyone would have told you that the US Air Force would have shot down any hijacked commercial planes if it would have saved lives of people in buildings on the ground.
And this anyone would have been an idiot with no understanding of the subject. If instead of asking "anyone" you had asked the people who do that work for a living you would have gotten a much different answer.
Re: (Score:2)
Before "9/11" anyone would have told you that the US Air Force would have shot down any hijacked commercial planes if it would have saved lives of people in buildings on the ground. The 1 in 365 chance that terrorists would get lucky and pick the one day the entire Air Force is having a picnic was considered "insanely unlikely."
They weren't having a picnic they were practicing for that exact thing happening.
Re: (Score:2)
I think military aircraft might be more vulnerable than civilian airliners. On a lot of missions, military craft use information/receive orders from external sources while in flight. Plus which, they may be operating in an environment with sophisticated jamming and countermeasures in place. That said, I would assume that the military has taken a few precautions to discourage folks from diverting/hijacking/repurposing their multimillion dollar weapons systems.
Re: Remotely hacked 9/11 (Score:2)
On a lot of missions, military craft use information/receive orders from external sources while in flight.
And those systems are completely separated from the actual flight controls and mission computers. Source: worked on military aircraft.
With the most modern aircraft which have the capacity to share targeting data it might be a bit more of an issue in that someone could theoretically feed you invalid data so your weapons hit the wrong target. This is also quite unlikely, but at least plausible. If we ever do find that it's happening we can always turn off that particular capability and go back to doing t
Re: (Score:2)
I agree with both posters above. OTOH, the level of motivation and resource available to those who might wish to attack a military aircraft is probably much higher than civil aircraft. And the Iranians did manage to hijack a USAF drone in flight a few years ago and apparently even managed to land the thing.
BTW, I've worked with command and control of military weapons systems for a number of decades. But that was a LONG time ago and things have changed a lot.
Re: Remotely hacked 9/11 (Score:2)
There are a lot of outstanding questions about what exactly happened with that drone. Some Iranian sources have claimed that they jammed its communications links and then fed it spoofed GPS data to get it to land. This is somewhat plausible, but the drones don't rely purely on GPS data so it seems unlikely that this would have worked.
It's definitely an interesting occurrence, but "hijacked" implies they had direct control, which doesn't seem to be the case.
Re: (Score:2)
Foreseen... (Score:2)
Re: (Score:2)
Re: (Score:2)
I remember that one, quite funny :D
Re: (Score:3)
Re: (Score:1)
Thousands of unsecured IP cameras world wide belie your claims.
*sigh* The vulnerabilities are not what we think. (Score:5, Interesting)
First, all pilots are trained to fly the airplane manually, with all air surfaces controlled by hydraulics on most aircraft. Electric motors are also connected to these hydraulics to allow the autopilot to fly the airplane, but as a convenience. Pilots are supposed to know how to fly the airplane without the use of the autopilot and by using radio signals received by VORs (radio-directional beacons) in order to navigate using a paper chart (or an iPad with a chart on it).
That Air France Flight 447 went down was not due to "poor training" or because of a lack of ability to detect a cyber-attack, but because the copilot in that airplane panicked and pulled when he should have pushed. (Frankly his mistake was a rookie mistake that student pilots are supposed to unlearn within the first 20 hours of training.)
Now are there attack vectors which can be used to sabotage an airplane? Absolutely--but they're not the "I plugged the laptop into the network and hacked the airplane's firewall" variety, since most aircraft (certainly the 737) run parallel networks--with the avionics physically disconnected from the entertainment and WiFi systems used by the passengers.
Attack vectors would be for a passenger or someone on the ground to jam and spoof GPS signals, and to jam and spoof directional VOR and ILS transmissions, to fool the navigation equipment on the aircraft to think it's somewhere it's not. Another attack vector is jamming and overriding the air traffic voice and text communications by someone spoofing air traffic control.
The problem is exacerbated by NextGen, where aircraft broadcast their GPS location (rather than their location being detected by ground-based radar), so it makes it harder for Air Traffic Control (who watches all commercial aircraft like a hawk, alerting pilots if they deviate from their flight plan) to determine if someone has gone off course. And of course the problem is made worse by inattentive pilots who often sit around the cockpit bored when they are supposed to be monitoring the navigational equipment to make sure it looks correct. (Remember when two pilots flew off course because both of them fell asleep at the wheel? [dailymail.co.uk])
But onboard cyber-attacks? Puh-lease...
The solution to all of this is the solution first taught to student pilots flying their first Cessna 172: fly the damned plane. Left hand on the yoke, right hand on the throttles, both feet on the rudders, and do that stick-and-yoke thing so many of them have forgotten because they think the computer is the best pilot in the cockpit.
If I had my way, the first thing I'd mandate is that all commercial pilots--including those flying the largest A-380 airplanes--spend at least a few hours a month flying the same Cessna 172 they learned in. That way they remain viscerally connected to flying by stick and yoke--and when the computer acts up, as it always seems to do at the worst moment in the cockpit, you can still look out the window, see that piece of cement in the distance, and put the airplane down where it's supposed to go.
Re: (Score:2)
That Air France Flight 447 went down was not due to "poor training" or because of a lack of ability to detect a cyber-attack, but because the copilot in that airplane panicked and pulled when he should have pushed. (Frankly his mistake was a rookie mistake that student pilots are supposed to unlearn within the first 20 hours of training.)
AF447 was a "rookie" problem? No.
From the WTF Wikipedia:
"There were three pilots in the aircrew:[23]
The captain, 58-year-old Marc Dubois (PNF-Pilot Not Flying)[24] had joined Air France (at the time, Air Inter) in February 1988 and had 10,988 flying hours, of which 6,258 were as captain, including 1,700 hours on the Airbus A330; had carried out 16 rotations in the South America sector since he arrived in the A330/A340 division in 2007.
The first offic
Re:*sigh* The vulnerabilities are not what we thin (Score:5, Interesting)
I did not say the pilots were rookies. I said the copilot made a rookie mistake:
I notice you didn't quote the relevant part of the Wikipedia article: [wikipedia.org]
Rookie mistake. (1) You always clearly announce who is in control of the aircraft. Generally this is announced by one pilot saying "my controls", and the other responding "your controls." Two pilots trying to do the opposite action is rookie mistake number 1.
(2) When the aircraft is in a stall, it's because insufficient air is flowing over the wing, and the wing cannot provide lift. This is solved by pushing the nose down, allowing the aircraft to regain airspeed. Bonin, the co-pilot, was pulling the stick back, which can only be read as that he panicked, and forgot training he should have learned while learning how to recover from stalls waaaaaay back when he first started learning to fly and got his basic pilot's certificate. The pilot pulling when he should push is rookie mistake number 2.
On top of all of this, your assertion:
Are you asserting flying is too hard for humans? Because that would worry the fuck out of me. Or are you asserting flying commercial jets is hard? Because there I'd completely agree with you; the most complex thing I've flown is a single-prop high-performance retractable out of a Class C airport in IFR, and the idea of flying a jet is intimidating as hell. But then, that's why the guys who fly commercial jets get additional training: to learn how to keep ahead of these highly sophisticated beasties.
Re: (Score:2)
Pulling back when you should put the nose down a bit is a rookie mistake. But that said, what no one, ever, has ever convincingly sold me on is an explanation as to WHY ON GOD'S GREEN EARTH did this aircrew on AF 447 drive the airplane, nose-high in a stall, all the way from cruise (they were above 30,000) to the sea the whole time.
I understand that on the airbus the stall horn shuts up when they had the nose hard up and would sound again if they pushed the nose down, but for fuck's sake, .... I just
Re: (Score:2, Informative)
On an airbus plane in normal law they are trained that the airplane will not allow them to stall and they can pull back all they like. So when the pilot sees indications that the plane is descending he pulls back, expecting the airplane to do whatever it needs to maintain controlled flight and eventually climb.
The problem is that when you lose normal law and go into direct law the airplane doesn't have the stall protections so you have to remember to push forward until you get the airspeed.
The fundamental
Re: (Score:3)
Nope, you misunderstood the explanation for the crew's reactions.
Firstly, the aircraft was in a data mismatch situation - it couldn't trust the information it was being given by external sensors, so it hands control back to the crew who have a standard check list for such a situation.
What the crew should have done was ride throttle and stick, increasing throttle with a slightly nose up attitude until the sensors became trustworthy again.
What they did was pull back on the stick and slow the aircraft down, giv
Re: (Score:2)
Actually, it has been explained properly: The co-pilots were both utter fucktards who had gone out to a nightclub, drinking alcohol and smoking weed, so their mental state was not the one required for proper high function in a crisis, as shown by the fact that they didn't even try to circumvent the storm. The captain had sleep issues and had gone to take a nap, and came to the cockpit mid-situation, with the two fucktards at the controls.
Re:*sigh* The vulnerabilities are not what we thin (Score:5, Informative)
The point of my recommendation is to connect the pilot back to all of the stick and rudder skills, including proficiency in handling stalls as well as smooth stick and rudder operations. The corporate landing mandate can be handled by taking over on the final approach, but I want the guy to be able to hand fly the airplane and demonstrate proficiency in stick and rudder skill (including shit you don't want to do with passengers, such as side slips and power-on and power-off stalls).
Remember, the guy who managed to put down the Gimli Glider (Air Canada Flight 143) [wikipedia.org] happened to also be an experienced glider pilot, so by accident he happened to be in the right place at the right time.
I don't like luck.
Re: (Score:2)
The solution to all of this is the solution first taught to student pilots flying their first Cessna 172: fly the damned plane. Left hand on the yoke, right hand on the throttles, both feet on the rudders, and do that stick-and-yoke thing so many of them have forgotten because they think the computer is the best pilot in the cockpit.
If I had my way, the first thing I'd mandate is that all commercial pilots--including those flying the largest A-380 airplanes--spend at least a few hours a month flying the same Cessna 172 they learned in. That way they remain viscerally connected to flying by stick and yoke--and when the computer acts up, as it always seems to do at the worst moment in the cockpit, you can still look out the window, see that piece of cement in the distance, and put the airplane down where it's supposed to go.
Great points, and when in the 172 (or Cherokee) cover up the instruments and let them do some real flying. The problem with all the advanced avionics (or instrumentation in many industries) is we put too much faith in the instruments and have lost that fingerspitzengefuehl that tells us something is not quite right and we need to do something. Information overload can be an issue as well as we bombard pilots or operators with a lot of data they then try to process, as well as how the data is presented. It's n
Re: (Score:2)
All good points as GPS is such a weak signal it does offer lots of opportunity for mischief. There is also the risk of someone with physical access reprogramming the avionics - think cleaning crew. Change one byte on a scaling coefficient on a fuel calculation then 1000 miles from land you are suddenly running on fumes. There are also multiple RF data links to the ground, but most of them are relatively low band width. Of course there is the whole electronic flight bag used to replace maps, th
Re: (Score:2)
Attack vectors would be for a passenger or someone on the ground to jam and spoof GPS signals,
This can be done from a laptop on a plane, too, fwiw.
Re: (Score:3)
That Air France Flight 447 went down was not due to "poor training" or because of a lack of ability to detect a cyber-attack, but because the copilot in that airplane panicked and pulled when he should have pushed. (Frankly his mistake was a rookie mistake that student pilots are supposed to unlearn within the first 20 hours of training.)
This is a gross oversimplification of what happened. A US pilot and airline safety expert wrote a book on the crash and his conclusion was that the junior co-pilot in charge of the plane reacted exactly as he was trained but there were issues with the training. It's a really complex situation regarding the crash. The pilot would almost certainly not have made the mistake that crashed the plane but he got 1 hour of sleep the night before and took his break early due to being tired. Inexplicably he put th
Re:*sigh* The vulnerabilities are not what we thin (Score:5, Informative)
Well, of course it was a gross oversimplification; I summed up a chain of events and circumstances and training and inputs and actions that can trace their roots back minutes, and even hours, back before the actual crash took place, into two pithy sentences.
But at the bottom of the stack, the airplane hit the water in a nose-up stall, having held the nose-up stall for several minutes as the plane descended from 30,000 feet to sea level. The plane hit the water in a nose-up stall because the co-pilot was pulling up on the yoke--countermanding the inputs from the pilot, without indicating who was in charge of the airplane. And the airplane maintained a nose-up stall through several minutes because the co-pilot was putting the wrong inputs on the controls, in almost complete contradiction to all the training he received--since there are no slow-speed aircraft attitudes where recovery is achieved by pulling the nose up. Zero. None. The only time you pull the yoke back to recover the aircraft is either (a) if you have an indication that you are going too fast, or (b) you're panicked and are trying to gain altitude. If you have the yoke up and the altimeter is unwinding, the hardest god damned thing in the world to do is the thing that will save your life, the thing the pilot of that aircraft was trying to do but the thing the co-pilot refused to try, is to push the nose down.
Now how we got to here--that's important. And probably more important than the co-pilot making a rookie mistake--because if we stop with "the co-pilot is an idiot", rather than trying to determine if there is something more we can do to assure greater safety in commercial flight, we've basically thrown up our hands and said "sometimes people die."
And that is unacceptable.
(Frankly, by the way, I wish more organizations or corporations thought like the FAA--which, when faced with pilot error, tries to understand why there was pilot error. They try to figure out if it was information overload or improper inputs or inattentiveness or improper training. They try to figure out how we can make flying safe, even with imperfect pilots and imperfect equipment.)
Now, I had a CFI who once told me that the people he hated the most to give checkrides to were commercial pilots. Because none of these guys have really had to do any real stick-and-rudder work since they first started working for the large commercial airlines. One of the scariest things he's ever done is to give a particular older pilot--retiring from the airlines and who bought his own little 4 seater prop airplane to continue to tool around in the air--a quick refresher in stalls. Because this guy seemed hell bent on doing exactly the wrong thing when the airplane started to buffet in that prelude to a stall, once nearly putting the aircraft into a fatal spin because he simply didn't know how to use the rudder.
It's why my wish is for all commercial pilots to spend some time each month in a Cessna 172, practicing things like power-on and power-off stalls.
Because I honestly and sincerely think if that co-pilot had recent experience with stalls, rather than (as is typical for a lot of those bus drivers) not having done stall work or rudder work for perhaps a decade or more, the 216 people who died aboard Air France 447 would be alive today.
Re: (Score:2)
they think the computer is the best pilot in the cockpit
Well, the ones who think that are, most likely, correct.
Re: (Score:2)
Re: (Score:2)
Cessna 172? WTF for? Maybe for one year. Have them BFR in a glider. A Cub the next time. Switch out to an RV with nothing but steam gauges, or maybe a Rutan design, and then any of the LSAs. An airline should be able to afford a fleet of small planes that take away all the electronic goodies and force the pilot to be more than a systems control engineer.
Then, put him BACK in the simulator and force him to prove that he can be a systems control engineer.
Re: (Score:2)
Huh? (Score:1)
Obligatory DEFCON Talk (Score:4, Informative)
https://www.defcon.org/images/defcon-22/dc-22-presentations/Polstra/DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf
I thought this was 23 but it was actually 22. Getting old.
Rick-roll them (Score:4, Funny)
Worst /. headline ever (Score:2)
Is it airlines, or airplanes, or both?
EVERYTHING is hackable at the moment (Score:2)
The Galactica (Score:1)
Already happened (Score:2)
see flight 370
Malaysia Airlines Flight 370 ... done (Score:2)
Test complet