Can an airliner really be taken over by a passenger using the plane’s Wi-Fi? One security consultant was questioned by the FBI after claiming he could hack into a plane’s flight systems via the cabin network. The consultant publicly announced that he was able to compromise airplane networks, including accessing the in-flight entertainment system and forcing a plane to briefly change course and fly sideways, an action that highlighted a key vulnerability in aviation cybersecurity.
That’s not the worst of it. There are reports going back to 2008 that hackers compromised Federal Aviation Administration computer systems. And the FAA’s Next Generation Air Transportation System could be open to attacks as well.
These incidents underscore the vulnerability of in-flight networks and computer systems and the need for increased aviation cybersecurity as passengers and aircrew increasingly use smartphones and tablets. While the airline industry is widely admired for its safety record regarding equipment and passengers, aviation cybersecurity lacks the same strict, well-known procedures. Modern airliners are essentially digital machines, a complex web of devices and controls that could be vulnerable to attack. Without the proper precautions, cockpit avionics systems could be accessed from in-flight entertainment systems, for instance.
With the influx of in-flight entertainment and network-enabled maintenance and management functionality, an airliner at 30,000 feet is in constant contact with the ground. That means airline payment systems are vulnerable to the same types of cyberattacks seen on the ground, launched in this case by other passengers on the plane’s Wi-Fi. Passengers using an airline’s in-flight connection are often subject to lax security protocols that fall short of the standard procedure for a business network on the ground. Published reports outline the possibilities and realities of attacks on email and other services while in the air.
Any website that passengers visit could provide a vector for a malicious attacker to access onboard information and systems through passengers’ infected machines. But the worst-case aviation cybersecurity scenario is that a plane’s systems are hacked to affect its course, controls and passenger safety.
Industry and Government Respond to Aviation Cybersecurity Threats
Spurred by incidents like the one mentioned above as well as other vulnerabilities, airlines and the Federal Aviation Administration are preparing to do more to secure in-flight networks and computer systems from attack.
In April 2016, Sen. Ed Markey introduced the Cybersecurity Standards for Aircraft to Improve Resilience Act, or Cyber AIR Act, which would require the FAA to develop cybersecurity guidelines for the aviation industry and would require airlines to report cyberattacks to the government. The industry recognizes the need to define which mission-critical systems must be protected at the highest level. Items such as customer information or airline payment systems, by comparison, need reasonable security protections and must meet the same security standards as their ground-based counterparts.
Of course, some of the threats in the air are the same as on the ground — a hacker can grab personal information over an unsecured Wi-Fi network no matter where it’s located. But the aviation sector has some unique concerns, such as the threat of using a compromised computer system to change a plane’s course.
Mobile Devices Challenge Cybersecurity Strategies
One recent wrinkle in aircraft security is the boom in onboard mobile devices that connect to the networks. Early on, flight attendants used them to accept payments. Now passengers can use devices provided by the airline or bring their own smartphones and tablets onboard. Tablets are also widely used as electronic flight bags for pilots, replacing pounds of printed manuals and checklists.
Frontier Airlines is one of the latest airlines to adopt tablets as a mobile point-of-sale system to serve passengers. The Denver-based airline will provide tablets for flight attendants to use for food and beverage operations, secure payment processing and crew-level transaction activity tracking.
Additional Security for Mobile Devices
Legislation is one step toward making airlines more secure, but enterprise users should also evaluate the need for additional security solutions on mobile devices that may be deployed to pilots, flight attendants and ground staff, or provided to passengers. For example, Samsung Knox is an end-to-end mobile security platform built into many of the latest Samsung smartphones and tablets, protecting devices at every layer, from hardware through software to applications. Additionally, configuration solutions such as Knox Customization allow enterprises to control and configure mobile devices to meet their requirements, such as removing or limiting access to the usual apps that come with the system.
With these additional protections in place, airlines can take advantage of the networked world with a trusted and robust mobile platform. Fortunately, the hack the security consultant used to access the plane’s systems was patched. But as airlines become even more connected, aviation cybersecurity measures will continue to present challenges across the industry.