Last week there were several reports that the cybersecurity experts working with the US Department of Homeland Security (DHS) were able to successful hack into the IT systems of a Boeing 757 aircraft while it was parked on the runway at Atlantic city airport.
Robert Hickey, the aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T), said “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
While details of the hack remain classified, it is understood the hack was accomplished using the aircraft’s radio frequency communications. Hickey affirmed that nobody on the hacking group was permitted to touch or be permitted inside the plane to eliminate the likelihood of insider threats. Moreover, the group just utilised instruments that would be customarily permitted through air terminal security. Utilising these apparatuses, the group effectively invaded the flying machine’s framework.
It should be noted, in the 1983 757 variant used, RF delivery would be ACARS (aircraft communications addressing and reporting system), so it is probable that this was the entry point. The Classics variants are mostly retired, and while the NextGens might have WiFi, they were all added without connecting to the cockpit. So the risk is more of a nuisance factor, but it does start to demonstrate that any poorly implemented design could open the door to a more sinister opportunity.
The Aviation Today report on this story also discusses the impacts of trying to fix software that resides within an aircraft. Unlike traditional software that you might find in your phone or on your PC, the software that goes inside an aircraft needs to be implemented to a stringent standard known as DO-178C.
Hickey states, “Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive. The cost to change one line of code on a piece of avionics equipment is $1 million and it takes a year to implement. For Southwest Airlines [LUV], whose fleet is based on Boeing’s 737 aircraft, it would “bankrupt” them if a cyber vulnerability was specific to systems onboard 737s.” He added, “Other airlines that fly 737s would also see their earnings hurt.”
You can learn more about DO-178C, and the philosophy behind avionics certification here. The site is maintained by one of the leading experts in Avionics Certification, Vance Hilderman.