SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
13 Oct 2015

European aviation body warns of cyber-attack risk against aircraft

The chief of Europe's top airline safety agency warned that cyber-criminals could hack into critical systems on an airplane from the ground.

Over the past two years, there has been an increasing number of cyber-security incidents reported in the aviation industry.

Patrick Ky, director of the European Aviation Safety Agency, told European aviation journalists at a meeting of the Association des Journalistes Professionnels de l'Aéronautique et de l'Espace (AJPAE) that his organisation had hired a penetration tester to find and exploit vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit messages between aircraft and ground stations. Ky said the white-hat hacker, who was also a professional pilot, took five minutes to crack the messaging system. It was another couple of days before the same consultant managed to gain access to aircraft control systems.

“For security reasons, I will not tell you how he did it, but I'll let you judge if the risk is high or low,” Ky said.

According to the report, research conducted by the International Civil Aviation Organisation last year said that, as aircraft navigation and other control systems are effectively separated from non-critical systems such as entertainment, the risk of hacking critical systems was low. But experts rejected this and warned that because ACARS uses a proprietary encoding/decoding scheme in use since 1978, it was not designed with cyber-security in mind and is therefore vulnerable to attack.

Ky said that the next generation of air traffic management systems such as the Single European Sky ATM Research, or Sesar, will need protecting. Sesar relies a lot on satellite-based communications, navigation and surveillance systems. “With the introduction of SESAR and the possibility for the air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied,” said Ky. “We need to start by putting in place a structure for alerting airlines on cyber-attacks.”

He said that in the longer term, the EASA, which is responsible for making sure aircraft are safe, could also certify airline equipment against being hacked.

Mike Westmacott, cyber consultant at Thales UK, said that as the article does not disclose the attack vectors, tools or techniques used, it is impossible to determine the level of risk associated with the claims. “It is, however, possible to present levels of risk for theoretical situations. If the penetration tester (who was also a pilot) was able to obtain access to the ACARS message system from the on-plane public Wi-Fi, or from any facility that the public has access to, then the risk would be substantial – and any aircraft exposing such a vulnerability would likely be immediately grounded,” he said.

“If on the other hand the tester (as a pilot) was able to use a connection that was restricted access (physically – such as in the cockpit or staff areas) then the risk is reduced, potentially significantly.”

Westmacott added that airlines must ensure that safety-critical systems and control networks are segregated from publicly accessible facilities, and that aircraft designs and their systems are subject to a full and thorough risk assessment and suite of technical assessments.

What can hackers actually do with modern aircraft?

Trey Ford, global security strategist at Rapid7, said that a simple review of message validation and workflows around questionable or suspected manipulated communications would effectively manage this. “The workflows already exist, but not with an expectation of malice as much as failed equipment,” he said.

Carl Herberger, who looks after security solutions for Radware, used to be in the US Air Force and was an Electronic Warfare Officer on B52 bombers. He told SC that an attack on airplanes was “absolutely possible”.

“It's long been recognised that hackers can get access to the Aircraft Communications Addressing and Reporting System (ACARS). In fact, in 2013 it was proved that the ACARS could be intercepted and hackers could sabotage this communication channel via a purpose-built Android app. It's possible because this system does not have any real authentication features nor prevention of spoofed commands built in,” he said. He added that Boeing warned the US government about it with regards to its Boeing 777 when it was seeking certificates for airworthiness. It said at the time that the way the on-board network is designed doesn't allow for cyber-security, added Herberger.
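The two gaps named above, no message authentication and validation workflows that assume faulty equipment rather than malice, are sketched below from the receiving side. This is an added example, not code from the article or from any ACARS implementation; the message layout, key, identifiers and workflow names are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; key provisioning is out of scope

ACCEPT = "accept"
FAULT = "reject: malformed, equipment-fault workflow"
FORGED = "reject: bad tag, suspected-manipulation workflow"
REPLAY = "reject: stale counter, suspected-replay workflow"


def seal(aircraft: str, seq: int, text: str, key: bytes = KEY) -> str:
    """Sender side: append an HMAC-SHA256 tag over id, counter and text."""
    body = f"{aircraft}|{seq}|{text}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class Receiver:
    """Validates each message and names the workflow a rejection goes to."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = {}  # highest accepted counter per aircraft id

    def triage(self, wire: str) -> str:
        fields = wire.split("|")
        if len(fields) < 4 or not fields[1].isdecimal():
            return FAULT  # structurally broken: treat as a fault
        body, tag = wire.rsplit("|", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means altered or forged content.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return FORGED
        aircraft, seq = fields[0], int(fields[1])
        if seq <= self.last_seq.get(aircraft, -1):
            return REPLAY  # authentic but already seen: a re-sent capture
        self.last_seq[aircraft] = seq
        return ACCEPT


def demo() -> list:
    rx = Receiver()
    genuine = seal("TAIL01", 7, "REQUEST FL350")  # constructed message
    altered = genuine.replace("FL350", "FL150")   # text changed, tag unchanged
    return [rx.triage(genuine), rx.triage(altered),
            rx.triage(genuine), rx.triage("TAIL01|garbled")]


if __name__ == "__main__":
    print("\n".join(demo()))
```
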

“Security professionals have long understood the threat that embedded systems create for modern day critical infrastructure – the airline industry is no different. There needs to be collaboration between the industry, security experts, aviation authorities and governments to test and protect these systems but above all drive best practice for detecting and mitigating attacks into the engineering, to ensure public safety is built in well before the plane has left the drawing board,” said Herberger.

Tags: information leaks
Source: SC Magazine
SafeUM © Safe Universal Messenger
