Back in 2015, Chris Roberts, a security expert made a joke on Twitter that he could hack the on-board controls of an airplane he was in. The hack that Mr. Roberts executed was possible because of a Wi-Fi flaw he found via of the aircraft’s in-flight entertainment system. This in turn allowed him to access controls to the aircraft’s engines and other critical systems.
It now seems that Mr. Roberts was spot on with his not so funny joke, and his hacking claims have now been confirmed. A team of Department of Homeland Security hackers hacked the controls of a 757 in 2016 using a flaw in the radio frequency communications. During his keynote address, DHS Investigator Robert Hickey revealed his team’s findings of their hack at the 2017 CyberSat Summit in Tysons Corner, Virginia. Mr. Hickey is an Aviation Program Manager inside the Cyber Security Division of the DHS Science and Technology Directorate.
During his speech, Mr. Hickey revealed that he and his team remotely hacked a Boeing 757 parked at the Atlantic City, New Jersey Airport. The ability for hackers to control an airplane is not new as government officials and industry insiders have known for years. It is relatively easy for a hacker with the right tools and knowledge to take over the controls of an aircraft, even from the most experienced pilots and experts in the aviation industry.
Pilots with America’s top legacy airlines were not pleased DHS officials have been holding on to this information. Meeting with pilots, Robert Hickey said, “All seven of them broke their jaw hitting the table when they said, ‘you guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible.”
The hack took place on September 19, 2016, on an aircraft which is owned by DHS, so no passengers were ever in any danger. The specific details of the radio frequency hack are classified causing concern among pilots and others in the aviation industry. Because the details of the hack are classified, others outside DHS don’t possess the knowledge to fix it or how relevant the hack is outside of a controlled environment.
Explaining how the hack was performed, Mr. Hickey said, “We got the airplane on September 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative penetration. Which means I didn’t have anybody touching the airplane. I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
Fixing flaws relevant to aircraft control systems is not cheap. In order to change one piece of code on avionics equipment costs $1 million. Further complicating the change is that it takes a year to implement. For small airlines this could mean financial disaster if details of a flaw were made public specific to their aircraft. Add into the mix that maintenance teams are not equipped to deal with cyber hacks, airlines and even the folks at the United States Airforce are constantly looking for ways to make things easier, cheaper, and safer when it comes to plugging the holes of these vulnerabilities, but until DHS declassifies materials relevant to their hacks, commercial airliners are in a difficult position. The only alternative would be to screen and grant classified material access to select airline employees, which may be something needed in order to create a synergistic environment, one where passengers are safe, and airlines are profitable.