Claims by a security researcher that he hacked an aircraft in flight have been questioned across the hacking community and the airline industry.
According to a FBI affidavit, security researcher Chris Roberts claimed to have taken control of an airplane using a laptop connected to the aircraft’s In Flight Entertainment (IFE) system. From there he claims to have caused one engine to power up briefly.
Roberts claims to have hacked into the IFE systems of Airbus and Boeing aircraft around 15 or 20 times between 2011 and 2014, the affidavit states. Roberts said he “overwrote code on the airplane’s Thrust Management Computer,” causing the aircraft to yaw.
Fear of flying is common enough, and the thought that some attacker could take control of the aircraft from economy class adds a new horror to flying. But according to experts in the field the chances of such a hack are vanishingly small.
“IFE systems on commercial airplanes are isolated from flight and navigation systems,” Doug Alder, spokesman for Boeing Commercial told El Reg. “While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions.”
He points out that there are multiple safeguards built into Boeing aircraft systems and pilots are at liberty to cancel any commands that don’t feel right. Under the circumstances Boeing – and also it seems top law enforcement officials – aren’t too worried about the threat.
Then again that’s the response you’d expect to get from the industry. But there are plenty of people around who study aircraft hacking intensively and even they are highly skeptical about Roberts’ claims.
At last year’s DEFCON hackers’ meeting Dr Phil Polstra, professor of digital forensics at Bloomberg University (and a qualified commercial pilot and flight instructor), delivered a lecture on the feasibility of in-flight aircraft hacking. It turns out it’s a lot more difficult than you might think.
Aircraft IT systems are built around non-TCP/IP protocols called ARINC, with different number conventions for different aircraft, or AFDX on Airbus equipment. One of the key differences with this protocol is that it allows unidirectional data and will lock out a non-standard sending signal.
With regards to Roberts’ claims, Dr Polstra said that they were interesting and that he looked forward to discussing them with the researcher at a future DEFCON conference “assuming he is not in jail.” However the method of hacking seems unlikely.
IFE systems do receive some information from the engine-indicating and crew-alerting system (EICAS), chiefly the aircraft’s location and speed for those little progress maps, but this data comes through a unidirectional Network Extension Device (NED).
The EICAS gets its data from a hydromechanical controller which has an electronic interface, known as an EEC, and Roberts appears to be claiming that he overrode the EEC on one engine to produce the change of course.
“In order for this to actually happen he would need to be on a plane where the levels are not directly connected to the EEC, successfully compromise the EICAS, get the EEC to accept input from the EICAS (recall this is really a monitoring system), send a bogus mode change to climb, and somehow prevent the throttle quadrant from immediately sending a correct command,” he told the Register.
“On top of this long list of conditions there are two basic facts that would make his actually flipping a plane on its side unlikely. First, jet engines do have a spool up time so this wouldn’t happen immediately. Second, the second a pilot touches the levers new signals will be sent to the EEC. When you put this all together it seems unlikely that Chris was able to ‘take over’ this plane as he claimed.”
Another problem with Roberts’ story is that he claims to have accomplished all of this using a network connector in the black boxes under passenger seats that run the IFE systems. The affidavit states he was able to loosen the cover of the black box and install a non-standard connector to gain access.
Given the heightened awareness among most aircraft passengers nowadays this seems unlikely. As we’ve seen with the unsuccessful shoe bomber Richard Reid and Umar Farouk Abdulmutallab – a man forever to be known as the pants bomber – passengers are very wary of odd behaviour and aren’t afraid to jump in.
Nevertheless, in-flight hacking is definitely the fear-de-jour, particularly in light of the US Government Accounting Office’s (GAO) report into the matter and FBI warnings. It remains to be seen if Roberts has discovered a genuine hole, or if the authorities are just making sure their backsides are covered. ®