An aircraft security expert has eased the worries of many frequent flyers this week — by reassuring them that aircrafts are not “hackable” in mid flight. Dr Phil Polstra of Bloomsburg University has the credentials – he holds 12 aviation ratings, all current, including aircraft mechanic and avionics technician, thousands of hours of flight time, and has worked on on the development of avionics found in modern airliners.
“Lots of bold claims concerning the feasibility of cyber-hijacking – and bold claims get lots of press. Most people don’t know enough to evaluate these claims. Whether you feel safer or even more scared should be based on facts,” he says.
Polstra’s collaborator, “Captain Polly” is also an academic dealing with avionics.
Santamarta’s presentation focuses on major brands, and widely used systems, and he claims that 100% of systems under test had vulnerabilities. Weak encryption and “backdoors” which could allow hackers control over communication are rife in all systems under test, according to RT. Some attacks can be performed with an SMS, Santamarta claims.
“These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says.
“Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities.”
The Black Hat security conference last week was dominated by one terrifying assertion – that avionics systems were vulnerable to hacks which could be set off as simply as by sending an SMS or via Wi-Fi.
Polstra’s presentation debunks the Wi-Fi hack threat, step by step. Strict rules prevent avionics systems from being accessible via wireless – except in Boeing aircrafts, which use a system “harder to hack” he says.
The Register reports, “Firstly, no commercial airliner’s avionics systems can be accessed from from either the entertainment system or in-flight Wi-Fi. Avionics systems are also never wireless, but always wired, and don’t even use standard TCP/IP to communicate.”
FAA rules state: “The applicant must ensure that the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.”
Several companies have already said that the research was flawed: Cobham said wireless hacks were “impossible”, and that a hacker would require physical access to systems.
“In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only,” said Caires.
At least one company has already come forward to state that the Wi-Fi hack used would be impossible in a “real world” situation. Other vendors have dismissed the risks as “very small”.
Polstra says, however, that increasing computerization may lead to future problems.“Increasing automation while continuing with unsecured protocols is problematic. Airliners are relatively safe (for now),” he concludes.
Author Rob Waugh, We Live Security