Reports cite Wi-Fi as potential security threat to avionics

A U.S. Government Accountability Office (GAO) report recommending that the Federal Aviation Administration (FAA) develop a more comprehensive approach to address cybersecurity as it transitions to its NextGen air traffic control (ATC) system sparked a flurry of reports about how in-flight Wi-Fi could be used by terrorists or other hackers to take control of an aircraft's avionic systems.

NPR and other media outlets reported that the same Wi-Fi systems passengers use in the sky on planes could allow a hacker to bring down a plane. One of the authors of the GAO's report, Gerald Dillingham, told NPR that newer air traffic control systems will be essentially Internet-based and will be better, but at the same time, there will be more avenues in which the potential for a cyber intrusion could occur, including through the Wi-Fi system on a plane that passengers use, especially on newer aircraft.

"Someone who has a laptop in the cabin or maybe even on the ground, there was the potential that they could breach the avionics of the aircraft," he told NPR. He stressed that it's not an imminent threat but a potential one, and that the FAA is taking precautions, including putting up several firewalls.

But firewalls can be hacked, and that has gotten the attention of lawmakers like Rep. Peter DeFazio, D-Ore., who told NPR that not only are better firewalls needed, but "these systems should be totally segregated."

NextGen is a modernization effort the FAA started in 2004 to transform the nation's ground-based ATC system into a system that uses satellite-based navigation and other advanced technology. The new networking technologies expose the system to new cybersecurity risks, according to the GAO report.

Interestingly, the GAO report does not specifically name Wi-Fi as the culprit. Phil Polstra, a pilot and professor of digital forensics at Bloomberg University, told Forbes that the GAO report contained much erroneous information. He disputed claims that as airplanes are increasingly connected to the Internet, the control systems on them are in danger of being remotely compromised.

The avionics networks, which deal with flight controls and coordination, are not connected to the Internet like Wi-Fi services, he told Forbes via email. Modern aircraft use standardized Internet connections over Ethernet and IP addresses, but there is no real threat to passenger safety from Wi-Fi hackers in the air, as many reports asserted.

"To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breath air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane," Polstra told Forbes.

There were reports floating around back in 2008 that said Boeing had at some point decided to not segregate the flight control systems from the seat-back entertainment systems and would, instead, firewall them from each other. Wired reported seven years ago that the Boeing 787 Dreamliner jet's passenger compartment, designed to give passengers in-flight Internet access, was connected to the plane's control, navigation and communication systems.

According to the GAO report, the FAA's legacy systems consist primarily of decades-old, point-to-point, hardwired information systems, such as controller voice-switching systems, that share information only within their limited, wired configuration. "In contrast, FAA plans for NextGen call for the new information systems to be networked together with IP technology into an overarching system of interoperating subsystems," the GAO said.

"FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems," the report says. "One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines."

The report also said that the presence of personal smartphones and tablets in the cockpit, for example, "increases the risk of a system's being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems."

Four cybersecurity experts with whom the report's authors spoke discussed firewall vulnerabilities, and all four said that "because firewalls are software components, they could be hacked like any other software and circumvented," according to the report. "The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. An FAA official said that additional security controls implemented onboard could strengthen the system."

The GAO report concludes that while the FAA is making strides to address risks, it has not developed a holistic threat model that would describe the security risks to its information systems. The GAO report recommends that the Secretary of Transportation should instruct the FAA administrator to develop a plan to fund and implement National Institute of Standards and Technology (NIST) revisions within the Office of Management and Budget's (OMB) time frames.

For more:
- listen to the NPR story
- see the GAO report
- see this Forbes article
- see this Newsweek story

Related articles:
Qualcomm, Gogo continue clash over in-flight spectrum rules
Gogo would be 'happy' to talk with AT&T about leasing spectrum, CEO says
Qualcomm plan for 500 MHz of in-flight broadband spectrum wins initial FCC nod