For some time now, security researchers have talked about critical vulnerabilities present in airplanes, but over the last couple of years there has been an increase in research work aimed at identifying these vulnerabilities so they can be fixed.
Recently, at the 2017 CyberSat Summit on November 8th, Robert Hickey, the program manager at the Department of Homeland Security’s Cyber Security Division, revealed that their security researchers remotely hacked a Boeing 757 parked at the airport in Atlantic City, New Jersey on Sept. 19, 2016.
According to Avionics Today, Hickey said, “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
Although technical details of the hack haven’t been released yet, Hickey said his team was able to breach the system’s security by exploiting flaws in the 757’s “radio frequency communications.” The first reaction of his team was “We’ve known that for years,” and, “It’s not a big deal,” Hickey told Defense Daily.
However, when a group of pilots from Delta and American Airlines was briefed about the vulnerabilities, they were clueless. “All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey said.
Boeing stopped production of the 757 in 2004; however, in July 2017, there were 738 Boeing 757 aircraft of all variants in commercial service, with operators including American Airlines, DHL Air, Delta Air Lines, FedEx Express, UPS Airlines, Icelandair and United Airlines. Also, according to CBS, President Donald Trump and Vice President Pence often use the 757.
What’s more shocking, according to Hickey, is that 90% of commercial planes don’t have protections, while only new models of the 737 and 787 and the Airbus Group A350 have been designed with security in mind.
Boeing was informed about the findings of the DHS security researchers. In a comment to CBS, Boeing said, “We firmly believe that the test did not identify any cyber vulnerabilities in the 757 or any other Boeing aircraft.”
Remember, in April 2015, the US Government Accountability Office (GAO) stated in its report that vulnerable in-flight WiFi systems could let hackers remotely take over modern aircraft. The report came days after World Labs’ IT security expert Chris Roberts identified risks in airplane in-flight entertainment systems.
In 2016, USA Today reporter Steven Petrow revealed how a fellow passenger hacked his email during an American Airlines flight from North Carolina to Dallas, Texas, while he was working on an article about the Apple and FBI issue.