Experts Tell GAO On-Board Wi-Fi Could Provide Access Point For Passenger- Or Ground-Based Attack

A Government Accountability Office report says that some aircraft, such as Boeing's Dreamliner and the Airbus A350 and A380, may be vulnerable to cyber attacks because their cockpits are connected to the same Wi-Fi routers accessible by passengers.

The report, posted on the GAO website Tuesday, says that  modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems.

Aircraft information systems consist of avionics systems used for flight and in-flight entertainment. Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them.

Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment services onboard.

However, four cybersecurity experts interviewed for the report discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.

The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.

An FAA official said that additional security controls implemented onboard could strengthen the system.

FAA officials and experts interviewed by the GAO said that modern aircraft are also increasingly connected to the Internet, which also uses IP networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.

FAA officials and cybersecurity and aviation experts said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems. One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.

The report says that the FAA’s Office of Safety began developing a larger airworthiness rule covering avionics cybersecurity in 2013 but determined more research was necessary before rulemaking could begin and halted the process. In December 2014, FAA tasked its Aviation Rulemaking Advisory Committee (ARAC) with submitting a report within 14 months of the March 2015 kickoff meeting that provides recommendations on rulemaking and policy, and guidance on best practices for information security protection for aircraft, including both certification of avionics software and hardware, and continued airworthiness.

FAA has also taken steps to better coordinate its cybersecurity efforts, according to the report. FAA runs exercises that simulate cyber attacks and are designed to increase internal collaboration and help clarify roles during such events.

The GAO said that while FAA is working to transform the organization of its cybersecurity efforts, the experts it consulted said that it could improve upon those efforts by including all key stakeholders in its agency-wide approach. All 15 cybersecurity and aviation experts interviewed agreed that organizational clarity regarding roles, responsibilities, and accountability is key to ensuring cybersecurity across the organization. In addition, the five experts who commented on stakeholder inclusion all said that because aircraft avionics systems have the potential to be connected to systems outside the aircraft, aircraft cybersecurity issues should be included in an agency-wide cybersecurity effort.

FMI: Full Report