A Hacker Can Takeover A Car Through Its Computer System — What About An Airplane?

malaysia jetlinerHackers can take over cars by hacking into their on board computer systems. Does it not stand to reason that they could do the same thing to an airplane? Maybe, maybe not, but a recent ruling by the FAA shows this was a concern for Boeing Model 777-200.

May 18, 2015 Update: This post was first published on March 14, 2014. Just over a year later, on May 17, 2015, there are several news reports out about a hacker (i.e., “security researcher”) who claimed to have briefly commandeered a commercial airliner through its in-flight entertainment system. See Feds Say That Banned Researcher Commandeered a Plane

Over the last few years I have written several posts about whether hackers could take over the controls of cars by hacking them (here) and whether doing so would violate the Computer Fraud and Abuse Act. From the time of my first post on this subject in 2011 until now, this discussion has moved from the theoretical, of whether it was possible, to the certain. It is possible and this video shows how hackers do this to cars.

Now, with the search for answers to how the Malaysian Flight 370 jetliner — a huge Boeing 777-200 airplane — just disappeared without a trace, some are starting to question whether that jetliner could have been hacked. That is, whether it may have been taken over by hacking into its computer system, turning off its tracking devices, and diverting it to a secret location. Who knows, right?

I certainly do not profess to have any specialized knowledge about whether this is possible other than basic common sense that tells me if it can happen to a car, it can happen to an airplane.

One security researcher has purportedly demonstrated that it is possible to take control of an airplane’s navigation and cockpit systems with an Android smartphone app (Researcher takes controls of aircraft system with Android phone) but the FAA explained why the researcher’s test would not allow him to actually take over the controls of a real airplane as the researcher was using a simulator ( FAA: ‘No, you CAN’T hijack a plane with an Android app’ ).

Regardless, another very important piece of information has come to light. On November 18, 2013, the Federal Aviation Administration issued a ruling that addressed concerns it had about the Boeing Model 777-200’s computer system being vulnerable to unauthorized internal access: Special Conditions: Boeing Model 777-200, -300, and -300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access The FAA’s Ruling contained the following discussion:

The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. . . . [T]hese special conditions are being issued to ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.

Did the FAA’s special conditions issued in the Ruling alleviate this concern and adequately protect against the risk? We may never know. But, what we do know, is that this was a concern …

About the author

Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

You should know this > “What do connected cars and toilets have in common?”

What do connected cars and toilets have in common? That is the title to a recent Blog Post about an upcoming presentation at VMWorld 2013, Barcelona and, when I read it, I just had to quiz my readers to see who remembered …

Come on now, you do know the answer to this question, right? I have blogged about hacking cars several times and, if you heard my presentation to the Privacy, Data Security, and eCommerce Committee of the State Bar of Texas back in August then you certainly should remember. [Presentation / hint: see slides 26 & 27 below] Do you remember now?

That is right, we are starting to see both “wired” cars and toilets that (a) have microprocessors and/or store data, and (b) are connected to the Internet, which means (c) under the Computer Fraud and Abuse Act they are considered to be “protected computers” and, (d) therefore, if wrongfully accessed (through the system, not physically) are covered by the CFAA. There you go – have a great day!

<div style=”margin-bottom:5px”> <strong> <a href=”https://www.slideshare.net/shawnetuma/overview-and-update-on-the-computer-fraud-and-abuse-act-cfaa-for-the-data-security-privacy-committee-of-state-bar-of-texas&#8221; title=”Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security &amp; Privacy Committee of State Bar of Texas” target=”_blank”>Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security &amp; Privacy Committee of State Bar of Texas</a> </strong> from <strong><a href=”http://www.slideshare.net/shawnetuma&#8221; target=”_blank”>Shawn Tuma</a></strong> </div>

Hackers continue to exploit vulnerabilities in car computer systems

Hacking Away

Hacking Away? No, Not That Kind of Hacking!

A couple of years ago I blogged about (what was then) the hypothetical question of whether hacking a car would violate the Computer Fraud and Abuse Act. Since that time we have seen the idea of hacking a car become a reality.  I have written updated blog posts in shared a video showing how hackers are doing this. Here is another article that takes it a step further: AP News: Hackers find weaknesses in car computer systems.

Car Hacking Is Very Real and Can Be Very Deadly — Watch This Video Of How To Do It

It is really quite simple: Modern cars are controlled by computers — everything, from the accelerator to the brakes to the steering to the windows to the locks — take over the computer, you take complete control over the car.

The idea of hacking a car is no longer fantasy. It is real. It can be very deadly.

Way back in 2011, I wrote a couple of posts about whether hacking a car would violate the Computer Fraud and Abuse Act. I really was being a bit silly when I first thought of this as I was just looking for a creative way to make a point. At first I did not really think that hacking a car was possible. I now know that it certainly is. And yes, I believe that hacking a car would violate the CFAA.

see more → Hacking a car? Yes, really…and you thought I was kidding! and Can stealing a CAR violate the Computer Fraud and Abuse Act?

In the August 12, 2013 issue of Forbes, hackers not only explain how to hack a car, but show you what happens in a video. You really need to watch the video in this article: Hackers Reveal Nasty New Car Attacks–With Me Behind The Wheel (Video)