Hackers can take over cars by hacking into their on board computer systems. Does it not stand to reason that they could do the same thing to an airplane? Maybe, maybe not, but a recent ruling by the FAA shows this was a concern for Boeing Model 777-200.
May 18, 2015 Update: This post was first published on March 14, 2014. Just over a year later, on May 17, 2015, there are several news reports out about a hacker (i.e., “security researcher”) who claimed to have briefly commandeered a commercial airliner through its in-flight entertainment system. See Feds Say That Banned Researcher Commandeered a Plane
Over the last few years I have written several posts about whether hackers could take over the controls of cars by hacking them (here) and whether doing so would violate the Computer Fraud and Abuse Act. From the time of my first post on this subject in 2011 until now, this discussion has moved from the theoretical, of whether it was possible, to the certain. It is possible and this video shows how hackers do this to cars.
Now, with the search for answers to how the Malaysian Flight 370 jetliner — a huge Boeing 777-200 airplane — just disappeared without a trace, some are starting to question whether that jetliner could have been hacked. That is, whether it may have been taken over by hacking into its computer system, turning off its tracking devices, and diverting it to a secret location. Who knows, right?
I certainly do not profess to have any specialized knowledge about whether this is possible other than basic common sense that tells me if it can happen to a car, it can happen to an airplane.
One security researcher has purportedly demonstrated that it is possible to take control of an airplane’s navigation and cockpit systems with an Android smartphone app (Researcher takes controls of aircraft system with Android phone) but the FAA explained why the researcher’s test would not allow him to actually take over the controls of a real airplane as the researcher was using a simulator ( FAA: ‘No, you CAN’T hijack a plane with an Android app’ ).
Regardless, another very important piece of information has come to light. On November 18, 2013, the Federal Aviation Administration issued a ruling that addressed concerns it had about the Boeing Model 777-200’s computer system being vulnerable to unauthorized internal access: Special Conditions: Boeing Model 777-200, -300, and -300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access The FAA’s Ruling contained the following discussion:
The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. . . . [T]hese special conditions are being issued to ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.
Did the FAA’s special conditions issued in the Ruling alleviate this concern and adequately protect against the risk? We may never know. But, what we do know, is that this was a concern …
About the author
Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.