A Hacker Can Takeover A Car Through Its Computer System — What About An Airplane?

malaysia jetlinerHackers can take over cars by hacking into their on board computer systems. Does it not stand to reason that they could do the same thing to an airplane? Maybe, maybe not, but a recent ruling by the FAA shows this was a concern for Boeing Model 777-200.

Over the last few years I have written several posts about whether hackers could take over the controls of cars by hacking them (here) and whether doing so would violate the Computer Fraud and Abuse Act. From the time of my first post on this subject in 2011 until now, this discussion has moved from the theoretical, of whether it was possible, to the certain. It is possible and this video shows how hackers do this to cars.

Now, with the search for answers to how the Malaysian Flight 370 jetliner — a huge Boeing 777-200 airplane — just disappeared without a trace, some are starting to question whether that jetliner could have been hacked. That is, whether it may have been taken over by hacking into its computer system, turning off its tracking devices, and diverting it to a secret location. Who knows, right?

I certainly do not profess to have any specialized knowledge about whether this is possible other than basic common sense that tells me if it can happen to a car, it can happen to an airplane.

One security researcher has purportedly demonstrated that it is possible to take control of an airplane’s navigation and cockpit systems with an Android smartphone app (Researcher takes controls of aircraft system with Android phone) but the FAA explained why the researcher’s test would not allow him to actually take over the controls of a real airplane as the researcher was using a simulator ( FAA: ‘No, you CAN’T hijack a plane with an Android app’ ).

Regardless, another very important piece of information has come to light. On November 18, 2013, the Federal Aviation Administration issued a ruling that addressed concerns it had about the Boeing Model 777-200’s computer system being vulnerable to unauthorized internal access: Special Conditions: Boeing Model 777-200, -300, and -300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access The FAA’s Ruling contained the following discussion:

The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. . . . [T]hese special conditions are being issued to ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.

Did the FAA’s special conditions issued in the Ruling alleviate this concern and adequately protect against the risk? We may never know. But, what we do know, is that this was a concern …

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the boarder of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice ). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

You should know this > “What do connected cars and toilets have in common?”

What do connected cars and toilets have in common? That is the title to a recent Blog Post about an upcoming presentation at VMWorld 2013, Barcelona and, when I read it, I just had to quiz my readers to see who remembered …

Come on now, you do know the answer to this question, right? I have blogged about hacking cars several times and, if you heard my presentation to the Privacy, Data Security, and eCommerce Committee of the State Bar of Texas back in August then you certainly should remember. [Presentation / hint: see slides 26 & 27 below] Do you remember now?

That is right, we are starting to see both “wired” cars and toilets that (a) have microprocessors and/or store data, and (b) are connected to the Internet, which means (c) under the Computer Fraud and Abuse Act they are considered to be “protected computers” and, (d) therefore, if wrongfully accessed (through the system, not physically) are covered by the CFAA. There you go – have a great day!

<div style=”margin-bottom:5px”> <strong> <a href=”https://www.slideshare.net/shawnetuma/overview-and-update-on-the-computer-fraud-and-abuse-act-cfaa-for-the-data-security-privacy-committee-of-state-bar-of-texas&#8221; title=”Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security &amp; Privacy Committee of State Bar of Texas” target=”_blank”>Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security &amp; Privacy Committee of State Bar of Texas</a> </strong> from <strong><a href=”http://www.slideshare.net/shawnetuma&#8221; target=”_blank”>Shawn Tuma</a></strong> </div>

Hackers continue to exploit vulnerabilities in car computer systems

Hacking Away

Hacking Away? No, Not That Kind of Hacking!

A couple of years ago I blogged about (what was then) the hypothetical question of whether hacking a car would violate the Computer Fraud and Abuse Act. Since that time we have seen the idea of hacking a car become a reality.  I have written updated blog posts in shared a video showing how hackers are doing this. Here is another article that takes it a step further: AP News: Hackers find weaknesses in car computer systems.

Car Hacking Is Very Real and Can Be Very Deadly — Watch This Video Of How To Do It

It is really quite simple: Modern cars are controlled by computers — everything, from the accelerator to the brakes to the steering to the windows to the locks — take over the computer, you take complete control over the car.

The idea of hacking a car is no longer fantasy. It is real. It can be very deadly.

Way back in 2011, I wrote a couple of posts about whether hacking a car would violate the Computer Fraud and Abuse Act. I really was being a bit silly when I first thought of this as I was just looking for a creative way to make a point. At first I did not really think that hacking a car was possible. I now know that it certainly is. And yes, I believe that hacking a car would violate the CFAA.

see more → Hacking a car? Yes, really…and you thought I was kidding! and Can stealing a CAR violate the Computer Fraud and Abuse Act?

In the August 12, 2013 issue of Forbes, hackers not only explain how to hack a car, but show you what happens in a video. You really need to watch the video in this article: Hackers Reveal Nasty New Car Attacks–With Me Behind The Wheel (Video)