A team of government researchers successfully accessed the systems of a Boeing 757 in a non-laboratory environment in 2016, a Department of Homeland Security (DHS) cybersecurity official claimed late last year at the 2017 CyberSat Summit in Tysons Corner, Virginia. However, the results of this test likely do not pose a major risk to airlines at this time due to the expertise required, researchers concluded.
According to Robert Hickey, a program manager within DHS’s Science and Technology (S&T) Directorate’s Cyber Security Division, he and his team of researchers were able to successfully access the internal systems of a legacy 757 using only tools that can pass through a standard airport security checkpoint. They were able to accomplish this without having a person on the aircraft itself.
The test began on Sept. 19, 2016, at an airport in Atlantic City, New Jersey. Within two days, the team conducting the test established a presence on a legacy 757 purchased by DHS for the experiment. Although Hickey declined to comment on the details of their attack, he reported that they gained access through radio frequency (RF) communications.
Boeing was reportedly included in the testing process. After the test became public, Boeing said, “We firmly believe that the test did not identify any cyber vulnerabilities in the 757 or any other Boeing aircraft.”
This statement suggests that the researchers were likely able to access the aircraft’s system using aspects of RF communications that are considered standard, not a glitch. Researchers therefore likely accessed internal systems by sending a carefully crafted malicious communication along standard RF pathways to the aircraft. This message then served as the foothold from which the researchers were able to gain greater access to the rest of the aircraft.
Accessing RF communications pathways like this is relatively simple for a malicious actor, because there is no authentication used along these pathways in older systems. However, authentication is being adopted for these pathways in newer systems, making this attack vector successful only against legacy systems.
This does not greatly reduce the risk of the attack vector discovered by DHS, because many 757s currently used in commercial aviation still rely on the legacy systems.
System 'Presence,' Not Control
The risk of the attack is limited by the cyber actors’ capabilities once they have accessed the aircraft’s systems. In describing the DHS test, Hickey said the researchers were able to establish a “presence” on the aircraft’s systems, but he did not elaborate on what that meant.
Typically, the term "presence" refers to a cyber actor’s ability to remain on the system after accessing it. The concept of presence, or persistence, on a system does not mean that the cyber actors can control the systems. Presence may simply mean that the actors can observe the activities without influencing them.
RF communications are most commonly used for communications and navigation. Therefore, a malicious cyber actor monitoring these systems is certainly a cause for concern, but does not present a significant threat, unless the actors can control or manipulate these systems.
If the researchers were able to control aspects of the aircraft’s system or change data displayed, the results of this test pose a significant risk to civilian aviation. Information released regarding the test thus far does not indicate this.
Even if the researchers were able to gain control over some functionalities, malicious cyber actors are unlikely to be able to gain full control of an aircraft’s systems remotely because of the systems’ complexities. The various interdependencies within avionics make control very difficult.
Malicious cyber actors could instead change data to manipulate standard aircraft processes. For example, attackers could insert malicious signals that confuse navigation equipment or reroute lines of communications. This type of cyber attack is simpler to conduct, but still requires a high degree of expertise and knowledge of aviation systems.
The team of researchers included people from the Massachusetts Institute of Technology (MIT), a national laboratory, the U.S. Air Force, the University of California San Diego, SRI International, and QED Secure Solutions. The former Air Force officer had prior experience assessing the cyber vulnerabilities of B-52 bombers and Minuteman III intercontinental ballistic missiles.
Their combined expertise put this attack vector outside of the realm of possibility for most attackers, including terrorist organizations. Nation-state hackers may possess the necessary skills, but those with that capability currently are not thought to have the intent to conduct such an attack.
The success of this test is the first confirmed report of a cyber actor successfully remotely accessing the internal systems of an aircraft. In 2015, a security researcher claimed to have gained access to an aircraft’s internal systems through on-board entertainment systems, but these claims were never substantiated or repeated in a laboratory environment.
The validity of DHS’s test is similarly limited by the lack of peer review of their findings. While their claims are considered to be true, the threat of the attack is limited by others’ ability to repeat their findings.