According to DHS and other US government documents obtained by Motherboard, the DHS is continuing to investigate how insecure commercial aircraft are to cyber attacks, with one research lab saying hacking a plane may lead to a “catastrophic disaster.”
US government researchers believe it is only a matter of time before a cybersecurity breach on an airline occurs, according to government documents obtained by Motherboard. The comment was included in a recent presentation talking about efforts to uncover vulnerabilities in widely used commercial aircraft, building on research in which a Department of Homeland Security (DHS) team successfully remotely hacked a Boeing 737.
The documents, which include internal presentations and risk assessments, indicate researchers working on behalf of the DHS may have already conducted another test against an aircraft. They also show what the US government anticipates would happen after an aircraft hack, and how planes still in use have little or no cybersecurity protections in place.
“Potential of catastrophic disaster is inherently greater in an airborne vehicle,” a section of a presentation dated this year from the Pacific Northwest National Laboratory (PNNL), a Department of Energy government research laboratory, reads. Those particular slides are focused on PNNL’s findings around aviation cybersecurity.
“A matter of time before a cyber security breach on an airline occurs,” the document adds.
A separate 2017 document obtained by Motherboard says “early testing indicates that viable attack vectors exist that could impact flight operations.”
Motherboard obtained the documents through a Freedom of Information Act request to the DHS Science & Technology Directorate (S&T).
In 2016, the DHS S&T established a multi-agency group to carry out cybersecurity vulnerability evaluations of airplanes. That same year, the team of government, industry, and academic officials demonstrated how to remotely hack a commercial aircraft in a non-laboratory setting, trade publication Avionics reported last year. Robert Hickey, the DHS S&T’s aviation program manager, said the details of that hack are classified, but added that the team accessed the aircraft’s systems through radio frequency (RF) communications and equipment that could be passed through airport security, according to the original Avionics report.
The documents obtained by Motherboard suggest the DHS-backed team may have already conducted another test against an aircraft. Listed in a 2016 DHS presentation are several planned tests, including “external RF,” seemingly referring to the previously reported test. The document then mentions another test, this time focused on Wi-Fi and in-flight entertainment systems, and designated to the PNNL researchers.
The DHS has withheld large sections of the files under exemptions dealing with, among other things, protecting trade secrets and information intended for law enforcement purposes.
But other sections of the documents obtained by Motherboard indicate some of the issues researchers may have encountered while probing aircraft for vulnerabilities.
“Today’s commercial aviation backbone is built upon a network of trust; most commercial aircraft currently in use have little to no cyber protections in place,” a 2016 DHS presentation says. Boeing estimates a 20 year plus service life for its current aircraft which means “15-20 years of higher cyber vulnerability,” the DHS document adds.