Submission + - GAO warns FAA of hacking threat to airliners (securityledger.com)
chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne, Security Ledger reports. (https://securityledger.com/2015/04/gao-warns-of-cyber-risks-in-flight/)
In a report issued Tuesday (GAO-15-370) (http://www.gao.gov/assets/670/669628.pdf), the GAO said that the FAA faces “challenges protecting aircraft avionics used to operate and guide aircraft” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.” Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.
The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that “unauthorized individuals might access and compromise aircraft avionics systems,” in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.
“According to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO said.
Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems. (http://www.reuters.com/article/2014/08/04/us-cybersecurity-hackers-airplanes-idUSKBN0G40WQ20140804)
In a report issued Tuesday (GAO-15-370) (http://www.gao.gov/assets/670/669628.pdf), the GAO said that the FAA faces “challenges protecting aircraft avionics used to operate and guide aircraft” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.” Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.
The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that “unauthorized individuals might access and compromise aircraft avionics systems,” in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.
“According to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO said.
Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems. (http://www.reuters.com/article/2014/08/04/us-cybersecurity-hackers-airplanes-idUSKBN0G40WQ20140804)
