Cyber-hijacking an airplane and taking control of its flight capabilities is a recipe for a thrilling and scary action movie. You know what’s scary?
The category for such film is simply an action movie and not a science fiction one. This is because such scenario is certainly possible according to this online security group.
IOActive is a company that specializes in offering cyber security solutions for small to mid businesses.
If you don’t know, IOActive hit the mainstream media when they hacked a Jeep Cherokee’s onboard system vulnerabilities.
The vulnerabilities gave the IOActive’s team access to the transmission, brakes, and steering control.
As a demonstration, they successfully hacked a Jeep Cherokee from 10 miles away, took control of the vehicle and made it veered off the road.
The same vulnerabilities in the Jeep Cherokee are also present in the 470,000 running cars manufactured by Fiat Chrysler.
Recently, IOActive announced that major airlines, like Qatar, Virgin, American Airlines, United, and Emirates are vulnerable to an electronic hijacking.
If the hack is successful, the hacker would gain access to several flight systems. In fact, taking control of the plane is not a far-fetch idea. So how do they hack an airplane then?
Before you can hack something, you need to find security vulnerabilities. The funny part, or the scary part (whichever you want to interpret it), the vulnerabilities are not located within the cockpit. It’s actually the in-flight entertainment.
Panasonic Avionics in-flight entertainment system is the standard for many of the major airlines.
For now, it’s being used by 13 major airlines. For a hacker that knows what he/she is doing, this widespread in-flight entertainment system provides a gateway for absolutely terrifying hacks.
At the very basic level, a successful hack allows the hacker to spoof altitude levels and speed statistics.
The hacker also allows controlling of the cabin lighting as well as stealing credit information.
Ruben Santamarta is the man behind IOActive’s airline vulnerabilities announcement. According to him, the hacks mentioned above are the base minimum of what a hacker can do.
As a cyber security analyst, he is confident that these vulnerabilities can be exploited to a larger degree.
He added that from a technical standpoint, taking control of the plane is feasible. It all depends on the skills and determination of the hacker.
According to Santamarta, he started hacking plane systems back in 2014 out from his fear of flying.
Santamarta uncovered hundreds of software updates for many major airlines. The disturbing part is that these updates are publicly available, and anyone can download it from the web.
Each update alone does not pose a big threat. However, if someone studies a lot of the updates, it’s possible to find the vulnerabilities.
That’s how Santamarta uncovered the in-flight vulnerabilities. Aside from the critical issues mentioned above, the vulnerabilities also open the door to a personal finance-related problem.
Most major airlines have integrated automatic payment systems. It’s what allows the passenger to purchase any item offered by the in-flight store conveniently.
This means that the in-flight system contains credit card information of the airline’s customers.
A hacker can then access this personal credit card information via the in-flight entertainment vulnerabilities. From there, a hacker can create a wide variety of mayhem to the everyday customer, from identity theft to unauthorized purchases. However, everything is not a doom and gloom story.
The vulnerabilities discovered by IOActive were made known to the concerned companies last March 2015.
The researchers waited for more than a year to announce the security problem. By the time these vulnerabilities were announced, Panasonic already produced and deployed multiple patches to secure the system.
According to IOActive, it’s not completely secure yet (no system is completely secure), but at least the major vulnerabilities are now patched.
From the 13 of the reported airlines to carry such vulnerability, Emirates is the most vocal when it comes to patching the vulnerabilities.
According to Emirates, they are intimately working with Panasonic to solve the vulnerabilities, and regular update to make it more secure is still going.
While hacking-related movies tend to focus catastrophic problems like hacking a nation’s nuclear arsenals or causing an economic meltdown, the notion of taking control of a plane may be inconsequential.
And yet, it’s more horrifying as it’s possible in the real world and anyone can do it with the proper tools and skills.
Fortunately, it’s not a cause for too much worry as the vulnerability is now heavily patched, making our skies a bit safer for everyone.