GAO Warns of Cyber Risks In-Flight

The GAO warned in a report of cyber threats to airplane avionics systems.
The GAO warned in a report of cyber threats to airplane avionics systems.

In-brief: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne. 

The Government Accountability Office (GAO) warned the U.S. Federal Aviation Administration that late model aircraft may be vulnerable to cyber attacks that could affect the operation of avionics systems needed to keep the plane airborne.

In a report issued Tuesday (GAO-15-370), the GAO said that the FAA faces “challenges protecting aircraft avionics used to operate and guide aircraft” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.” Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that “unauthorized individuals might access and compromise aircraft avionics systems,” in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

“According to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO said.

The report is the most direct evidence to date that modern aircraft are providing so-called “air gapped” separation of avionics systems and in-flight systems used by passengers, and that remote cyber attacks against airborne planes—or attacks launched from within the passenger cabin – are possible.

According to the GAO report, software based firewalls that separate avionics and in-flight entertainment systems can be “hacked like any other software and circumvented.”

The report focuses on a number of aspects of the FAA’s approach to cyber security, noting that the agency lacks a coherent strategy to address cyber security weaknesses in both flight control and avionics systems. The agency spreads responsibility for cyber security across a number of departments and offices.

Notably: the FAA’s Office of Safety (AVS) hasn’t developed assurances that cybersecurity is addressed as part of its certification, and is falling behind the rapid pace of technology development by airlines. Specifically: the FAA uses so-called Special Conditions rules, of limited scope, to address new technologies that rely on IP technology and that could pose cyber security risks. The Special Conditions rules give the manufacturers the ability to move ahead with the design of the aircraft with the additional features. As an example, the FAA issued Special Conditions to address the increased connectivity among aircraft cockpit and cabin systems for the Boeing 787 and Airbus A350, the GAO noted. Those rules provided “systems cybersecurity and computer network protection from unauthorized external and internal access,”

Those rules could provide the foundation for new, uniform cyber security regulations, but the FAA has yet to issue such regulations.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called “air gapping” the networks. At last year’s Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.