WASHINGTON – At a time when cybersecurity is at the forefront of many Americans’ minds, that manufacturing companies are producing commercial planes that experts say are more likely to be hacked than previous versions.
Recently a cybersecurity expert was pulled off a United Airlines flight after tweeting that he had the ability to access the plane’s systems, such as control of the oxygen masks on board.
The expert, Chris Roberts, was then taken into FBI custody and questioned for hours.
While Roberts says he was not attempting to harm anyone on board, the event drew attention worldwide to possible gaps in security onboard commercial flights with in-flight Wi-Fi.
According to a recent report by the Government Accountability Office, there is more connectivity in the Boeing 787 and Airbus A350 between cockpit and cabin Wi-Fi systems than in previous models.
Aaron Rinehart, CEO of cybersecurity company Testbed Inc. and a former security expert for the U.S. Transportation Security Administration, says that this is a step backward in terms of security and safety.
Rinehart says cockpit systems should be air gapped, meaning that the system is physically isolated from all unsecured computer networks, including the in-flight entertainment system onboard. This disconnects the cockpit from outside systems to prevent hackers from accessing it.
“It doesn’t seem to me either logical or rational to combine in-flight Wi-Fi with the avionics systems,” Rinehart said.
Why anyone would combine these systems and take the extra risk isn’t clear.
“My guess would be they want to combine the signal and maybe just either save money or save the amount of power because all those antennas require power,” he said.
“If there’s multiple antennas [putting off] separate signals, it may require more power for that… which to me represents a considerable threat.”
In its report, the GAO found that firewalls are currently protecting avionics systems on planes from hacks, but, like any software, firewalls don’t always prevent attacks on networked systems.
Rinehart says the systems should remain completely separate to avoid problems, including downed airliners.
What do the airlines say about this, especially United, since they’re the ones that pulled Roberts off the plane?
Although the argument can be made that it is difficult to hack into a plane’s avionics system and launch such an attack, experts say the threat of malicious activities grows along with increased connectivity.
For example, Macworld recently reported that American Airlines’ fleet of Boeing 737 aircrafts experienced a glitch in an iPad app used by pilots in their cockpits. This caused all of the fleet’s iPads to go dead at once and leaving passengers delayed for hours at airports across the country.
According to Rinehart, if it were decided that all systems needed to be air gapped, planes can be retrofitted with these systems, but it is easier to design with air gapping in mind in the beginning while factoring in the cost.
“We’ve already had enough [problems] in the past two years,” he said. “Our regulatory authorities don’t need to contribute to that.”