During a speech at the CyberSat Summit, Pam Dixon, the Director of DC3, revealed that while it was possible for other malicious hackers to remotely hijack connected electronic devices on commercial aeroplanes.
First Published 17th November 2017
Hack your own equipment.
3 min read | Reflare Research Team
The US Department of Homeland Security (DHS) revealed during a speech at the 2017 CyberSat Summit earlier this week that it was able to remotely hack into one of its own Boeing 757 aeroplanes. In this briefing, we will take a look at the implications of this hack, differences from previous concerns about aeroplane security and potential fixes.
What happened?
A team of hackers within the DHS used unspecified equipment and techniques to exploit an unspecified vulnerability in the “RF Equipment” of a Boeing 757 aeroplane. RF (Radio Frequency) Equipment can refer to any wireless transmission system for data or sound. While common parlance among information security researchers it usually does not include Wifi it must be stated that on a technical level, Wifi is merely a specialized subset of the broader field of RF transmissions.
The reason Wifi and RF are often treated as separate topics within the research community is that Wifi is such a wide and important field of research that it has developed its own terminology and specializations.
Whether the DHS’s reports follow this informal verbal distinction, or if the attack might have been against the plane’s Wifi systems is unclear at this point.
What is different?
The biggest difference lies in this report coming from a governmental source. Previous reports regarding the information security state of aeroplanes have come from individual researchers and were thus easy to dismiss as speculation. Since no one has crashed a plane even after rudimentary access rights were gained, the attacks themselves remain somewhat theoretic and deniable.
An official statement by a US government agency, on the other hand, carries significantly more weight and is more likely to lead to consequences.
How high is the risk?
Since no detailed information is available, we can only try to infer the risk from the reaction of Airplane Manufacturers and Government Agencies. So far, no aeroplanes have been recalled, indicating that a risk calculation taking into account the complexity and impact of the attack did not lead to immediate steps being taken.
The DHS is treating actual vulnerability information as classified, meaning that we are unlikely to learn more about the attack in the near future. According to the report, the attack took the DHS team 2 days to perform. Whether the majority of this time was required to find the vulnerability or to perform the attack is unclear. In the latter case, the risk is reduced significantly, as it is very hard for attackers to be in physical proximity of a running aeroplane for 48 hours under real-world conditions.
Fixing code used for aeroplane controls is very expensive as all changes must be re-certified and re-approved in rigorous testing procedures followed by bureaucratic proceedings. We thus expect affected aeroplanes to be either slowly phased out - if the vulnerability is less critical - or updated during their regular maintenance cycles.