Skip to content
Naked Security Naked Security

DHS says it remotely hacked a Boeing 757 sitting on a runway

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative penetration.”

Remember how, back in 2015, security expert Chris Roberts jokingly tweeted about how he could hack the onboard systems of the airplane he was sitting in?

As in, say, get all the oxygen masks to drop in front of everybody’s faces? …thanks to a Wi-Fi flaw Roberts said he found in the in-flight entertainment system, and which he said even let him tinker with engine controls?

Well, somebody over at the Department of Homeland Security must have said Actually, we can hack our own damn planes. And so they did, with a team of aviation hackers exploiting a flaw via “radio frequency communications” that’s evidently been known about for years.

The news came out of a keynote at the 2017 CyberSat Summit in Tysons Corner, Virginia. The keynote was presented by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

According to Hickey, his DHS-led team managed to remotely hack a Boeing 757 airplane parked at an airport in Atlantic City, New Jersey. Avionics reports that aviation experts have for years known about the flaw Hickey and his DHS team exploited, but seven experienced pilots from American Airlines and Delta Air Lines were blindsided when briefed at a technical exchange meeting in March 2017.

Avionics quotes Hickey:

All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible.’

Hickey said he and his team got the airplane, which is owned by DHS, on 19 September, 2016.

Two days later, I was successful in accomplishing a remote, non-cooperative penetration.

The details of the RF flaw are classified, Hickey said, which means we don’t know the what, how, or where of the hack. Without these details from DHS, we don’t know how to fix it, and we don’t know how applicable the flaw is outside of a controlled experiment such as this one.

Why hasn’t anybody patched the avionics subsystems that are afflicted with this flaw? Hickey, for his part, said that it costs too much to fix.

According to Hickey, Southwest Airlines, for one, would be “bankrupt” if it had to fix its entire fleet of Boeing 737s, while other airlines that fly 737s would also see their earnings take a hit.

Avionics:

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement.

… Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

Commenters on Avionics’ story warned of a high noise to signal ratio with this story.

From “CommonSense”:

The only RF delivered on the 1983 757 would be ACARS, so that would be the entry point.

Now if it was modified by someone else to have WiFi or other communications on it, then you are talking about a poorly implemented modification.

As far as the SWA 737 goes, the Classics are mostly retired, the NextGens may have WiFi but they were added after the factory without connecting to the cockpit. The Max’s are hopefully secure by design right from the factory. If Boeing isn’t doing the right thing in their design, then they ought to be liable, not SWA.

And from “Bardi”:

Yeah, let us start with an aircraft that first came out in 1983. $ 1 million for each aircraft or for a fleet? Changing “one line of code” is relatively inexpensive as each vulnerable piece of avionics is cycled through on regular mx.

Hickey explained that a fix would be a nightmare because there just aren’t maintenance crews that can deal with sniffing out cyberthreats aboard an aircraft:

They don’t exist in the maintenance world.

Hickey, who commanded a logistics group when he was in the Air Force and who was an airline pilot for more than 20 years, said that CIOs of airlines don’t know how to do this either:

[Airline CIOs] don’t know how to chase a cyber spark through an airplane either. Why? Because they have been dealing with, and they’re programmed to, and they do a great job of, protecting the terrestrial-based networks. Airplanes are absolutely different – crazy different.

Back when Roberts’ tweet got him blocked from flying, Naked Security’s Paul Ducklin took a look at whether a hacker could really bring down a plane from a mobile phone in seat 12C, and he found the possibility remote, but still worthy of worry, given that the only thing between the cockpit and the passengers’ wireless access was a router:

I don’t know about you, but a single blue box labelled “ethernet router” between seat 12C and the pointy end of the plane certainly gives me pause for thought.

When the GAO next produces a Cybersecurity in the NextGen Project report, I’d be a lot happier to see two separate red lines providing network service inside the plane.

Mind you, Hickey’s DHS team – which included Massachusetts Institute of Technology, the Energy Department’s Pacific Northwest National Laboratory, SRI International and QED Secure Solutions (which is led by Johnathan Butts, a former Air Force officer who’s done cybervulnerability assessments of Minuteman III intercontinental ballistic missiles and B-52 bombers) – used an RF flaw, not Wi-Fi.

At any rate, readers, if you’re in the industry, we’d love your take. If you’ve got avionics cybersecurity smarts, please do give us your own thoughts about how much we have to worry about when it comes to hackers remotely taking over aircrafts’ onboard systems. Is the flaw well-known? Would you call it a $1 million, one-line-of-source-code fix, or is it a bit more reasonable? Would it really cost an arm and a leg to remediate?

And most important of all: how easy is this RF flaw to hack?


14 Comments

“Would you call it a $1 million, one-line-of-source-code fix, or is it a bit more reasonable?”

There’s a lot of hyperbole here. Which is unfortunate, because had some PR wonk decided to be honest instead of snarky people would have a much more solid idea of what’s going on.

As anyone in the software development world can tell you, the code change is cheap. It’s the testing that’s expensive. And I bet the FAA’s testing requirements for any change to how an airplane works make the FDA’s requirements for drug testing seem downright lax in comparison. Between testing whether or not that one line change has changed anything else, testing the effects on normal operation (assume nothing!), and any impact on any of a wide number of edge cases that can occur in flight, that one line change gets time consuming.

Now that said, I also bet that SWA is also doing that accounting trick where they pretend that the cost of people doing the job that they’re going to be paid to do anyway is something extra that’s unique to this situation.

Of course, all that is really difficult to put into a Tweet

Reply

The “$1M, 1 line of code, 1 year” figure may not be entirely far off, at least from my outsiders perspective. It may be a technically trivial bug to find & patch, but then you’ve got the bureaucratic morass of paperwork & certifications such a change would inevitably require from the FAA & similar governing bodies worldwide. Though that doesn’t necessarily mean that it would cost $1M & take 1 year per aircraft, but more that such an update would require a project that would be surprisingly expensive & take a surprisingly long time to complete.

Reply

every craft has routine maintenance… updating the item with the flaw, whether it be software or hardware, could be done at that time… before that, though, yes, the fix must be tested… whether that costs $1Million is another question but knowing how corporations act, yeah, i can easily see them driving the cost up and up and up…

Reply

I understand there’s a cost… but the situation is simply that someone (airlines, DHS, FAA, etc.) is making a cost / risk decision… what’s the likelihood that this will happen versus how much to fix it… likelihood is typically underestimated and cost is usually overestimated in my opinion. If I were in the decision chain, the question I’d be asking myself is “what will happen if someone takes over a plane and decides to run it into the ground, or fly at 200 feet through a major city until it hits something”? After that event, then the questions everyone will be asking will change to “why wasn’t this fixed?”, “who decided it cost too much to fix?”, “how could someone say that the passengers lives weren’t worth X million dollars to fix?” Outrage after the fact is something we’re all best at…

Reply

“Mind you, Hickey’s DHS team – [snip) – used an RF flaw, not Wi-Fi.” WiFI _is_ RF: a Radio Frequency signal that is sent by a radio transmitter and received by a radio receiver. I have no idea what sort of communications capability is included in the DHS airplane, or if it had WiFi added after manufacture, but RF is a generic term for radio signals and includes WiFI signals.

Reply

The part that scares me about hacks like this one is that if they bring down a plane, they very likely can (at the same time) hack the logs to remove evidence of the hack. If that piece succeeds, nobody (except the hackers) would ever know that they did it, or even that it was hacked.
In addition to fixing this, steps should be taken to isolate the paths to the “black boxes”, so that they can receive only hard-wired data from specific IPs inside the plane. Wi-Fi should never be used to (or from?) the black boxes.

Reply

message: “Sorry, cannot connect to server. Make sure your account name and password are correct”
P.A: “This is the pilot, unfortunately ACME Airlines we are having some technical issues with the aeroplane, so I must ask all passengers to stick their arms out of the window like Wiley Coyote and flap like mad while the co-co-co-pilot sticks a sign out of the cockpit window with the word ‘YIPE’ written on it.”

Seriously, WiFi to the avionics?

Reply

Might be over simplifying the answer, but if it’s a specific frequency, find out what runs across that band, and if feasible, disable or block just that band.

Reply

That might work, but wouldn’t it be simpler to just run wires? I can’t think of a good reason to have wireless in use for the airplane’s electronics. Yes, maybe for passengers, but that shouldn’t be connected to the planes infrastructure at all.
It’s the same with automobiles: why wireless? With the exception of moving parts, everything can be wired, and the moving parts issue (for tire pressure, etc.) can be firewalled from the rest of the system.
Wireless is only used because it’s easier to use. Time = money, I guess.

Reply

There was a talk at defcon 22 related to some of this… Phil Polstra Cyber Hijacking Airplance Truth or Fiction. [link removed] Most pilots are aware of errant messages through ACARS (ground to air, unencrypted) and validate any ‘oddness’ with out of band calls to dispatch.

Reply

I came back to this article because of two recent Boeing crashes.

Shouldn’t this be 757s?

“According to Hickey, Southwest Airlines, for one, would be “bankrupt” if it had to fix its entire fleet of Boeing 737s, while other airlines that fly 737s would also see their earnings take a hit.”

Reply

Vaguely recall an article stating that after 9/11 all Boeing aircraft were fitted, by 2004, with remote control capability to thwart future hijacking. Obvious question: Can any Boeing be taken over by an outside agency en route, eg, via satellite comms?

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!