GAO report on cybersecurity in Air Traffic Control is outright scary

The fact that the modern aircraft can be controlled from the ground is not widely publicized but known. There was though a lot of controversy, including among specialists, about how much of control could be intercepted by unauthorized 3rd parties. Well, now the extent of the problem is confirmed officially.

The U.S. Government Accountability Office (GAO), which is also called “watchdog of Congress”, usually oversees the federal government for the expenditure of public funds. However, the 56-page report “Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen» (copy) published on April 14  tells a very interesting but scary story. For a document that is not classified as “secret”, in any case.

Apparently, the computers on board of contemporary aircraft could be susceptible for break-in and take over by using the on-board WiFi network or even from the ground. The computer systems that control the airplane communicate with each other and the systems on the ground using IP networking technologies and connecting through the same networks that are used on board for entertainment. This opens the aircraft control networks to a wide range of security threats.

FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems.

The “solution” entertained by FAA includes setting up a firewall to separate the operations network from that of “visitors”. And we all know it’s not going to help, we are past that point long ago. General purpose IP firewalling does not really correspond to the level of threat sophistication of today. The GAO report tells as much: “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented.” Which means that the access to the cabin could be obtained from the same network being used by the passengers or even from a remote location outside the aircraft.

These networked systems are present in all modern airplanes, including Boeing 787, Airbus А350 и Airbus А380. Currently, the FAA certification of the aircraft does not include any cybersecurity assessment, so the security of the airplane systems is left to the discretion of the manufacturer. Until now, other security measures generally prevented the malicious actors from doing any harm to the airplane but the new threats that arise from networking and software-driven operation are not taken into account.

According to the CNN, the government investigators that wrote the report concluded that it would be possible for someone equipped with only a laptop to:

• Commandeer the aircraft
• Put a virus into flight control computers
• Jeopardize the safety of the flight by taking control of computers
• Take over the warning systems or even navigation systems

Basically, it is as bad as it gets. The flight systems are not protected as they are all legacy from the previous non-networked age and developed by the same people that developed the previous generations of systems. The only protection is the firewall that separates the cockpit from the rest of the world but that is a slight consolation.

They should put a sign at the airport: “Fly at your own risk”.

It is also really strange that this information is published at all. The Federal Aviation Administration is a governmental body of USA. United States of America, at least officially, are in a state of so-called “war on terror”. At such a time, when an investigative authority finds out some possibility for terrorists to execute attacks, such information is, I assume, immediately classified and the problem is solved between the government and the company quietly.

But at the moment this looks as if the US government strongly suggests to the terrorists: “why do you expose yourself to unnecessary risks trying to smuggle explosives on board, while there is a proven method to achieve the same results by connecting to the airplane control system with a laptop?”

Typically, in such cases, even the noble task of warning the public about the dangers of the situation is not taken into account. What should the audience do with it, anyway? Panic and do the ticket office run trying to cancel all reserved flights? Stage a mutiny on board, requiring immediate emergency landing? Or just remember that from this point on the use of air transport is at your own risk?

Unfortunately, it feels more like if US has planned to stage a series of new terrorist attacks against international air traffic that must be attributed to whomever finds this information useful.

Anyway, the illusion of safety of international air traffic is now officially dispelled. Fly at your own risk. Oh, and you are still not allowed to carry that bottle of mineral water on board.