DHS Hacks one of its Airplanes
The US Department of Homeland Security (DHS) revealed during a speech at the 2017 CyberSat Summit earlier this week that it was able to remotely hack into one of its own Boeing 757 airplanes. In this briefing we will take a look at the implications of this hack, differences from previous concerns about airplane security and potential fixes.
A team of hackers within the DHS used unspecified equipment and techniques to exploit an unspecified vulnerability in the “RF Equipment” of a Boeing 757 airplane. RF (Radio Frequency) Equipment can refer to any wireless transmission system for data or sound. In common parlance among information security researchers the term usually does not include Wi-Fi, but on a technical level Wi-Fi is merely a specialized subset of the broader field of RF transmissions.
The reason Wi-Fi and RF are often treated as separate topics within the research community is that Wi-Fi is such a wide and important field of research that it has developed its own terminology and specializations.
Whether the DHS’s reports follow this informal verbal distinction, or whether the attack might have been against the plane’s Wi-Fi systems, is unclear at this point.
What is different?
The biggest difference lies in this report coming from a governmental source. Previous reports regarding the information security state of airplanes have come from individual researchers and were thus easy to dismiss as speculation. Since no one has crashed a plane even after rudimentary access rights were gained, the attacks themselves remain somewhat theoretical and deniable.
An official statement by a US government agency, on the other hand, carries significantly more weight and is more likely to lead to consequences.
How high is the risk?
Since no detailed information is available, we can only try to infer the risk from the reaction of airplane manufacturers and government agencies. So far, no airplanes have been recalled, indicating that a risk calculation taking into account the complexity and impact of the attack did not lead to immediate steps being taken.
The DHS is treating actual vulnerability information as classified, meaning that we are unlikely to learn more about the attack in the near future. According to the report, the attack took the DHS team 2 days to perform. Whether the majority of this time was required to find the vulnerability or to perform the attack is unclear. In the latter case, the risk is reduced significantly, as it is very hard for attackers to be in physical proximity of a running airplane for 48 hours under real-world conditions.
Fixing code used for airplane controls is very expensive, as all changes must be re-certified and re-approved in rigorous testing procedures followed by bureaucratic proceedings. We thus expect affected airplanes to be either slowly phased out - if the vulnerability is less critical - or updated during their regular maintenance cycles.