Aviation security is taking off—and taking after car security

LAS VEGAS—In 1990’s Die Hard 2, rogue former U.S. military officers and soldiers hack into the Washington Dulles International Airport’s air traffic control system, kill the runway lights, and block plane-to-ground communication. (Don’t worry about why.) There’s no way for flights to land until Bruce Willis’ John McClane steps in to save the day.

Twenty-nine years later, such a Hollywood storyline remains a fantasy, security researchers say. The hackers, security researchers, government organizations, and private airlines involved in the aviation-hacking exhibition of the world’s largest hacking confab, held here in August, all say the chances of your next commercial flight getting hacked are extremely small. But the scenario is also the inspiration for DefCon’s “Aviation Village”: They want to keep it that way.

David Holmes, director of engineering at the United States Digital Service, which co-organized the Aviation Village, argues that while planes are currently safe from hackers, aviation security stakeholders—including government agencies, independent security researchers, airlines, and airports—need to start working together to ensure that as more aviation technology connects with the Internet, it remains secure.



READ MORE FROM DEFCON 27

Biohackers chase Johnny Mnemonic with ‘Pegleg’ implanted hard drive
A hacker’s fall fashion line features faux license plates. Here’s why
Trump’s tariffs just about killed DefCon #badgelife
More coverage from Black Hat and DefCon


“‘Hack’ and ‘Pentagon,’ five years ago, would never be in the same sentence,” Holmes says, referring to the Hack the Pentagon vulnerability disclosure program introduced in 2016. The program presented the first-ever opportunity for hackers to legally submit vulnerabilities they discovered to the government without fear of prosecution under the Computer Fraud and Abuse Act. Today, Holmes says, he and colleagues are wondering, “can we do Hack the FAA?”

At the Aviation Village, which is largely modeled on DefCon’s Car Hacking Village, hackers explored avionics systems while chatting with systems manufacturers, and government and airline representatives. But unlike cars, which have long been subject to consumer tinkering, customizing, and hacking, airplanes and avionics systems are relatively uncharted hacking territory.

Among the notable reports of aviation hacking is a 2015 incident in which hacker Chris Robertson found himself in hot water over tweets that appeared to indicate that he had hacked the infotainment system and gained access to plane controls of a United flight. Separately, in 2016, a Department of Homeland Security security researcher led a team to a successful remote hack of a commercial Boeing airliner in a non-laboratory setting. On July 30 of this year, Homeland Security issued a security alert that small planes are vulnerable to hackers who have physical access to them. And at Black Hat in August, a security researcher claimed that he found multiple, exploitable security vulnerabilities in leaked Boeing software.

“There’s a lot the airline industry can learn from other industries.”—Gérard Duerrmeyer, chief information security officer, Norwegian Air Shuttle

Longtime antivirus vendor F-Secure, meanwhile, has begun offering avionics security services and systems.

Ken Munro, a consultant at the security research company Pen Test Partners, describes plane security as “pretty robust.”

“Planes are heaps safer than cars. One of the challenges for hackers is that you can’t just walk up and hack a plane. Avionics have a lot of barriers,” he says. “Based on our knowledge of planes now, they’re very hard to hack.”

Nevertheless, Munro notes that planes can remain in active use for decades. “Could you imagine if every IT system was working on 12-year-old components?” A dozen years ago, he says, available technology was significantly more rudimentary. And manufacturers and software vendors “didn’t even have the same threat model as we do today.”

One source of potential risk to small airplanes is a lack of security applied to a CAN (Controller Area Network) bus, which some planes use to reduce the number of wires needed to run onboard electronics systems. Just as an unprotected CAN bus in a car is highly vulnerable to hackers, so too might an unprotected CAN bus in a plane, says Patrick Kiley, who authored a July report on the subject.

“The CAN bus is not in a lot of aviation today, but needs to be secured,” he says. “We want to bring to light issues before they become issues.” It isn’t clear, he says, whether affected vendors (whom he declines to identify, as he gives them time to address the vulnerabilities) have yet taken steps to address vulnerabilities his research highlighted.

“Planes are heaps safer than cars. One of the challenges for hackers is that you can’t just walk up and hack a plane. Avionics have a lot of barriers.”—Ken Munro, security consultant, Pen Test Partners

The only representative of a commercial airline to appear at the Aviation Village, Gérard Duerrmeyer, chief information security officer at Norwegian Air Shuttle, says he looks to the automotive industry for lessons on how to better secure Norwegian’s fleet while maintaining the public’s trust.

“There will be a future where these systems are all online, and that will open the attack surface and the chance for exploitation,” he says. “What gives me hope and reassurance [is] that there are so many lessons learned from the automotive industry…There’s a lot the airline industry can learn from other industries.”

Holmes of the USDS says taking a preemptive approach to aviation cybersecurity means encouraging the numerous and often-conflicting parties involved to agree on testing and implementing better systems protections.

“Our goal is to scale the success of our bug bounty programs within the Department of Defense across the federal government. Government agencies shouldn’t fear running coordinated, responsible disclosure programs with vetted, ethical hackers. Nobody can be blamed for finding vulnerabilities,” he says, “but taking a posture that fails to remediate them is the only harmful posture to adopt.”