The U.S. Government Accountability Office (GAO) recently published a report [PDF] warning that the Federal Aviation Administration (FAA) currently faces at least three key cyber security challenges: protecting its air traffic control systems, clarifying cyber security roles and responsibilities between FAA offices, and securing aircraft avionics used to operate and guide aircraft.
Notably, those challenges include a threat from in-flight Wi-Fi.
"According to FAA and experts we interviewed, modern communciations technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems," the report states.
And when those in-flight entertainment services include Internet access, the potential security risks grow. "According to cyber security experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors. ... One cyber security expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines," the report states.
"Firewalls protect avionics systems located in the cockpit from intrusion by cabin-system users, such as passengers who use in-flight entertainment services onboard," the report adds. "Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented."
Jovi Umawing, malware intelligence analyst at Malwarebytes Labs, told eSecurity Planet by email that while firewalls could potentially be bypassed, it's important to remember that aircraft systems are designed with a focus on safety. "These systems, which we deem life- or safety-critical, have redundancies in place to lessen the chances of tragic outcomes should they be compromised," she said. "As the GAO report does not clearly elaborate if this new threat via cabin Wi-Fi takes into account such systems, we can't know for sure if an attack like this would be successful."
Still, Umawing said, that doesn't mean these concerns shouldn't be taken seriously. "Travelers must still adhere to safe computing practices and treat the plane Wi-Fi in the same way they would free public Wi-Fi in a coffee shop," she said. "That means avoiding logging into websites that contain lots of sensitive information like online banking or social media accounts."
"Airplane Wi-Fi may be password-protected, but that doesn’t mean there isn’t someone logged onto the network sniffing around for packets and looking to take advantage of travelers’ trust in the system," Umawing added.
In January of this year, the GAO published a separate report warning of "significant security weaknesses" in the FAA's air traffic control system, including "weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring controls on FAA's systems."
And last June, the FAA warned that the architecture and network configuration of newer Boeing 737s "may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems, and networks critical to the safety and maintenance of the airplane."