The director of one of Europe’s top aviation agencies warned on Thursday that hackers could infiltrate critical systems in an airplane on the ground.
Patrick Ky director of the European Aviation Safety Agency, said a consultant hired by the agency—one who is a commercial pilot as well—exploited vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit text messages between planes and ground stations.
Ky said at a press conference that it took the expert five minutes to crack ACARS and a couple of days to access the aircraft control system on the ground.
“For security reasons, I will not tell you how he did it, but I let you judge if the risk is high or low,” Ky was quoted in an article published by France’s Les Echos.
Some of these issues were exposed by security researcher Huge Teso during a 2013 presentation at Hack in the Box. Teso targeted ACARS specifically and disclosed a number of on-board system vulnerabilities. Teso said he found relatively little security protecting communication between the aircraft the ground.
“The system’s weak point is that it doesn’t verify communication packages on the way from the ground to the plane,” said Andrey Nikishin, head of future technologies projects development at Kaspersky Lab. “Because of that, it is possible to spoof the system by inserting a new package along the way.”
Nikishin said that an attacker could send the pilots false messages that could affect their decision making in the air.
“Theoretically, a malicious user can influence a pilot’s decision to change the route, if, through the spoofing flow, he sends the plane a fake message about an upcoming storm,” Nikishin said. “The same malicious scheme could be applied to spoof GPS, making the system believe that it is located in a different place from where it actually is.”
The Les Echos article cites research done by the International Civil Aviation Organization that determined because aircraft navigation and other control systems are supposed to be air gapped from non-critical systems such as entertainment, that the risk of hacking critical systems was low.
“ACARS uses a proprietary encoding/decoding scheme that has been in use since 1978 – when aircraft equipment was not designed with cybersecurity in mind, Nikishin said. “This makes it outdated, and we believe that aircraft manufacturers should have already started to develop a new system, with a new approach.”
Ky’s revelation comes a day ahead of the introduction of a new European air traffic control system called Sesar.
“Tomorrow, with the introduction of Sesar and the possibility for the air traffic control to directly ive instructions to the aircraft control system, this risk will be multiplied,” Ky said. “We need to start by putting in place a structure for alerting airlines to cyber attacks.”
This isn’t the first time the security of aircrafts has been questioned this year. In May, researcher Chris Roberts was pulled off a United Airlines flight after tweeting about hacking the flight he was on. Roberts was detained and questioned by the FBI, which reported that Roberts said he had burrowed through the aircraft’s onboard entertainment center to reach critical systems and issue commands for the plane to climb or bank.
Roberts’ claims were questioned by aircraft manufacturers; Boeing, for example, told CNN its entertainment and navigation systems were not connected and that Roberts’ claims were impossible.