Can a plane be hacked?

Flight systems on small planes are vulnerable to hacking if an intruder gains physical access to the aircraft, the US Department of Homeland Security warned this week.

Plane owners are being advised to restrict unauthorised access to their planes until a safeguard is developed by the industry.

So how can a small plane be hacked?

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Rapid7, a cybersecurity company based in Boston, “found that an attacker could potentially disrupt electronic messages transmitted across a small plane’s network, for example by attaching a small device to its wiring, that would affect aircraft systems”, reports the Associated Press (AP).

Engine readings, compass data, altitude and other readings “could all be manipulated to provide false measurements to the pilot”, according to the newly issued Homeland Security alert.

The department is urging manufacturers to review how they implement open electronics systems know as the Controller Area Network, or CAN bus.

Danish developer CSS Electronics describes the CAN bus as “the nervous system, enabling communication between all parts of the body”. Originally developed by Robert Bosch in 1986, it allows parts of a machine to “communicate with each other without complex dedicated wiring in between”, and “this allows for several features to be added via software alone”, says the CSS website.

As such, a hacker could hijack the CAN bus to take over the aircraft, says AP.

The US Federal Aviation Administration (FAA) has issued a statement saying that a scenario where someone has unrestricted physical access to a plane is unlikely, but that the report was “an important reminder to remain vigilant” about physical and cybersecurity aircraft procedures.

What about larger planes?

“The Rapid7 report focused only on small aircraft, because their systems are easier for researchers to acquire. Large aircraft frequently use more complex systems and must meet additional security requirements,” explains AP.

Most airports have security to restrict unauthorised access and no evidence has been found as yet to suggest that the vulnerability has been exploited.

Nevertheless, Robert Hickey, a US Department of Homeland Security official, was able to hack into the systems of a Boeing 757 at an airport in Atlantic City in September 2016. The worrying feat took him just two days, without any insider help or being onboard, using “typical stuff that could get through security”, he said.

The Financial Times reports that Hickey waited a year to “drop his bombshell”, at a conference in Virginia, and “gave scant detail about what had been accessed and how - for obvious security reasons”.

Despite the lack of information about his methods, “his revelation has raised serious questions about aviation’s exposure to cyberattack as aircraft, airports and air traffic control systems become increasingly reliant on digital systems”, the newspaper notes.