A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate

[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.


Comment: So now we must ask ourselves, how many of the debated/mysterious airplane crashes of recent years were caused by someone remotely taking control of the aircraft and bringing it down? One incident that immediately comes to mind is the Germanwings crash in March 2015.

Germanwings crash: Not the full story?

The aircraft that DHS is using for its tests is a legacy Boeing 757 commercial plane purchased by the S&T branch. After his speech at the CyberSat Summit, Hickey told Avionics sister publication Defense Daily that the testing is with the aircraft on the ground at the airport in Atlantic City, New Jersey. The initial response from experts was, “We’ve known that for years,'” and, “It’s not a big deal,” Hickey said.


Comment: Indeed, this tech has been around for a long time, before the 9/11 attacks in fact. Makes us wonder, yet again, about how those alleged ‘jihadi’ pilots, with little aircraft training, were able to fly large commercial airliners so expertly into their targets at the WTC.

One day after 9/11, an article appeared in a top science and technology news service stating “hijackings could be halted in progress with existing technologies, say aviation researchers”. The article quoted a transportation expert as saying:

“Most modern aircraft have some form of autopilot that could be re-programmed to ignore commands from a hijacker and instead take direction from the ground . . . .”

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,'” Hickey said.

Hickey, who is a staff officer in the Office of the Director of National Intelligence on assignment to DHS S&T, said that while aviation is a subsector of the transportation component of the National Infrastructure Protection Plan, the focus is squarely on traditional terrestrial-based systems. The reservation and scheduling systems of airline aren’t part of Hickey’s research, he said.

“I want to suggest to you that there’s a different type of critical infrastructure, and that’s critical infrastructure that’s in motion, of which aviation is one of the third of that,” Hickey said. The others are surface and maritime transportation, he said.

“And I look at all of those and say, ‘If we’re not looking at those from a different perspective, we’re going to miss the boat,’ no pun intended,” Hickey said. He said he doesn’t know the answers yet for aircraft cyber infrastructure, adding that it’s not a policy issue yet because more research needs to be done on these systems to understand what the issues are. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.