A new report from the U.S. Government Accountability Office (GAO) warns that airplanes are increasingly more vulnerable to cyber attacks, and urges the Federal Aviation Administration (FAA) to prepare. The investigation and resulting report were prompted by the FAA’s efforts to transition from a ground-based air traffic control system to modern satellite-based navigation and advanced technology which will use an IP network to communicate. The project, called NextGen, began in 2004 and is due to be completed by 2025. The GAO says that as planes become more connected on IP networks, they become open to malicious attacks that could cause system failures or security breaches.
Hackers could use in-flight Wi-Fi networks to attack passengers’ personal electronic devices or even to gain remote access to the airplane’s avionics. In the past, avionics systems were isolated and self-contained, but modern airplanes are connected to IP networks. “Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” according to the report. Although firewalls are in place to protect avionics systems, firewalls are essentially just software that can be hacked as easily as anything else. If cockpit avionics systems and cabin Wi-Fi share the same physical wiring or router and use the same IP, a passenger could bypass firewalls and access the cockpit avionics system from the cabin.
The report further speculated that attackers could install malware on passengers’ personal devices without their knowledge, which could later “provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines.”
The GAO summarized cybersecurity challenges in the following areas: protecting air-traffic control systems, protecting aircraft avionics used to operate and guide aircraft, and clarifying cybersecurity roles and responsibilities among multiple FAA offices. So far, the FAA has taken several steps to address these challenges, but the GAO recommends restructuring cybersecurity teams and putting even more focus on preventing malicious attacks in the future.