Monday, April 20, 2015

GAO report on hacking airplanes: incompetent and irresponsible?

The US government released a report yesterday warning of security threats facing modern aircraft, leading to stories from major publications claiming in-flght Wi-Fi could be hacked to take control of a passenger plane. But according to Dr Phil Polstra, a qualified pilot and professor of digital forensics at Bloomsburg University, the report contained much erroneous information.

Polstra believes the US Government Accountability Office (GAO) report was put together by people who didn’t understand how modern aircraft actually work. He took umbrage with the claims that as airplanes are increasingly connected to the internet, the control systems on planes are in danger of being remotely compromised. He told FORBES over email that the avionics networks, which deal with flight controls and coordination, were simply not connected to the internet like Wi-Fi services. “To imply this is irresponsible.”
This story broke while I was on vacation and ignoring the 'net, and so I didn't comment then.  Now the plot thickens.  The Government Accounting Office has a history of misinterpreting cyber risk:
GAO staffers have demonstrated repeatedly that they do not understand how attacks and networks and operating systems work - at the deep technical level. That means their reports have been forcing government agencies to spend money in precisely the wrong ways - so much so that a close analysis will show that GAO is culpable in enabling the deep and pervasive cyber penetration that has occurred across many elements of the federal government. GAO staffers blame OMB's regulations for their errors when they are called to account. Isn't it time for GAO leadership to take a hard look at the damage caused by its findings and the people they have making those findings?
I hadn't considered inter-Agency budget rivalry as a driver for Press Release driven bogus security news, but that's something that will play a part in my analysis from now on.

UPDATE 22 APRIL 2015 11:28: More here.  I'm not a fan of having critical systems and passenger/entertainment systems on the same network, and so will try to avoid the Airbus 350 and 380, and the Boeing 787.  But there is good analysis at this link.


lelnet said...'s not _completely_ bullshit. But frankly, if you want to crash an airplane, there are way easier ways to do it than hacking the avionics through the connection between the navigational GPS and the moving-map display on the chair-back entertainment system.

burt said...

Simply put, if the avionics network isn't air-gapped from the entertainment network, then there is a common connection point... and with enough information and the right tools, that interconnection can be hacked and become a command injection point.

Security is no longer even a second-thought or an afterthought. It's not thought of at all.

Tony Tsquared said...

The cockpit systems made by Rockwell Collins are Windows and MAC based systems depending on the generation. The entertainment system is a Linux based system also developed by Rockwell Collins. The systems are totally independent. The WiFi is also an independent system that sometimes is linked by on/off controls with the entertainment system.

Just to let you know the "better" programmers worked on the avionics and it goes through extensive regression testing. Anybody that has been on a long flight has had the experience with the entertainment system - the quick fix is always to reboot the Linux system hosing everybody. Those of us who have worked with Linux know better. Speculation has been the team that worked on the entertainment systems had a lot of interns and Rockwell is not know for "random" UA's once you pass the interview UA.

The entertainment system is bad enough that Rockwell had a policy that employees were not to travel wearing any branded clothing.