Can an Airplane Get Hacked? (Probably.)

Enterprising thieves are forcing us to rethink security. Even in the air.

Last year, IOActive security-consultant Ruben Santamarta voiced concerns over Panasonic Avionics’s IFE firmware, used by at least 13 airlines. The latter is the foundation of numerous airlines’ in-flight entertainment systems. (Sidebar: You may remember IOActive as the company that, last year, remotely commandeered a Jeep.)

Santamarta had privately disclosed his concern to Panasonic, but went public with it in a December 2016 blogpost.

He claims that, by accessing an IFE system, hackers can disrupt flight-path information. They can also steal credit-card data and other personal information, if passengers swipe their cards for payment, use Internet access, or charge devices. In the worst-case scenario, thieves could actually tamper with an airplane’s navigation system.

Panasonic maintains that such attacks are possible.

Should planes ditch the system? Not necessarily. In the electronic company’s defense, most of Santamarta’s argument is theoretical. He also suggests that the devil may simply be in deployment.

Graphic courtesy of Der Spiegel. Click image for link to their story, "Could Hackers Bring Down a Plane?"

“Physical control systems should be located in the Aircraft Control domain…physically isolated from the passenger domains,” he writes. “Some aircrafts use optical data diodes, while others rely upon electronic gateway modules. This means that as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.”

His insights came from hacking a plane’s satellite-communications systems. Meanwhile, another security expert infamously bragged about hacking into a plane’s thrust management system, making the plane climb at his whim. This sparked an FBI investigation.

Meanwhile, Air France assured the public that its flight control doesn’t link to its entertainment system. Emirates has pledged to regularly update its Panasonic system.

Santamarta does emphasize the need for security patches. Still, patches are reactive fixes that frequently need updating. As hackers are getting more resourceful, we can expect (or at least hope) that airlines turn to more enduring, formidable solutions, such as analytics.

From an enterprise perspective, there is common-sense virtue in vigilantly envisioning bleak scenarios and proactively addressing even seemingly small gaps. Because if there’s one constant, it’s that thieves will always find a way in.