How safe is flying? ERAU panel takes on topic of hackers who could control passenger jets

PRESCOTT – From 2011 through 2014, a computer expert named Chris Roberts said he used the in-flight entertainment system in the cabin of several commercial jet airliners to hack into their flight control systems.

Roberts claimed he had changed the thrust levels of an engine, causing a jet to move slightly off-course, an FBI search warrant application said, along with several other less-obvious hacks.

He was warned to stop, but on April 15, 2015, the FBI said Roberts hacked into the cockpit of a United Airlines jet as he flew from Denver to Chicago. He tweeted about it and the FBI met him at the gate when the flight landed.

Roberts denied actually doing anything and the FBI agents confiscated his electronics.

Aircraft manufacturer Boeing denied that such hacking was possible.

The possibility of something like this happening was the subject of an aviation industry teleconference, hosted by Embry-Riddle Aeronautical University on Tuesday, April 12.

Carl W. Herberger, vice president of security systems for Radware, a cybersecurity company, said that the problem is that the electronic systems aboard aircraft are no longer proprietary.

“Now they are frequently ‘off the shelf’ … (and they) run on known operating systems. That’s a very big difference,” he said.

“We are going to be seeing more and more computer control” of aircraft, said Jon Haass, associate professor of cyber intelligence and security at Embry-Riddle in Prescott. He said that could lead to an increase in hacking activity.

“United (Airlines) noticed that they did have (an) issue where they inadvertently connected the avionics network with the in-cabin network…and they were sharing the same components,” Haass said. The solution, he added, is simple: “Separate the networks,” creating what designers call an “air-gap.”

Asked what role the federal government might play in preventing future hacks, Remzi Seker, professor of computer science at Embry-Riddle’s Daytona Beach campus, said, “You can’t legislate security. I’m really not sure what the federal government can to do ensure cybersecurity.”

“Complacency is the worst thing we can have,” said Gary Kessler, professor of cybersecurity and chair of the Embry-Riddle Security Studies and International Affairs department in Daytona Beach. He added manufacturers need to stop limiting their designs to holding up to “natural” failure and start building them to withstand intentional failure.

“Closed, proprietary software won’t remain closed in the age of the internet,” Kessler said. “You still need to eradicate the vulnerability.”

Herberger agreed. “The security (reviews) on today’s aircraft systems is largely static … more like quality checking.”

Other dangers include intrusion into the air traffic control system as it becomes more networked in the next few years and the hijacking of unmanned aerial vehicles, known as drones.

Hijacking of drones in flight, “depending on the size of the thing, could be a very serious public safety issue.

Haass said, “I think we’ll see big changes in the next five years and hopefully before the systems see some big catastrophe.”