The GAO is worried that wireless entertainment systems and cockpit communications which use the internet could make airplanes vulnerable to cyber attacks via in-flight WiFi, however other experts have spoken out on the subject, disagreeing with the report and calling it “deceiving.” According to cloud security company Batblue, the report claims that there are two sources of the threat.
In-flight WiFi presents risk of cyber attack, or does it?
First of all, passengers could hack into avionics system using the in-flight WiFi, which is made easier by the fact that the vast majority of people now carry a WiFi-enabled tablet or smartphone. “Experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin,” reads the report.
Remote hackers provide a secondary threat. If a hacker could install malware on a passenger’s device without their knowledge, they could then infiltrate the plane’s systems through it using the in-fight WiFi. “One cybersecurity expert noted that a virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” the report continues.
Report criticized by other experts
The subject has divided experts, with others disagreeing with these conclusions. Dr. Phil Polstra, a pilot and professor of digital forensics at Bloomberg University, was scathing in his assessment. “To imply that because IP is used for in-flight WiFi and also on the avionics networks means that you can automatically take over the avionics network makes about as much sense as saying you can take over the jet engines because they breath air like the passengers and there is no air gap between passengers who touch the plane and the engines which are attached to the plane,” he ranted.
In-flight entertainment systems use a Network Extension Device (NED), not a router, so any attempt to communicate with avionics systems would fail. To date there have been no reported instances of airplanes being hacked using in-flight WiFi, although cybersecurity consultant Hugo Teso did carry out a virtual demonstration.