Hacking Airplanes

Cybersecurity is even more important when you’re up in the air.

We know very little about how airlines protect their in-flight networks and computer systems from interference or attack.


This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. On Wednesday, May 11, Future Tense will host an event in Washington, D.C., on the future of aviation technology. Fore more information and to RSVP, visit the New America website.

Some airplane security measures we are all too aware of—miniature bottles of shampoo and X-ray scanners, for instance—while others we know almost nothing about, including how airlines protect their in-flight networks and computer systems from interference or attack. In April, Sen. Ed Markey introduced the Cybersecurity Standards for Aircraft to Improve Resilience Act, or Cyber AIR Act, to address precisely this component of aircraft security by requiring the Federal Aviation Administration to develop cybersecurity guidelines for the aviation industry and also requiring airlines to report cyberattacks to the government.

Aircraft cybersecurity may garner less public attention and ridicule than the Transportation Security Administration screening process, but what little we do know about how airplane networks are protected does not inspire great confidence. Last year, security researcher Chris Roberts was detained by FBI agents after tweeting about how easily he could hack a flight’s in-flight entertainment system. The incident seemed to many like the FBI and United Airlines were wildly overreacting to an ill-advised joke, but it did ultimately draw some attention to just how vulnerable aircraft computer systems actually are. In order to investigate Roberts, the FBI filed an application for a search warrant detailing his attempts to compromise airplane networks, including an incident when he apparently managed to use his access to the in-flight entertainment system to force a plane to briefly change course and fly sideways.

There are other (often less dramatic) examples of how poor cybersecurity can impact planes and passengers. Earlier this year, journalist Steven Petrow says that he was using the American Airlines Gogo in-flight internet connection on a flight from Dallas to Raleigh, North Carolina, when a passenger sitting behind him compromised his email. Meanwhile, concerns about how easy it is to infiltrate air-traffic control systems have been circulating for years, dating back to reports of hackers compromising FAA computers and credentials in 2008.

There’s a certain irony in the Cyber AIR Act provisions requiring clearer cybersecurity standards and more effective reporting mechanisms for airlines, because, for years, many in cybersecurity have used transportation safety as a model for how the computer security field should operate. Take, for instance, the ongoing problem of trying to define which security mechanisms and controls should be required for computer systems, or what companies must do to put in place “reasonable” security protections for their customers. If only we knew as much about the best ways to protect people online as we do about the best ways to protect them while driving, cybersecurity advocates regularly lament. Markey himself, announcing a similar bill that would mandate cybersecurity standards for cars last year, said, “We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.”

Meanwhile, the incident reporting and investigation strategies used in the transportation sector have also been a source of envy and attempted emulation among cybersecurity practitioners. The National Transportation Safety Board, in particular, is often cited as an example of what we need for cybersecurity. The NTSB, established in 1967, is a government agency that investigates aircraft, ship, and train accidents, to figure out what went wrong; it then issues recommendations related to its findings. That process inspires envy among people interested in cybersecurity incidents for several reasons: It is more focused on figuring out what went wrong than in laying blame or assigning liability, it brings together a number of different people and organizations involved in the incident to piece together their different perspectives on what happened and how, and transportation companies are required by law to report any accidents so the NTSB findings reflect not just a small portion of the accidents that happen but a large swath of them.

For all these reasons—and many others—people have been recommending that the United States establish a “cyber NTSB” for years. At the 2014 RSA Conference an entire panel was dedicated to the topic. In short, it’s a model drawn from the transportation sector that seems fairly effective and promising to many in the cybersecurity world. Getting such an initiative off the ground, however, turns out to be a challenge. After about a decade of these same discussions and recommendations, there’s still no indication that an NTSB-model reporting structure for cybersecurity incidents is imminent.

The safety and security standards and processes governing cars, trains, and airplanes are not perfect, but it would be hard to overstate how influential they have been in shaping ideas about what the security standards and processes governing computers and networks can and should look like. People working in cybersecurity are so used to casting things like seat belts and the NTSB as exemplars that it can be easy to feel like the people who work in transportation safety have everything figured out. And as the connectivity of cars and airplanes becomes more sophisticated, it can be a little disconcerting to realize that those transportation industries we have been holding up as models are encountering the same mess of security vulnerabilities and vague standards and ill-defined reporting mechanisms that we have been hoping to fix using their methods.

Some of the threats that airlines are dealing with are familiar—it’s just as easy for someone to use an unsecured Wi-Fi network to read your email in a coffee shop as it is on a plane—but others are legitimately new and unique to aviation, including using compromised computer systems to change a plane’s course. We’ve long accepted that security standards are significantly more stringent on airplanes than in most other places, and it makes sense that that same philosophy would apply to computer security. Many of us have also come to accept the idea that because the risks are so great—and the technology so complex—this is also an area where the government has gotten pretty good at learning from failures and constantly improving its guidelines and recommendations.

If the transportation sector really is the leader in safety and security standards, then perhaps this convergence of cybersecurity and transportation will be a good thing. Perhaps transportation companies and government agencies (including the NTSB!) will help straighten out the standards and reporting processes for computer security by applying their expertise and experience. Or perhaps cybersecurity incidents will instead undermine the existing safety mechanisms and regimes in transportation, throwing into disarray several decades’ worth of accumulated lessons—and forcing us to go find a new role model for cybersecurity.

Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.