Hollywood would have us believe that an airplane can be hacked by a tech-savvy passenger. But can they really? Ethical hacker Ken Munro decided to dig into airplane security and answer some common movie questions, like ‘what can a hacker do from seat 23A?’
Ken Munro’s company, Pen Test Partners, does cybersecurity consulting and testing for a variety of industries and organizations – everything from banking apps to railway infrastructure. The team of ethical hackers saw an opportunity to pen(etration) test some decommissioned airplanes while passing by a plane graveyard.
Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, spoke with Munro on the Random But Memorable podcast to separate the movie myths from the real airplane threats. Read on for the interview highlights or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: What comes to mind when you think about airplane security?
Ken Munro: A lot of airplanes are retired super early. Several years earlier than expected. We thought we would have a little investigation and see if we could learn some new things.
Back in the day, we would spend a lot of time looking at the Internet of Things (IoT). The great thing about IoT is that it’s really easy to research. You simply buy the device or appliance from Amazon or eBay. It’s easy. It’s accessible. The price points are low. The problem with airplanes is that you don’t find them on eBay very often!
For independent researchers, this makes the barrier to entry so big that it’s essentially insurmountable. But COVID changed that. I remember driving past an airplane boneyard that was full of planes. One of my colleagues said, “I wonder what’s going to happen to those?”
We bravely picked up the phone and asked the yard, “What happens next with those airplanes?” They said, “Well, we’re backed up. We might take apart 10 or 12 airplanes each year and we’ve got 50 sitting here. So it’s going to take a while. But these planes flew in yesterday so they still work.”
We said: “If we gave you some money for the fuel and got some ground power into them, could we come and learn how to hack them?” And to our surprise, they said yes!
A big challenge for researchers is that you should never tamper with an airplane that’s going to fly again. And that was the great thing about these airplanes: they were going to be taken apart. It was like a sandbox for us to learn and play in safely. We found all sorts of interesting things.
MF: What mischief did you manage to get into in this very safe environment?
KM: One big question is: Can a passenger hack the airplane from their seat? They can’t.
Most airplane manufacturers, unsurprisingly, are on it. They understand the threat from hackers. The airplane networks are very carefully segregated. You have a bit in the cabin that’s called the Passenger Information Entertainment Services Domain. That’s completely isolated from what we call the Aircraft Control Domain, or ACD. That’s the bit the pilots work on.
That’s not to say you can’t hack some stuff on planes. Over a number of visits to different airplanes, we did find ways to compromise the in-flight entertainment systems. But one of the limitations of our research is that the airplanes that are being retired – they’re the old ones. One of the systems we were working on was 27 years old. It was running Windows NT 4.0.
The first challenge was trying to remember how the heck to compromise it, given that so many of the tools we use today have dependencies that simply aren’t present on NT. It was a trip down memory lane.
We had some fun exercises compromising the in-flight entertainment system. We were taking control and flashing up silly messages. But did it really matter? What’s the worst that could happen? Bad press coverage?
Here’s a riskier situation. Do you remember back in the day when you would see the captain and the crew carrying great big black cases in the airport?
Those contained the maps or charts. When you made an approach in certain conditions you needed to make sure you had the exact approach, or map if you like, showing how the instrument landing system worked. You had to have those. And you had to have them locally. You carried them around and they had to be updated every 30 days. It cost a fortune. And the cases were really heavy.
To improve everything and make airlines more efficient, the concept of an electronic flight bag was brought in. So, pilots didn’t have to carry paper charts around and they were easy to update. That is where we found some interesting issues.
MF: With the electronic flight bags?
KM: Yes. Here’s an example. It might surprise you to know that airplanes don’t often use full power. This is because aviation fuel is expensive, and we need to be super conscious of the environment. We don’t want to burn more fuel than we need to. We also don’t want to wear down those incredibly expensive jet engines. It’s actually quite rare for an airplane to use full power when it’s taking off. Pilots do a calculation for how much power is needed to take off safely, and use their electronic flight bag to do that.
One of the most important things is probably the weight of the airplane. Another is which way the wind is blowing. There’s also what we call the “pressure altitude” or the air pressure outside and the altitude of the runway. There are lots of other things that go into that calculation too. All of those calculations are done on a tablet. Can you see where I’m going here?
We started talking to pilots and airlines to understand how those tablets – and the apps on them – were secured. What we found was quite scary. For instance, if you’ve got a smartphone and it’s connected to your business systems, you would expect it to be pretty locked down. It’s going to be protected by a good PIN, a good password, or biometrics so that if you lose your phone, someone can’t compromise your corporate systems.
We were expecting these electronic flight bags, these tablets, to be locked down in a similar way. We were a bit surprised to find that security was operator-dependent and varied between airlines. Some of them had a really simple PIN – something as simple as four zeros. Some of them had the pilot’s birthdate as the PIN, which obviously you can get from open sources.
Some of them had no PIN at all. We often found them not updated with critical security updates. We also discovered vulnerabilities in some of the apps, which meant if someone had compromised one of these tablets, they could mess around with the calculations. Remember, those calculations tell the pilot how much power they need!
We realized you could convince the pilots to use the wrong amount of power for their departure. The most likely consequence of that is what’s called the “tail strike”. That’s where the pilot tries to rotate, but they haven’t got enough power. Instead of going up, the tail goes down and they drag the plane’s tail along the runway, causing damage.
One thing I want to mention that I love about the aviation industry compared to the cyber industry is that incidents and accidents are reported and shared without blame attributed. That way everyone can learn. As a result, the safety of flying has gone through the roof over the last 50 years.
That also means independent security researchers can download all the incident reports and find the cases where things have gone wrong and why they’ve gone wrong. We’ve discussed before how it can be really challenging to get IoT vendors to wake up and take responsibility for their actions. Aviation is a whole different ball game!
MF: It’s instilled in the culture, isn’t it? It’s expected.
KM: So you would think. It’s been an interesting journey. We’ve looked at seven different electronic flight bag systems and found reportable vulnerabilities in all of them.
What’s really interesting is how some manufacturers have been really good, and others have been really difficult to deal with. You hope that if someone came to you saying, “We found a security bug in one of your systems that we think could lead to a safety incident,” they’d be all over you like a rash trying to find out everything we found and getting it fixed. It’s not always the case.
I really want to give Boeing a big hat tip. Because with the first vulnerability we found, Boeing came back to us within 24 hours and said, “We agree with you. Only problem is, it’s going to take us about 18 months to fix.” We were blown away thinking ‘how can a vulnerability take 18 months to fix?’ Boeing said, “We actually can fix it in a week but we have to certify the software is safe. Every time we change some code in our apps, we have to re-certify to make sure it’s safe in every single possible case.” We didn’t know that, so we learned something.
In the end, Boeing did it in about 14 months and rolled it out to the fleet.
MF: I’m having a hard time wrapping my head around the ownership and the responsibility on the side of the manufacturer. And the potential catastrophe if something was ever exploited in a way that led to loss of life. There are very stark business things to look at from that point of view.
KM: I found it extremely frustrating that not everyone in the industry was taking things as seriously as perhaps they could. But the good thing is that planes are safe. And as a result of the way the industry discloses incidents, they’re getting safer all the time.
But as airplanes become more connected, both for efficiency reasons and for the convenience of the passengers, that’s when things start to get interesting. For example, real-time air traffic control communications.
Problems happen when we use our voice. When someone says something, it can be quite easy to mishear it, write it down incorrectly, or misremember something. And when the frequencies are busy, it can be quite difficult to get a word in to get your clearance to approach to land, for example.
To increase efficiency, we’re moving towards a system where clearances and other messages are sent digitally to the cockpit. That’s a huge step forward. But some of those systems which are in use are unencrypted. Some of them are plaintext, so there’s potential to start tampering with some of the information that goes to pilots.
Obviously, pilots will know if something doesn’t make sense. But there have been some documented cases where the wrong flight plan was sent to an airplane. The pilots realized it only when they were flying over the wrong bit of the sea. They thought, “I’m sure we were going east and this plane’s definitely going west.” They then queried everything and realized, “We’ve got the wrong flight plan.”
MF: But overall, this is a much more hopeful discussion than we had last time about IoT.
KM: Safety’s baked into aviation. If something goes wrong, we talk about it. That’s a really, really positive message that we could all learn from. What if every cyber breach had a public report that we shared with everyone? Then everyone else could be like, “Okay. I’ll make sure that doesn’t happen to me. I’ll learn what to look for.”
Wouldn’t it be great if we could share a bit more about breaches without fear of being chased by lawyers? Without fear of being sued? Wouldn’t it be great if we could share our experience with other organizations, so they don’t make the same mistakes? Surely cybersecurity would improve?
MF: Where can people go to hear more from you?
KM: There’s a lot of information and data on our blog on pentestpartners.com. We’ve got some videos too, showing what the effects on systems are when you start tampering with data.