Airliners could be hacked mid-flight by passengers using the plane’s wireless entertainment system to access its flight controls, a US agency says.
The threat was identified in a new report from the US Government Accountability Office (GAO) highlighting emerging cybersecurity challenges faced by the Federal Aviation Administration (FAA). The challenges also include protecting air traffic control systems from cyber-attacks and clarifying the cybersecurity responsibilities of multiple FAA offices.
GAO investigators spoke to cybersecurity experts who said on-board firewalls intended to protect avionics from hackers could be breached if flight control and entertainment systems use the same wiring and routers.
"Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors," the report said.
FAA Administrator Michael Huerta concurred with the GAO's findings and said the aviation regulator has begun working with government security experts including the National Security Agency to identify the necessary changes.
"This threat will continue to evolve and it is something that needs to be at the forefront of our thinking," he told a Senate oversight panel.
One cybersecurity expert told the GAO investigators that "a virus or malware" planted on websites visited by passengers could provide an opportunity for a malicious attack.
"This report exposed a real and serious threat – cyberattacks on an aircraft in flight," said US Representative Peter DeFazio, ranking Democrat on the House Transportation and Infrastructure Committee.
"FAA must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system."
The report also said that despite the FAA taking steps to protect air traffic control systems from cyber-attacks, significant weaknesses remain.
While the report conceded that the regulator had agreed to address the weaknesses, the authors say the FAA's failure to develop a cybersecurity threat model to identify potential vulnerabilities in its information systems means it may not be properly allocating its cyber-defence resources.