Hackers could exploit inflight entertainment systems to fatally sabotage the cockpit electronics of a new generation of airliners connected to the Internet, a US government report warns.
It comes weeks after a co-pilot crashed his Germanwings A320 into the French Alps killing all 150 on board, prompting talk of airliners one day being 100 percent automated.
Inflight cybersecurity is “an increasingly important issue” that the Federal Aviation Administration (FAA) is just starting to address in earnest, said the audit and investigative arm of the US Congress.
“Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems,” the Government Accountability Office (GAO) report said.
In the past, the electronics used to control and navigate aircraft — known as avionics — have functioned autonomously, said the GAO.
“However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” the GAO said.
In theory, firewalls ought to protect avionics “from intrusion by cabin-system users, such as passengers who use inflight entertainment systems.”
But four cybersecurity experts told the GAO that firewalls, being software components, can be hacked and circumvented “like any other software.”
The FAA, the aviation authority of the United States, has yet to develop regulations to make “cybersecurity assurance” for avionics part of its process for certifying new aircraft.
FAA officials told the GAO however that cybersecurity is an increasingly important concern and that it is shifting its certification focus to address it.
– ‘No evidence this has occurred’ –
Gerald Dillingham, a co-author of the GAO report, said the issue particularly affects a new generation of Internet-connected aircraft that includes the Boeing 787 Dreamliner and Airbus A350.
To date, he told AFP, there is no sign that any “bad actors” have successfully planted a virus or malware into an avionics system.
“We don’t have any evidence that this has occurred and we are hoping that raising this question will make it less likely to occur,” he said.
Last month’s Germanwings crash, in which the captain was reportedly locked out of the cockpit by his co-pilot, raised the specter of robots one day taking the place of humans at the controls to prevent a deadly repeat.
Responding to the GAO report, Airbus said it was “constantly assessing and revisiting the system architecture of our products with an eye to establishing and maintaining the highest standards of safety and security.”
“Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security,” its Washington spokesman Clay McConnell told AFP by email.
In a statement to US media, Boeing said its aircraft are delivered with more than one navigational system available to pilots.
“No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval,” it said.
“In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”