“The system’s weak point is that it doesn’t verify communication packages on the way from the ground to the plane,” said Andrey Nikishin, head of future technologies projects development at Kaspersky Lab. “Because of that, it is possible to spoof the system by inserting a new package along the way.”
Nikishin said that an attacker could send the pilots false messages that could affect their decision making in the air.
“Theoretically, a malicious user can influence a pilot’s decision to change the route, if, through the spoofing flow, he sends the plane a fake message about an upcoming storm,” Nikishin said. “The same malicious scheme could be applied to spoof GPS, making the system believe that it is located in a different place from where it actually is.”
The Les Echos article cites research by the International Civil Aviation Organization, which determined that the risk of hacking critical systems was low because aircraft navigation and other control systems are supposed to be air gapped from non-critical systems such as entertainment.
“ACARS uses a proprietary encoding/decoding scheme that has been in use since 1978 – when aircraft equipment was not designed with cybersecurity in mind,” Nikishin said. “This makes it outdated, and we believe that aircraft manufacturers should have already started to develop a new system, with a new approach.”
Ky’s revelation comes a day ahead of the introduction of a new European air traffic control system called Sesar.
“Tomorrow, with the introduction of Sesar and the possibility for the air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied,” Ky said. “We need to start by putting in place a structure for alerting airlines to cyber attacks.”
This isn’t the first time the security of aircraft has been questioned this year. In May, researcher Chris Roberts was pulled off a United Airlines flight after tweeting about hacking the flight he was on. Roberts was detained and questioned by the FBI, which reported that Roberts said he had burrowed through the aircraft’s onboard entertainment center to reach critical systems and issue commands for the plane to climb or bank.
Roberts’ claims were questioned by aircraft manufacturers; Boeing, for example, told CNN its entertainment and navigation systems were not connected and that Roberts’ claims were impossible.