A team of cybersecurity experts working with the US Department of Homeland Security (DHS) had reportedly hacked a Boeing 757 aircraft on the runway at Atlantic City airport, New Jersey in a controlled experiment carried out as a part of the test in September 2016. The team comprising of academicians and industry experts were able to remotely crack the IT systems of the 757 and take control of the aircraft, with the pilots unaware of the experiment taking place.
During a keynote speech at the CyberSat Summit 2017 in Virginia last week, Robert Hickey, the aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, revealed the chilling details of the hack.
“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Hickey. “[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
Hickey said the details of the hack were classified but the researchers exploited the plane’s own radio frequency communications to penetrate its internal network. The classified test was reportedly carried out by the DHS “artificial environment and risk reduction measures were already in place”. Also, a Boeing official was present during the hacking of the aircraft
Following testing, Hickey said that experts advised that “it was no big deal”.
Apparently, Aviation and IT security experts were aware of the security flaws discovered by DHS. But it was only in March 2017 that seven airline pilot captains from American Airlines and Delta Air Lines were informed that their aircrafts could be hacked.
A Boeing spokesperson said: “The Boeing Company has worked closely for many years with DHS, the FAA, other government agencies, our suppliers and customers to ensure the cybersecurity of our aircraft and will continue to do so.
“Boeing observed the test referenced in the Aviation Today article, and we were briefed on the results. We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.”
Back in 2015, a security researcher, Chris Roberts claimed to have gained access to an aircraft engine during a flight through its entertainment system; however, those claims were never verified.