Researcher Hacked In-Flight Airplanes From the Ground

In what may be the last thing you want to hear about today, a security researcher claims that he was able to hack into Wi-Fi networks and satellite communications (satcom) on in-flight airplanes from a position safely on the ground. Four years ago the same researcher discovered critical flaws in satcom systems that allowed attackers to invade and disrupt communications links to airplanes, ships and military operations, among other networks.

Ruben Santamarta is principal security consultant with IOActive, and he told Dark Reading that he had concluded from prior research that access to the systems of a plane in flight was possible, although he had never proved it. Until now.

The gateway to the plane’s systems will come as no surprise: flaws in Internet of Things (IoT) devices that leave all manner of entry open to someone who has access to satellite services. Santamarta said, “We can leverage satcom devices to perform cyber-physical attacks.” A cyber-physical attack is one in which an attack on software produces a physical effect.

Santamarta says that while satcom security problems are serious, “it’s not yet an apocalypse.” He also notes that these are not theoretical models: “We are using [vulnerabilities] in satcom devices to turn those devices into weapons.”

There have been two prior instances of hacking attacks directed at airplanes. In a 2015 incident, a passenger hacked into the plane’s Wi-Fi network from his seat on the plane. Last year, a U.S. Homeland Security team succeeded in hacking into a parked Boeing 757 using RF communications. Santamarta is the first to invade an airplane’s communications systems from the ground.

Santamarta plans to demonstrate how he gained access to the aircraft and its communications gear to attendees at the August Black Hat Conference in Las Vegas. He also told Dark Reading that he’ll demonstrate how satcom gear can be “weaponized as a radio frequency (RF) tool [that could] pose security risks” to the aircraft. Until his conference presentation, Santamarta has chosen not to disclose details about what he did and how he did it.