It is "only a matter of time" until a commercial aircraft is hacked, the Department of Homeland Security and other US government agencies have warned. Most planes lack cybersecurity protections to prevent such a hack.
Motherboard obtained internal DHS documents through a Freedom of Information Act request that detail vulnerabilities in commercial aircraft and risk assessments. A number of the documents are still being "withheld pursuant to exemption" of the FOIA.
The release includes a January presentation from Pacific Northwest National Laboratory (PNNL), part of the Department of Energy, outlining the group's efforts to hack an aircraft via its wifi service as a security test.
The hacking test was to be carried out without any insider help, from a position of public access (for example, a passenger seat or the airport terminal), and without using hardware that would trigger airport security. According to the presentation, the hack allowed the researchers to "establish actionable and unauthorized presence on one or more onboard systems."
Another document, from 2017, says testing indicates "viable attack vectors exist that could impact flight operations." A DHS presentation included in the documents says "most commercial aircraft currently in use have little to no cyber protections in place." It points to the fact that even a perceived successful cyber attack could have an "enormous impact on the global aviation industry."
The DHS Science and Technology Directorate documents warn that current policies and practices are not adequate to deal with the "immediacy and devastating consequences that could result from a catastrophic cyber attack on an airborne commercial aircraft."
The threat of airline hacks is something that has been known for some time. In 2015, the FBI warned staff to watch out for unusual behavior after computer security expert Chris Roberts said he accessed aircraft control systems to connect to the in-flight entertainment console as many as 20 times.