As Airlines Digitize, They Are Confronted With Increased Cybersecurity Risks
And while none of the outages have been linked to deliberate sabotage, it’s likely that hackers do probe aviation systems looking for potential vulnerabilities, whether in ticketing systems, air traffic control networks, or computer systems onboard planes, experts say.
“We don’t have a lot [of hacker attempts] in the airline systems yet where they’ve been successful,” says Mickey Roach, a partner at PricewaterhouseCoopers who works with cybersecurity issues. “We know that they’re trying.”
Last year, United reportedly banned security researcher Chris Roberts after he implied he could take control of the plane’s digital systems by connecting to a computer accessible from his seat. And while the airline has said the technique wouldn’t actually work, a report issued last year by the Government Accountability Office issued a general warning that increasingly connected systems on planes could boost the possibility of cyberattacks or malware entering through computers brought on board by airline staff.
“For example, the presence of personal smartphones and tablets in the cockpit increases the risk of a system being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems,” according to the report.
Similarly, the GAO warned that plans by the Federal Aviation Administration for more interconnected air traffic control systems would likely require greater attention to cybersecurity—not as necessary in existing systems with limited connectivity. In essence, as aviation technology modernizes and more closely resembles other computer networks, it’s vulnerable to the same threats seen in other industries and to a wider range of attackers with the knowledge necessary to inflict damage, says Tim Erlin, senior director of IT security and risk strategist at the security firm Tripwire.
“These traditional systems require physical presence or physical access. They require specialized equipment to access them,” he says. “There’s a tendency to make an assumption of security through obscurity.”
Airlines are making progress, he says, by being more mindful of potential threats and how to prevent them. They’re also increasingly sharing information on potential digital threats through organizations like the Aviation Information Sharing and Analysis Center.
“The mitigation strategies are sharing information between all parties and collaboration,” wrote Pascal Buchner, CIO of the industry trade group International Air Transport Association, via email.
Even if hackers don’t gain access to in-flight systems, they can still potentially cause disruptions, tampering with ticketing systems, maintenance tracking systems, or even the computers that track where flight crews are spending the night, according to Roach. If airlines can’t figure out who has a valid boarding pass, whether a plane’s had all of its necessary maintenance, or if the flight crew has had enough time off to fly legally, they will be forced to cancel flights.
In other cases, airlines can lose money and face angry customers because of online fraudsters gaining access to frequent-flyer accounts. A Florida man was arrested this spring on charges that he stole more than $260,000 worth of American Airlines miles, and a man said to have knowledge of Air India’s frequent flyer systems was arrested in July after he allegedly used a combination of illicitly obtained login credentials and forged paperwork to steal miles and sell airline tickets to travel agents.
“It’s a big problem, because what happens is, it’s not the major hacking groups that are doing this—usually it’s this one-off kind of stuff,” Roach says. “People’s individual accounts get hacked, they transfer the points out, and then people complain, and [airlines] have to replace the points.”
To help curb attacks on consumer-facing systems, last year United became the first major airline and one of the first large non-tech companies to launch a bug bounty program, rewarding hackers who report security flaws in the company’s systems.
“We did it because our overriding concern in everything we do is to ensure our customers’ information is well secured and that their private data is in good hands with us,” says Arlan McMillan, the airline’s chief information security officer.
Participants who report bugs are rewarded with frequent flyer points‚ not cash, like some other bug bounty programs, and they aren’t allowed to experiment with in-flight systems. So far, McMillan says, the program has delivered valuable results, though he declined to go into detail about the number or nature of detected bugs, or the number of miles paid out. While the company already had standard security measures like penetration testing in place across its servers, bug bounty hunters have still found additional flaws, says McMillan. Participants can earn up to 1 million miles for a severe bug that allows hackers to execute code on United’s servers.
“We’ve found some interesting business logic situations that the moon has to be aligned perfectly for this vulnerability to actually present itself, so very unique cases like that,” he says. “My team loves puzzles, and you can think of these types of researchers in very much the same way: They look for puzzles.”
Generally, airlines have been quick to adopt new technologies, saving money and giving customers more options in how to do business with them, Tripwire’s Erlin says. But many of those technologies also increase the number of ways the airlines’ growingly complex processes can go awry, whether due to out-and-out sabotage or simply unexpected technical flaws.
“In adopting that technology, they’ve adopted not just the security risks but the operational risks that come with that technology,” he says. “The tricky part with IT is there are always new and interesting ways for things for fail.”