DHS experts warn it's a "matter of time" before hackers hit commercial airliners
WASHINGTON -- Cybersecurity experts working for the Department of Homeland Security (DHS) issued a sobering warning about the vulnerability of commercial airliners to hackers. The same group of experts hacked a Boeing 757, and now CBS News is learning more about the government's ongoing efforts to learn about the vulnerabilities.
In a presentation in January, researchers from the Pacific Northwest National Laboratory warned it is "a matter of time before a cybersecurity breach on an airline occurs," according to 119 pages of heavily redacted documents provided by DHS to CBS News. That assessment came after a DHS decision to launch "nose to tail" tests of a Boeing 757 for hacking weak spots.
The documents, which were first reported by the website Motherboard, show DHS planned to begin developing mitigation efforts to protect against cyberattacks in 2017.
Those tests came after a DHS team led by Dr. Robert Hickey took just two days to hack remotely into the plane while it was parked at a Federal Aviation Administration (FAA) facility at the Atlantic City Airport in September of 2016.
The DHS team gained access through the plane's radio frequency communications using "typical stuff" that could be brought through airport security. In response, DHS officials scheduled further hacking attempts on the plane, including efforts to access flight management, life support, autopilot, the plane's electrical and fuel systems as well as its engines.
"I think we've come to realize that cyberthreat is everywhere," said Ron Hosko, former assistant director of the FBI. "My fear is that our nation acts most directly when they're on the backside of a crisis. The crisis has occurred we lose a lot of lives and now we're prepared to put money into infrastructure."
The 757-200 aircraft being tested is old, having "reached end of life and is equipped with some older technologies no longer widely in service," researchers wrote in one document.
While the 757 hasn't been built since 2004, it is an aging workhorse for American, Delta and United airlines. President Trump's personal plane is a 757, as is the aircraft often used by Vice President Mike Pence, sometimes referred to Air Force Two.
The documents show experts wanted to see if the plane's inflight entertainment system, Wi-Fi or even USB charging ports could be used as a way to hack in.
But in a statement, Boeing says:
The Boeing Company has worked closely for many years with DHS, the FAA, other government agencies, our suppliers and customers to ensure the cybersecurity of our aircraft and will continue to do so.
Boeing observed the test referenced in the DHS documents, and we were briefed on the results. We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.
Boeing is confident in the cyber-security measures of its airplanes. Multiple layers of protection, including software, hardware, network architecture features, and governance are designed to ensure the security of all critical flight systems from intrusion.
Boeing's cyber-security measures have been subjected to rigorous testing, including through the FAA's certification process, and our airplanes meet or exceed all applicable regulatory standards.