So far theories of how to hack into an airplane have been “debunked,” but given the way hackers openly share information and the status that that would come with a cyber plane hack it’s only a matter of time before it is done, an official with Air Canada said this week.

Over time elite hackers have moved from simply defacing web sites and taking over traffic lights to hacking automated teller machines all for fun and to “prove a point that they could do it,” Paul Assaad, manager for IT Security and Compliance at Air Canada, said on Tuesday at the International Air Transport Association’s AVSEC World conference in Washington, D.C. Elite hackers aren’t terrorists and are out only to demonstrate that they can do something.

Airbus A350 passenger plane flying at the Farnborough Air Show this year. Pascal Andrei, head of Aircraft Security at Airbus, said at AVSEC World he hired 15 hackers find cyber vulnerabilities on the aircraft. Photo: Airbus Group
Airbus A350 passenger plane flying at the Farnborough Air Show this year. Pascal Andrei, head of Aircraft Security at Airbus, said at AVSEC World that he hired 15 hackers to find cyber vulnerabilities on the aircraft. Photo: Airbus Group

Assaad said as part of an aviation industry panel discussion on cyber security that he’s only been in the industry two years but that “right off the bat” he began to see a lot of discussion among elite hackers about hacking planes. He pointed to two recent instances where individuals claimed they could hack into planes, including one person who said he could do it from an Android device and the other who said he could break into a plane’s communication system via its onboard Wi-Fi or in-flight entertainment system.

Both of those theories were “debunked” given the laboratory set ups they used, but they also “exposed a lot of vulnerabilities” in individual systems, Assaad said.

Both individuals published their respective research on their information about their theories and it can easily be found online, Assaad said.

“Eventually they will get it right, the way they share information,” Assaad said, and “they’ll figure out it out and be able to exploit a plane.”

One potential vector into a plane’s flight control system could be a portable electronic device that physically connects to the aircraft. Mike Garrett, director of Aviation Security for Boeing’s [BA] Commercial Aircraft division, said during the panel discussion that these Class 2 Electronic Flight Bags could be at risk depending on how careful or not an aircraft pilot may be.

Garrett, who was in the audience but was asked for this thoughts at one point during the discussion, said that a pilot in his hotel room could download a control system virus that is intended to go “after the plane.” He said these Class 2 devices are preferable to electronic flight bags that are embedded in an aircraft because they are less costly and more flexible in terms of getting software updates.

But even though the portable devices are one-way communications devices, that feature could possibly be compromised, opening a path to the flight control system, Garrett said. He added that currently this is “not a huge concern of mine” but eventually it could become a “bigger issue.”

Garrett said the industry needs to do a better job of regulating itself on these matters or government regulators will eventually get into the back offices of industry entities once they know that there is a safety issue.

To counter this potential threat, there needs to be better communication throughout the industry, not just at upper levels where frameworks and strategies are agreed on but also at the “practical and operational” levels, Assaad said. He added that there are a lot of good things happening within the industry in terms of having technology to detect cyber attacks.

However, eventually there will be a cyber breach and the industry needs to do more to work on the “respond and recover” parts of the cyber attack mitigation chain, he said.

Steve Jackson, group head of Security, Facilitation and Business Resilience at Australia’s Qantas Airways Ltd, said the industry understands the need for a cyber resilience strategy, but “I’m not too sure that collectively across the industry we’re doing enough about strengthening our resilience.” That said, Jackson said that from what he had seen at the conference and on the panel he moderated, that there is “more willingness” of people in the industry to share their “insights and perspectives” on cyber security challenges.

Jackson also said that cyber security needs to be one of the top three to five priorities on the boards of any company in the aviation industry.