DHS says it remotely hacked a Boeing 757 sitting on a runway

Remember how, back in 2015, security expert Chris Roberts jokingly tweeted about how he could hack the onboard systems of the airplane he was sitting in?

As in, say, get all the oxygen masks to drop in front of everybody’s faces? …thanks to a Wi-Fi flaw Roberts said he found in the in-flight entertainment system, and which he said even let him tinker with engine controls?

Well, somebody over at the Department of Homeland Security must have said, “Actually, we can hack our own damn planes.” And so they did, with a team of aviation hackers exploiting a flaw via “radio frequency communications” that’s evidently been known about for years.

The news came out of a keynote at the 2017 CyberSat Summit in Tysons Corner, Virginia. The keynote was presented by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

According to Hickey, his DHS-led team managed to remotely hack a Boeing 757 airplane parked at an airport in Atlantic City, New Jersey. Avionics reports that aviation experts have for years known about the flaw Hickey and his DHS team exploited, but seven experienced pilots from American Airlines and Delta Air Lines were blindsided when briefed at a technical exchange meeting in March 2017.

Avionics quotes Hickey:

All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible.’

Hickey said he and his team got the airplane, which is owned by DHS, on 19 September, 2016.

Two days later, I was successful in accomplishing a remote, non-cooperative penetration.

The details of the RF flaw are classified, Hickey said, which means we don’t know the what, how, or where of the hack. Without these details from DHS, we don’t know how to fix it, and we don’t know how applicable the flaw is outside of a controlled experiment such as this one.

Why hasn’t anybody patched the avionics subsystems that are afflicted with this flaw? Hickey, for his part, said that it costs too much to fix.

According to Hickey, Southwest Airlines, for one, would be “bankrupt” if it had to fix its entire fleet of Boeing 737s, while other airlines that fly 737s would also see their earnings take a hit.


The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement.

… Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

Commenters on Avionics’ story warned of a high noise-to-signal ratio with this story.

From “CommonSense”:

The only RF delivered on the 1983 757 would be ACARS, so that would be the entry point.

Now if it was modified by someone else to have WiFi or other communications on it, then you are talking about a poorly implemented modification.

As far as the SWA 737 goes, the Classics are mostly retired, the NextGens may have WiFi but they were added after the factory without connecting to the cockpit. The Max’s are hopefully secure by design right from the factory. If Boeing isn’t doing the right thing in their design, then they ought to be liable, not SWA.

And from “Bardi”:

Yeah, let us start with an aircraft that first came out in 1983. $1 million for each aircraft or for a fleet? Changing “one line of code” is relatively inexpensive as each vulnerable piece of avionics is cycled through on regular mx.

Hickey explained that a fix would be a nightmare because there just aren’t maintenance crews that can deal with sniffing out cyberthreats aboard an aircraft:

They don’t exist in the maintenance world.

Hickey, who commanded a logistics group when he was in the Air Force and who was an airline pilot for more than 20 years, said that CIOs of airlines don’t know how to do this either:

[Airline CIOs] don’t know how to chase a cyber spark through an airplane either. Why? Because they have been dealing with, and they’re programmed to, and they do a great job of, protecting the terrestrial-based networks. Airplanes are absolutely different – crazy different.

Back when Roberts’ tweet got him blocked from flying, Naked Security’s Paul Ducklin took a look at whether a hacker could really bring down a plane from a mobile phone in seat 12C, and he found the possibility remote, but still worthy of worry, given that the only thing between the cockpit and the passengers’ wireless access was a router:

I don’t know about you, but a single blue box labelled “ethernet router” between seat 12C and the pointy end of the plane certainly gives me pause for thought.

When the GAO next produces a Cybersecurity in the NextGen Project report, I’d be a lot happier to see two separate red lines providing network service inside the plane.

Mind you, Hickey’s DHS team – which included Massachusetts Institute of Technology, the Energy Department’s Pacific Northwest National Laboratory, SRI International and QED Secure Solutions (which is led by Johnathan Butts, a former Air Force officer who’s done cybervulnerability assessments of Minuteman III intercontinental ballistic missiles and B-52 bombers) – used an RF flaw, not Wi-Fi.

At any rate, readers, if you’re in the industry, we’d love your take. If you’ve got avionics cybersecurity smarts, please do give us your own thoughts about how much we have to worry about when it comes to hackers remotely taking over aircraft onboard systems. Is the flaw well-known? Would you call it a $1 million, one-line-of-source-code fix, or is it a bit more reasonable? Would it really cost an arm and a leg to remediate?

And most important of all: how easy is this RF flaw to hack?