Noah Brier | November 29, 2023
Airplane Hacking Edition
On software, flying, and building a culture of security
Noah here. An ongoing theme in action movies and thrillers is someone hacking a plane. Sometimes, it comes from the seatback entertainment and sometimes elsewhere, but it’s a reasonably regular theme across the genre.
The question, of course, is whether any of it is possible. Security specialist/hacker Ken Munro set out to answer that question. The challenge was how to get his hands on a plane, specifically one that would never fly again lest he put lives in danger. Surprisingly, he discovered that an airplane boneyard—where retired planes go to be taken apart—was willing to accept a bit of cash in exchange for his tinkering with the innards of the plane’s computing systems.
What Ken discovered, and outlined in an interview with 1Password, was that it’s thankfully not possible to hack into a plane’s control systems via the seatback entertainment. “Most airplane manufacturers, unsurprisingly, are on it,” he explained. “They understand the threat from hackers. The airplane networks are very carefully segregated. You have a bit in the cabin that’s called the Passenger Information Entertainment Services Domain. That’s completely isolated from what we call the Aircraft Control Domain, or ACD. That’s the bit the pilots work on.”
While he wasn’t able to hack the in-flight systems, his research did uncover a significant weakness: electronic flight bags. Pilots carry these tablets in place of many paper maps and other materials that they use to calculate things like the power needed for takeoff and landing. Unfortunately, it turns out these things aren’t particularly secure: some had no PINs, others just used zeroes, and many weren’t locked down and allowed the loading of random apps. These are all serious hazards when you’re talking about a system that is used to make major decisions.
Why is this interesting?
While he was able to find these vulnerabilities, he also found that the security apparatus around flying was far better than what exists in the software industry. “One thing I want to mention that I love about the aviation industry compared to the cyber industry,” Munro explains, “is that incidents and accidents are reported and shared without blame attributed. That way, everyone can learn. As a result, the safety of flying has gone through the roof over the last 50 years.”
It doesn’t mean it’s simple to fix or that every manufacturer was happy to hear about their vulnerabilities. But because there’s an industry-wide mandate for documentation and transparency (to a degree), they can build on past failures (and successes). Juxtapose that with what’s happened in the software industry over the last few years, with one major breach after another, each quickly swept under the rug by the hacked company. Given how widespread and insecure a lot of software is and how hard it is to get people to upgrade to the latest and safest version, it’s scary to think where much of this stuff will be in 50 years. I guess the one saving grace is that phones get replaced a lot faster than planes do.
—
Thanks for reading,
Noah (NRB) & Colin (CJN)
—
Why is this interesting? is a daily email from Noah Brier & Colin Nagy (and friends!) about interesting things.