On Tuesday, March 24, Germanwings Flight 9525 crashed into the French Alps. All 150 people onboard were killed. After studying one of the aircraft’s black boxes recovered in the crash, investigators determined that Andreas Lubitz, the co-pilot of Flight 9525, deliberately locked the pilot out of the cockpit and altered the aircraft’s trajectory to crash into a mountain range in the French Alps. Lubitz spent years suffering from a depressive disorder and had at one time been treated for suicidal tendencies, a history of mental illness which might explain his decision to kill himself and the other 149 passengers and crewmembers onboard. This tragedy has helped spark a larger conversation on how similar incidents can be avoided in the future. Among the numerous ideas proposed in these discussions, news has emerged of a solution that could make all airliners “hijack-proof.” First conceived back in 2006, the technology would allow pilots, ground control personnel and/or security agencies, including the Central Intelligence Agency (CIA), to remotely re-program an aircraft’s navigation systems with a new flight path that could not be altered by any persons onboard the plane. The solution could also activate if excessive force were applied to the cockpit door, such as when terrorists try to storm a cockpit or when the pilot of Flight 9525 attempted to re-assume control of his plane. This system could, therefore, at least theoretically prevent terrorist hijackings, not to mention disasters similar to the Germanwings crash. Several years ago, Boeing believed that planes all over the world could be fitted with the anti-hijacking equipment by 2010. However, security concerns have prevented industry leaders from standardizing this technology. One of the key issues is the fear that rogue actors could hack the equipment and use it to assume control of a plane. This concern has persisted over the years largely because of the fact that most communication systems on a plane remain unencrypted. “While computer-assisted flight is not a new concept, the ability to take control of a civilian aircraft from the ground is,” explains Travis Smith, Security and Compliance Analyst at Tripwire.
“Communications with pilots and their onboard equipment is largely unencrypted by design to avoid issues when seconds can mean life or death. In fact, this unencrypted communication has been exploited in the past by security researchers.”
Lamar Bailey, Director of Security Research and Development at Tripwire, believes this lack of secure communication channels has held back any and all forms of remote aircraft control technology from being implemented. “The technology is nearly there, but it still has a ways to go to be secure,” Bailey observes. “Remote control of the plane is very much like remote control of a computer using RDP or SSH since a plane is just a big network of computers, only with lots of metal and passengers strapped to it. To protect the lives of everyone onboard, security needs to be a top concern when implementing remote control technology.” Fortunately, there are steps that can be taken to help secure this equipment. First, all communications should be protected by robust forms of encryption and authentication, as Smith points out: “I would hope that complete remote control of a civilian aircraft would implement some form of encryption. At the very least, the system would need to include both server-side and client-side certificate authentication to ensure only trusted sources are controlling the plane.” Bailey is of the same opinion: “The system will need to use top shelf data encryption, and the login procedure should be a lot stronger than the normal 10-character password.” Smart fail-safes that are built into the technology’s commands could also help bolster the technology’s security, Bailey notes. Such precautions could ensure that planes are only diverted to safe locations, such as airports, and are not able to ascend or descend above predetermined altitudes depending on the flight path. These measures notwithstanding, malicious actors could still find ways to exploit weaknesses in the technology, as well as other vulnerabilities found on airplanes more generally. As observed by Bailey, “What if the malicious actor was on the ground in the authorized remote control operations center? The core of the issue here is insider threat and the ability for a single actor to perform malicious acts.” Ken Westin, Senior Security Analyst at Tripwire, is also concerned about insider threats with respect to remote control:
“You may protect yourself from someone attacking from inside the plane, but you open the system to potential compromise from the outside world. There are a number of places that such a system could be compromised, and it could put all planes at risk.”
As one might expect, the danger of insider threats extends well beyond remote control technology. For instance, David Stupples, professor for electronic and radio systems at City University London, explained in a recent article published on Deutsche Welle that malicious insiders can already hack an airplane either by creating an external data-line and using it to upload a virus into the aircraft’s computer systems during a software update, or by physically inserting malware into an airplane’s electronics bay via use of a USB stick. Given these persistent threats, the International Air Transport Association (IATA and a number of other bodies have signed an agreement to coordinate their efforts towards protecting aircraft against computer attacks. As their work gets underway, perhaps these organizations will decide to revisit the remote control technology that was first proposed nearly 10 years ago. Either way, it is our hope at Tripwire that the IATA and its partners will this use collaborative agreement as an opportunity to discuss security measures that will prevent tragedies like the Germanwings crash from ever happening again.
