Cyberjacking Airplanes - Terrorism in the Air?

By Thea McDonald

Photo: American Airlines B757-223, License: Public Domain

Imagine the devastation, an international bad actor hacks into an American airplane in flight and autopilots the plane remotely. In a post-9/11 world, this is a frightening possibility. Thankfully, according to the Department of Homeland Security (DHS), we are not at that point. 

We are, however, at the point of government officials being able to successfully test hack a Boeing 757, as a DHS official explained at last month's CyberStat Summit.

According to Avionics, the test hack occurred in September 2016, but DHS official Robert Hickey didn't announce the successful attempt publicly until last month. Hickey told CyberStat Summit attendees that the details of the 757 hack are classified, but that the joint government, industry and academic team that executed the test “establish[ed] a presence” on the aircraft via the plane’s radio frequency while the plane was parked at Atlantic City airport. To highlight the potential risks, the hack team only used items that a typical flier could bring through the TSA security checkpoint.

While the hack was executed remotely – meaning that no one was physically touching or on the aircraft – the “hackers” couldn't actually reach the plane’s controls that alter the flight path. This probably reads as comforting news to most frequent fliers, but the potential for a commercial aircraft to be vulnerable to remote manipulation seems to be generations ahead of a passenger’s cell phone signal interfering with ground systems.

And even though production of Boeing 757s was discontinued in 2004, many commercial airlines still have 757s in their employ, and the president and vice president still travel on the 757 model.

We live in a world where cyber-attacks are daily news and international cyber-criminals hold American businesses’ information hostage. If a terrorist ever managed to take down a single commercial U.S. airliner – or infinitely worse, many airliners in a coordinated attack – the information hacks we see so frequently would pale in comparison to the devastation this kind of coordinated aviation cyber-attack would bring. Now, the U.S. government’s national security teams must not only worry about cyber-attacks that could cause massive booking problems, strand passengers, and create massive delays, but must assess and mitigate the possibility of cyber-attacks that could take lives at the click of a button or the maneuver of a virtual joystick.

An ability to breach the cockpit could take us into a world where a 9/11-style attack could be executed without the hijackers anywhere physically near the aircraft. The international legal complications of such an attack may give cyber-smart international terrorists a get out of jail free card.

The legal quandary could get even messier based on which country a hacked plane took off from and where it was headed. The type of agreement, or lack thereof, that the U.S. has with the country of the flight’s origin, plus the location of any mid-flight accident, could affect possible jurisdictions for the government and passengers’ survivors to bring suit.

Thankfully, there are several steps and missing pieces any potential bad actor would have to put in place to get from a successful government on-the-ground, stationary hack test that couldn’t reach the plane’s control system to a successful hack of a mobile airborne target that completely takes over control of the craft. 

In the wake of the DHS test hack news, cybersecurity analyst and former State Department adviser Morgan Wright joined FOX News to discuss the test’s implications. Citing our aircrafts’ aging infrastructure and the successful hack, Wright expressed his concern: “If you take down one plane, I have to act as though every plane is vulnerable, and now I have to defend every single plane.”