Commercial aircraft are vulnerable to hacking from in-flight WiFi, watchdog report warns

Commercial airliners are vulnerable to hacking by terrorists using the in-flight Wi-Fi and entertainment services, a US watchdog has warned.

The Government Accountability Office (GAO) has published a report outlining how passengers could gain access to an aircraft's IT system and install viruses and malware. The Federal Aviation Administration (FAA) is criticised by the report for not "allocating resources properly to guard against the most significant cybersecurity threats".

Concerns over the aircraft security comes as the industry transitions to the Next Generation Air Transportation System, a new air traffic control system to be implemented in the US between now and 2025, and an increase in passengers using internet-connected devices like laptops, tablets and smartphones.

The next-generation system will see every aspect of flight, from the aircraft and traffic control, to navigation systems, incident detection, and response systems connected under one cloud. If one entry point to this cloud is compromised, hackers could have wide ranging access to the control and navigation of commercial aircraft.

The report, published on 14 April, said: "Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors." The GAO says the FAA has not developed a cybersecurity threat model.

'A user could subvert the firewall and access cockpit avionics'

It is claimed aircraft could be open to remote attack by planting viruses in websites visited by passengers using the in-flight Wi-Fi. Essentially, if any IT system accessible by passengers shares the same cabling and routers as systems used by the aircraft to communication with air traffic control, then the GAO believes there is a problem.

Citing multiple cybersecurity experts consulted to produce the report, it said: "If the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP [address], a user could subvert the firewall and access the cockpit avionics system from the cabin."

Commenting on the report to the AFP news agency, Peter DeFazio of the US Committee on Transportation and Infrastructure, said: "The report exposed a real and serious threat - cyberattacks on an aircraft in flight. FAA must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system."