25 March 2014

Missing Airplanes and the Cyber Threat


Malaysian Airlines Flight 370 (MH370) took off from the Kuala Lumpur International Airport on March 8, 2014 and was scheduled to land at the Beijing International Airport approximately six hours later. However, the Boeing 777 planewith 12 crew members and 227 passengers of 15 nationalities on board, just disappeared off all communication systems less than an hour into its flight and is yet to be traced. Conspiracy theories behind this sudden and shocking disappearance continue to range from the plausible to insane and include a possible terrorist attack along with a crazy movement of the Bermuda Triangle to the Gulf of Thailand.

Though cyber-attackis not being considered as a possible cause of the disappearance of the aircraft, the possibility of such attacks in future on systems dependent oninternet-connected devices cannot be ruled. This should serve as a reminder of the vulnerabilities of such systems, lest they prove fatal in the near future. The World Wide Web celebrated its 25th anniversary on March 12, 2014 and while this Tim Berners-Lee creation has changed how information is shared throughout the world, it has also raised questions over the security and safety of national and international assets.

The Automatic Identification System (AIS) is an automatic tracking system that is used on vessels across the world and is mandatory for all commercial ships over 300 metric tons and all passenger ships, regardless of size and weight. The AIS is used for identifying and locating vessels by electronically exchanging data with nearby ships, AIS base stations and satellites. A private security firm, Trend Micro last year demonstrated how unsecure the AIS is when it exposed serious flaws in the system that could allow hackers to alter the paths of ships, fake their position and make them disappear. Researchers from the firm were able to spell the word “PWNED” off the coast of Northern Italy by altering paths of ships by feeding them incorrect GPS coordinates[i].

The way AIS works in a ship or a vessel, the Flight Management System (FMS) of the plane automates a wide variety of in-flight functions. It uses the Global Positioning System (GPS) amongst other electronic sensors for radio-navigation to determine the aircraft’s position. However, the GPS has not proved to be fail-safe and is the weakest point of the navigation systems as wasdemonstrated by Iran in December 2011. A team of scientists hacked into a GPS navigator of the American RQ-170 Sentinel stealth drone and forced it to land inside the country as they made the drone believe it was landing in Afghanistan by spoofing the GPS signals[ii].

Automating most of the in-flight systems to reduce pressure on the pilots has inadvertently made the airplane asoft target for cyber threats. A German security consultant, Hugo Teso, demonstrated in April 2013 an android application that he claimed could allow him to hijack an airplane remotely. Also a commercial pilot, Teso unveiled at a conference in Amsterdam his app named SIMON and using a flight simulator, he claimed that he could alter the speed, direction and altitude of an airplane by sending radio signals to its FMS and making them appear as if they are originating from an authentic and legitimate source. The American Federal Aviation Administration (FAA)has however denied Teso’s claims on the basis that this app cannot be used to hijack actual aircrafts and only works in virtual environments. But such sophistication in technology begs us to ask the question of aviation safety from cyber threats[iii].

Airplanes have in the past been targeted for their low levels of security with the hijacked Indian Airlines flight IC-814 in 1999 and the attacks on the World Trade Centre and the Pentagon on September 11, 2011 springing up as the notable examples. Such events involved taking physical control of the flight but technology has since come leaps and bounds and it is possible to now navigate and divert an aircraft to a desired location from the comforts of one’s home.Similar to the AIS, flights are tracked and identified using the Automatic Dependent Surveillance-Broadcast (ADS-B), which uses the Global Navigation Satellite System (GNSS) to determine the position of an aircraft and periodically broadcasts this via a radio frequency. The ADS-B is scheduled to replace the radar as the primary surveillance method with the United States requiring majority of aircrafts in its airspace to be equipped with some form of the technology by 2010 while the European Union wants this to be done by 2017.The signals received by the FMS can be made to look authentic despite coming from a compromised source and better checks need to be put in place to ensure over-reliance on such systems does not cost human life.

Though the internet has brought the world to every doorstep, it has also emerged as a new threat to national and international assets. We should not let the MH370 be remembered as anairplane that took weeks to be found, rather as a milestone in technology development that forced us to question our existing safety standards and move towards a more secure future.

The author is an intern at CLAWS. Views expressed are personal.

[ii]“Iran hacked GPS, hunted US drone”, at http://www.press tv.com/detail/216428.html

[iii] “Hacker says phone app could hijack plane”, CNN, April 12, 2013, http://edition.cnn.com/2013/04/11/tech/mobile/phone-hijac k-plane/

No comments: