Blog: Aviation Cyber Security

Causing incidents with in-flight entertainment systems

Ken Munro 07 Feb 2023

Some odd things have happened on airplanes recently. The voice on the PA system on an American Airlines flight was one of these. Before the airline put out a response, we were asked to speculate about how it might have happened. American then discovered that there was an issue with one of the PA amplifiers that led to the odd sounds, but the incident got us thinking.

This is a useful exercise, as it helps everyone think about the ‘what ifs’ and ensure that future airplane systems are suitably cyber secure.

The PA system was hard wired, indicating that it would be really quite challenging to compromise, so how could a system like this be hacked?

  • Some planes have a medical communications system in the cabin, for allowing easy communication between a medic on the ground and someone assisting a sick passenger in the air. These are just microphone and headphone jacks that connect into the cabin interphone system (the same that allows crew to make announcements, but also private calls between cabin and flight deck) which can be patched into a radio by the flight crew. These medical intercoms are increasingly rare.
  • Service interphone connections are available in the wheel wells and other maintenance locations like the avionics bay, for ground crew to connect a headset to. Barring something very unusual these are just for pilot to ground communications and wouldn’t be broadcast into the cabin.

[Image: Interphone connection]

  • The interphone and crew call buttons are a surprisingly complex system, as it has to handle cabin lights, chimes, and also pause any in-flight videos. It can also be linked to the in-flight entertainment system.
  • Another potential route would have been to tamper with the pre-recorded announcements. These are often stored on the Flight Attendant’s Panel (FAP) in removable storage media. Here’s an old FAP from an A320 we were working on with a removable data cartridge, though more recent FAPs can be loaded from USB sticks. It wouldn’t be easy to replace the media without being spotted, though FAP passwords are often very… straightforward.

Content for some systems can be refreshed when there is ‘weight on wheels’, i.e. when the plane is on the ground. This feature is present in some in-flight entertainment systems and is starting to be used for other content. We found a vulnerability in an IFE updating system that allowed us to change content on ground servers, which was then synced to the plane in this way.

Online updates can make operations much more efficient: updating the cabin safety video, for example, is very time consuming if done manually on each airplane. Far better for the plane to check for an update over Wi-Fi when it lands. This can open up potential for tampering in future though.
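One way the aircraft side could resist the ground-server tampering described above, shown as an added example (not code from the original post or from any IFE vendor). The function names, manifest layout and key are assumptions, and HMAC stands in for a public-key signature made by an offline content-signing station so that the example needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real design the aircraft would hold only the public
# half of an offline signing key; HMAC stands in to keep this stdlib-only.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

def sign_manifest(files: dict, version: int, key: bytes = SIGNING_KEY) -> dict:
    """Run at the content-signing station, never on the ground sync server."""
    body = {"version": version,
            "files": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "mac": hmac.new(key, canon, hashlib.sha256).hexdigest()}

def accept_update(manifest: dict, files: dict, installed_version: int,
                  weight_on_wheels: bool, key: bytes = SIGNING_KEY) -> tuple:
    """Aircraft-side check: the ground server is treated as untrusted transport."""
    if not weight_on_wheels:
        return False, "refused: aircraft not on the ground"
    try:
        body = manifest["body"]
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        expected = hmac.new(key, canon, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(manifest["mac"])):
            return False, "refused: manifest signature invalid"
        if int(body["version"]) <= installed_version:
            return False, "refused: version not newer (rollback or replay)"
        listed = dict(body["files"])
    except (KeyError, TypeError, ValueError):
        return False, "refused: malformed manifest"
    if set(listed) != set(files):
        return False, "refused: file set differs from manifest"
    for name, data in files.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), listed[name]):
            return False, f"refused: hash mismatch for {name}"
    return True, "accepted"

def demo() -> list:
    good = {"safety_video.mp4": b"constructed sample video bytes"}
    manifest = sign_manifest(good, version=8)
    swapped = {"safety_video.mp4": b"content replaced on the ground server"}
    return [accept_update(manifest, good, 7, True),        # genuine update
            accept_update(manifest, swapped, 7, True),     # media swapped in transit
            accept_update(sign_manifest(swapped, 8, key=b"wrong-key"), swapped, 7, True),
            accept_update(manifest, good, 8, True),        # replay of current version
            accept_update(manifest, good, 7, False)]       # sync attempted in flight
```

Because the check depends on a key the ground server never holds, changing content on that server produces a refused update rather than new cabin content.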

Now, the ‘voice’ incident didn’t end up as a safety issue. Cabin system issues are unlikely to, as the aircraft control domain (ACD) is totally separate from the passenger domain (PIESD) and aircraft information services domain (AISD).

Could a cabin cyber issue result in a safety incident affecting the plane?

We’ve said many times that press stories about hacking an airplane from the IFE system are usually misleading. The only connection that is sometimes present is one-way from the flight management system (FMS) to the moving map to show you where you are. No, it’s not something you can use to send traffic back up the other way!

That’s not to say that IFE can’t be hacked. We’ve found bugs ourselves, as have others. We were working on retired planes with permission, so please don’t go pen testing on your next flight. It’s likely to be illegal and may end up with a flight ban at the least. Besides, most of the issues have been fixed since.

Anyway, so you’ve found a vulnerability and maybe you can stream arbitrary content to the IFE screens on board.

So what?

During a number of chats with other airplane cyber experts over a few years, we discussed a few ideas, one of which was pretty alarming.

So let’s say you can stream arbitrary content to all IFE screens concurrently through one of the methods we have proven. Maybe you do this by replacing a cabin safety video. What could you replace it with?

How about a video that tells the passengers that the plane has been hijacked and that they need to break into the cockpit to free the pilots?

Passengers can be jumpy at the best of times, but even then a calming announcement from the pilot would probably prevent an in-flight incident.

Probably the worst result would be some negative press coverage and some dodgy videos on social media.

But what about weight and balance…

Weight and balance are really important in airplanes, particularly at slower speeds when taking off or landing. There are numerous incident reports available online where planes were misloaded and had issues. A few, sometimes when cargo had shifted, resulted in an out of balance condition so bad that the plane became uncontrollable and crashed.

Could you create an announcement that caused an out of balance condition?

A video alert on all IFE screens that indicated that there was a ‘security incident’ at the front of the plane and that all passengers should quickly move to the back for their own safety?

Would you argue the point, or would you do as you were asked?

So the passengers rush to the back. On a plane with, say, 180 passengers, that’s a movement of >10 tonnes of weight. The effect on balance would be even greater, as the plane is balanced around the centre of pressure.

In normal operation, owing to fuel burn etc, the Centre of Gravity would only move by 3-4%. In this case, it’s going to be moving by a great deal more. This has the potential to exceed the envelope of safe operation. That said, there are significant safety margins built in.

The out of balance situation may be mitigated by higher airspeed increasing airflow over the elevators; some types also have the ability to move fuel forward or aft between tanks to balance the plane.

But, create an incident on approach to land when there isn’t much fuel in the tanks and airspeed is lower, then an unrecoverable stall is a possibility.

Sound far-fetched? This incident appears to have involved an escaped crocodile on a commuter plane. The passengers rushed aft to escape it, creating an out of balance condition, stall and crash. Reports about the cause do vary though.

A calm voice from the cockpit

The scenarios discussed here could of course be dealt with by timely, good-natured, and repeated announcements from the cockpit and cabin crew. However, I would like to see scenarios such as this built into pilot and cabin crew training. More weird things are going to happen on airplanes as they become increasingly connected. Let’s get ahead of these and ensure our crews are prepared.

Taking Action

In the event of power loss, standard action for pilots would be to shed electrical load which would include pulling the circuit breaker for the IFE in the cockpit. However, I don’t believe there is a procedure for doing so in the event of the IFE ‘going rogue’. Similar problems may be present for cabin crew – training is unlikely to include actions for shutting down the IFE in such a scenario.

There is generally a method to power down the IFE at the flight attendant’s panel or cabin management terminal, but an emergency shutdown switch could be a wise addition.

Conclusion

I don’t think an attack like this is likely. Moving sufficient weight around an airplane in flight would be a significant challenge, mitigated by good process, robust standard operating procedures and security controls.

It does however remind us of the importance of cyber security on non-flight safety systems.