Why hackers don’t fly coach

Physical security is relied on too heavily for cabin-based systems on the Airline Information Services Domain (AISD). Whilst the Aircraft Control Domain (ACD) is separated, there are still plenty of interesting information, data and systems that are accessible from the cabin, for those who are prepared to ask.

I’ve learned plenty about these systems from simply asking and looking. Don’t go touching though – you won’t need to if you ask crew to show you around the systems!

However, premium passengers are given a much greater rein to explore systems: ‘nothing is too much trouble’ is a common mantra. I don’t get to travel as a premium passenger often, but the occasional upgrade from the airline is very much appreciated. It opens the door to the social engineer on board

Being up front matters

Even if you’re a the back of the plane in coach, chatting to bored cabin crew in the galley on a long haul flight, showing genuine interest in their job role and the systems they use is often revealing.

But being ‘up front’ makes things much easier: the interesting systems tend to be in the premium cabins. Hence, being in coach doesn’t help so much

I have been left, sat at an unlocked Cabin Management Terminal (CMT) for at least 10 minutes unsupervised. Before being left alone, I was given a full tour of the system and was fascinated.

I asked permission and took photos. I still didn’t touch the system, but it was an interesting place to watch and learn from. The CMT is the device my colleague Phil wrote about, and manages not only the IFE but also plenty more.

It’s good to ask

On another occasion, I had a full explainer of an in flight messaging system used by the cabin crew for communications with the airline’s ground systems. Now, I already knew much of the technical detail, but understanding how it’s actually used in the real world makes all the difference. It didn’t take much to figure out how one could cause issues, if one was so minded.

Asking open questions of the crew about the Flight Attendants Panel (FAP) has also been revealing. Also, whilst looking for a friend on a flight, the crew let me flick through their iPad containing the electronic Passenger Information List or ‘ePIL’. I quickly found their seat on the list & headed there for a chat and a drink.

That data set is sensitive though – whilst my reasons were legitimate, I shouldn’t have been given access to them. I doubt I would have been given access if I hadn’t been talking to the most senior crew member on board, who was of course looking after premium customers.

I’ve heard stories of others asking for crew to charge their phone, as the USB charging point in their seat not working. I suppose that’s one way to get a rogue device plugged in to a system on the AISD.

Physical security controls for cockpit access are also interesting. I was ‘up front’ with my family on a short haul flight a couple of years back, using a lot of frequent flyer points accumulated through too much business travel. As a result of a short delay with departure, the captain kindly invited my kids and I to the cockpit. My children were fascinated and asked all of the right questions. In the meantime, I was asking about and got a quick tour of the EFB and other systems. Hands off, of course!

Learnings

Cabin crew are the first line of defence for physical systems on board. Personally, I don’t think that the responsibility for security should sit with them. Systems should be designed to be secure from the outset and facilitate easy authentication and system locking.

That said, we have to accept that airplane systems take a long time to update, so we have to deal with legacy systems. In this case, we have no option but to train the crew about threats from the social engineer. Just because a passenger has paid for a premium seat doesn’t mean that they can be trusted.

RJ45 ports, USB ports with data lines connected, even floppy disc drives and CD-ROMs are sometimes found. These systems need to be physically secured. It’s not enough to put that burden on to the cabin crew, given that they will be away from the FAP / CMT etc during busy times such as meal service.

Premium and loyal customers are good revenue generators for airlines. We shouldn’t let this cloud the need to keep airborne systems safe and secure.

If you see something untoward on board, perhaps someone interfering with a system that they probably shouldn’t be, I think as responsible passengers, we should be raising this politely with the cabin crew.

Airline Crew SEP Training

Every year cabin crew re-do their SEP (Safety Equipment & Procedures) training. This often covers hijacking, in particular the methods hijackers use to gain information/detail on cabin crew positions and timings etc.

The training covers awareness of shady characters asking odd questions or looking into areas they shouldn’t, but the emphasis on all of this is hijacking.

It wouldn’t take much to include cyber security in this training, as it’s similar techniques being used to obtain related information.