Modern commercial airliners using the Next Generation (NextGen) Air Transportation System are vulnerable to attacks during flight by anyone who remotely takes over the plane’s Wi-Fi system, according to a report released Tuesday by the U.S. Government Accountability Office (GAO). The NextGen system is a modernization effort started in 2004 by the Federal Aviation Administration (FAA) to shift air traffic control from ground-based technology to satellites.  

“Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems,” the government agency said in its report. “Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors.”

According to the report, even planting a virus or malware in websites visited by the passengers could provide an opportunity to access the plane’s onboard information system through the infected machines. This risk is further compounded by the presence of smartphones and tablets in the cockpit, if these devices have the capability to transmit information to the aircraft avionics systems.

“If the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin,” the report warned, citing cybersecurity experts.  

In contrast to the FAA’s decades-old legacy communications infrastructure, which relies on point-to-point, hardwired information systems, the plans for NextGen call for an overarching system of interconnected systems.

aircraft hacking Legacy National Airspace System (NAS) ATC Systems Compared to NAS IP Networks. Photo: GAO

“The older systems are difficult to access remotely because few of them connect from FAA to external entities such as through the Internet. They also have limited lines of direct connection within FAA,” the report said. However, the NextGen programs are designed to increase interconnectivity with other systems and use IP networking to communicate within FAA. “According to experts, if one system connected to an IP network is compromised, damage can potentially spread to other systems on the network, continually expanding the parts of the system at risk,” the report added.

So, in theory, it is possible for someone with just a laptop or a smartphone to not only infect the plane’s computers with a virus, but also commandeer the aircraft and take control of its navigation systems.

In order to overhaul these cybersecurity weaknesses, the GAO recommended an “organization-wide threat modeling,” which includes, among other things, certification of avionics software and hardware, and ongoing monitoring of security controls following the deployment of the new system.