Evidence:
There is an application for a search warrant documented in court by FBI that a US hacker named Chris Roberts hacked into the electronic entertainment systems of airplanes [1] and that he had taken control of an airplane’s engines mid-flight using his laptop and an Ethernet cable [2]. Chris Roberts had also earlier claimed that he had changed the temperature of the International Space Station in 2012 [3]. Source: 1, 2 and 3.
He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or "hacking" the airplane’s networks. He used the software to monitor traffic from the cockpit system Source:1, 2.
However, the plane manufacturing company had denied the allegations.
One of the plane manufacturers has cast doubt on the hacking claims. Boeing said its entertainment systems are "isolated from flight and navigation systems." The company further said that it does not discuss its planes' design features for security reasons, but said, "It is worth noting that Boeing airplanes have more than one navigational system available to pilots. No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations. Source: CNN
Pilots also note that one cannot access flight management systems by hacking the IFE system.
J. Mac McClellan, a pilot and former editor of Flying magazine, told Mashable via email, "The claim that engine control was hacked through the cabin entertainment system is preposterous. Engine control computers are called FADEC for Full Authority Digital Engine Control. The actual FADEC box... is independent of any other aircraft system. The bottom line is that aircraft electronics are very isolated and redundant not so much to avoid hackers, but to prevent any single failures [or] software bugs from endangering the airplane." Source: Mashable
Experts note that Roberts did not alter the thrust of the aircraft engine or the avionics system access and even if the data was transmitted from the inflight system back to the avionics system, the avionics system would not accept it since programmed inbuilt rules of the avionics system would stop it from accepting the In-Flight Entertainment Systems command data.
All of this appears to add up to the conclusion that there’s no way Roberts could have hacked the thrust controls of a plane and manipulated the aircraft, either through the IEF, the SATCOM or anything else. He says he asked Roberts pointblank if he had ever taken control of a plane inflight. “[H]e said no. He said things that would lead me to believe that he did it in simulation, not in a real aircraft,” Exner says. As for what he did during an actual flight, Exner says, “I doubt very seriously that he ever got beyond the IFE.” Source: Wired
Experts also believe Roberts also could not have accessed the satellite navigation system to change the aircraft's direction.
As the data bus for the IFE is not also used for communications or flight systems, at best Mr Roberts may have seen interference between the two systems, says David Stupples, professor of electronics and radio systems at City University in London. Data packets travelling on copper wires (common in older aircraft) may allow some messages to be seen, but probably only the meta-data, such as the origin and destination of the message, rather than the content itself, which is encrypted. The fibre optic architecture of modern aircraft will not suffer similarly. And anyway, to change an aircraft's direction Mr Roberts would have had to persuade it that he was the satellite navigation system. That entails spoofing the signals from up to 16 satellites at a time; a tall order suggests Mr Stupples. Source: Economist
A January 2015 study document by GAO found that there was weakness in FAA's cyber security that could be taken advantage by cyber criminals.
Firewalls protect avionics systems located in the cockpit from intrusion by cabin system users, such as passengers who use in-flight entertainment
services onboard. Four cybersecurity experts with whom we spoke
discussed firewall vulnerabilities, and all four said that because firewalls
are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. An FAA official said that additional security controls implemented onboard could strengthen the system. Source: GAO
European Aviation Safety Agency is also concerned that air traffic control systems (ACARS) used for the exchange of messages between traffic control towers and airplanes might be hacked by cyber criminals.
Hugo Teso also hacked the ACARS [1] and was able to disclose many on-board system vulnerabilities in a 2013 conference [2]. The experts highlighted that the airplane hacking was relatively easy because almost no security was protecting the communications between the aircraft and the ground. “The system’s weak point is that it doesn’t verify communication packages on the way from the ground to the plane,”, “Because of that, it is possible to spoof the system by inserting a new package along the way.” is the opinion expressed by Andrey Nikishin, head of future technologies projects development at Kaspersky Lab. Nikishin believes that an attacker can send bogus messages to the pilots affect their decision when flying: “Theoretically, a malicious user can influence a pilot’s decision to change the route, if, through the spoofing flow, he sends the plane a fake message about an upcoming storm,” , “The same malicious scheme could be applied to spoof GPS, making the system believe that it is located in a different place from where it actually is. Source: 1, 2
An attack forced LOT Polish Airlines to cancel and delay its regular flights in 2015 which is documented here.
A DDoS attack on the over-ground terrestrial telecommunication network caused the flight plan systems to go offline and forced the airline to cancel 10 flights and delay 12 others on its European routes, temporarily grounding 1,400 passengers at Warsaw Chopin Airport. Source: NYA International .
There is no evidence of hacking attacks providing access to flight management systems through connection port vulnerabilities.
Digital Security, a Russian security firm, studied 500 flights of 30 different airlines during five years and found out that there are security vulnerabilities on planes, and hackers have tried to exploit them in order to discover the potential of such hacks. If briefly summarized, there are certain entry points in the aircraft’s IT systems which are of interest for culprits: Flight Management System, Router of another networking appliance which facilitates communication between systems, for instance, SATCOM, a satellite communication server, Multimedia server, Terminal multimedia devices. The main thing: some aircrafts feature RJ-45 ports marked as “Private use only.” It’s possible that once connected through this port, a hacker would be able to access critical system elements. There is no evidence of such attack offering access to flight management systems, though. Source: Kapserky blog.
Meaning:
It is true that there is a significant cybersecurity threat in aircrafts if a single network bug is present which might be exploited by hackers to gain control of networks accessing critical components within the plane.
It's also possible that Roberts' security worries are overstated. As Patrick Smith, an active airline pilot and author, recently wrote in The New York Times, "The notion of the automatic airplane that 'flies itself' is perhaps the most stubborn myth in all of aviation. The idea that jetliners today are super-automated machines whose pilots serve merely as backup in case of an emergency" simply isn't true Source: ZDnet .
However, pilots still completely control planes during takeoffs and a significant high amount of landings contrary to the public's imagination of autopiloting and commandeering. Source: New York Times.
Before takeoff, the pilot will enter the route into the computer, giving it a start and end position and exactly how to get there. Throughout that route there are a series of points that the computer will note, each having its own speed and altitude. The autopilot does not steer the airplane on the ground or taxi the plane at the gate. Generally, the pilot will handle takeoff and then initiate the autopilot to take over for most of the flight. In some newer aircraft models, autopilot systems will even land the plane. "Automation is great but if there is a misunderstanding between the crew and the automation system, it can be dangerous," Robinson said. In that way, autopilot is similar to a car's cruise control. It can take over when you need it to, but you still have to be aware of what the car is doing and where it is going Source: CNBC.
Aircraft control systems have several backup systems or procedures to cope with emergencies.
Curtis says, "Because many aircraft systems have backup systems or backup procedures, it usually takes multiple failures to occur before those failures are considered catastrophic or potentially catastrophic." Ison of Embry-Riddle notes that aircraft today are so reliable that technical failures are highly unlikely in regular operations. In 75 percent to 80 percent of such cases, he notes, the error is human — either by the pilot or by air traffic controllers. Source: NPR
Airline organizations all over the world are aware and familiar about the threats to cyber security and are trying to reduce or eliminate such risks which are growing larger over time.
You will be familiar with the IATA Aviation Cybersecurity Toolkit which was updated in July this year. It is an invaluable resource for any business planning its cybersecurity countermeasures. But a toolkit or the efforts of any single entity will not be sufficient defense. Recognizing that, last December IATA, ICAO, ACI, the Civil Air Navigation Services Organization (CANSO) and the International Coordinating Committee of Aerospace Industries Associations (ICCAIA) agreed to cooperate on this issue. Our first task is the development of a Civil Aviation Cybersecurity Action Plan. It’s a start, but the threat is evolving every day. And we will only stay ahead by combining forces. There is much more still to come on the cybersecurity issue. It has tremendous potential to add even more value to our business. But every process that we automate, integrate or assist with technology invites a new vulnerability. So we must work together to ensure that progress is secure. Source:IATA
TL;DR: As of 2016, there is no documented instance of a hacker commandeering a plane but there have been claims of hackers accessing exploits in networks such as in-flight entertainment systems.
In the past, we have seen many security experts present possible attack scenarios, but never has an attacker made them reality. Source: Infosec institute
