Experts working with Homeland Security remotely hacked into a Boeing 757 parked at a New Jersey airport — stunning a group of pilots who had no idea their planes are vulnerable, according to a report.
Homeland Security cyber-sleuth Robert Hickey told Aviation Today that his team hacked into the controls of the commercial jetliner, which the department bought on Sept. 19, 2016, and parked in Atlantic City.
“Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Hickey, a manager in the Cyber Security Division of the DHS Science and Technology Directorate.
“I didn’t have anybody touching the airplane, I didn’t have an insider threat,” he said. “I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”
Noting that details of their hack and their research are classified, Hickey told attendees at the CyberSat Summit in Tysons Corner, Va., last week that they accessed the plane’s systems through radio frequency communications.
Experts initially reacted by saying, “We’ve known that for years” and “It’s not a big deal,” Hickey said.
But during a technical exchange meeting in March, he said seven captains from American Airlines and Delta Air Lines had no clue.
“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey said.
President Trump’s personal jet is a 757, as is the plane Vice President Pence often uses, including on his recent trip to Texas, according to CBS News.
Mark Rosenker, former chairman of the National Transportation Safety Board, told CBS that “the 757 hasn’t been in production since 2004, but the aging workhorse is still flown by major airlines like United, Delta and American.”
The cost to change one line of code on a single avionics component is $1 million — and it takes a year to implement, according to Aviation Today.
Hickey noted that newer models of 737s and other state-of-the-art planes, like Boeing’s 787 and the Airbus A350, have been designed with security in mind.
He added that there are no military and commercial maintenance crews that can deal with ferreting out cyber threats aboard planes.
“They don’t exist in the maintenance world,” said Hickey, who was an airline pilot for more than 20 years.
Boeing, which observed the testing and was briefed on the results, said in a statement: “We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft,” according to CBS News.
An official briefed on the test does not believe it revealed an “extreme vulnerability” to jetliners because it required a very specific approach on an older aircraft with an older system.
The official added that it was good to know about the hack, “but I’m not afraid to fly.”