Ministry of Civil Aviation should explain security of proposed WiFi on airplanes scheme

Yesterday, the Ministry of Civil Aviation made a public announcement that in about 10 days, passengers in Indian air space may be allowed to connect to Internet through a WiFi connectivity on the airplane.

It must have appeared exciting to hear a seemingly technological advance and several people who heard the official clapped at the announcement.

Unfortunately, it rang alarm bells in my mind as to the new kinds of risks that the ministry is hoisting on the air travel and a doubt if the known risks have been hedged.

It is time for an immediate RTI to be filed to enquire if a proper Information Security Audit has been conducted by the appropriate authorities before this service has been contemplated. (I request any of my friends in Delhi to immediately file an RTI with the Ministry of Civil Aviation and DGCA)

It is expected that the WiFi system could be similar to what is being used in USA and involve either

a) connectivity through mobile towers on ground which connect to a WiFi router on board

b) connectivity through a satellite link that connects to the WiFi router on board.

In either case, the service will be priced (could be prohibitive) and therefore there will be a log in to a specific website from which the access will be authorized to the router.

At present it is expected that the bandwidth will be low and will be shared by all the persons on board.

(More details of the technical aspects would be known once the service is announced)

While it is clear that in long haul flights, it may have value to have connectivity to send and receive e-mails or messages or even browsing some websites for urgent work, it is necessary for us to consider the risks that this proposed system would bring in to the Indian fliers.

The risks are of two types.

  1. Risk that one user of the WiFi network may be vulnerable to another user hacking into his computer. This could result in data leak as well as ransom ware attacks. In case of corporate customers carrying sensitive files in their computer and e-mails, this is a huge risk and necessary of being addressed in the Information Security policy of the organization. (To say… “Use of on-board WiFi not allowed”).
  2. Risk that a hacker on board or otherwise hacking into the communication systems of the plane and causing a terror attack which may crash the plane.

Some of these risks can perhaps be mitigated by securing the WiFi router adequately and segregating the communication network of the plane from the WiFi network. However, this is more a theoretical exercise and in practice, it is not possible to fully secure the system against hacking.

The admission of Mr Chris Roberts who hacked into a plane’s engine through its entertainment system and made it to execute a “Climb” unauthorizedly should open the eyes of anyone who thinks that security will be adequately managed by the airline staff.

The truth is that if we provide a single strand of entry to a hacker anywhere near the critical system, he will find a way to get in completely. The WiFi router could be one such entry point through which the hacker can enter and cause damages both to other passengers and to the air craft itself.

It is therefore not prudent for the Indian Civil Aviation authorities to introduce the WiFi on board.

I therefore call upon the Ministry to withdraw the pronouncement or clarify through a public statement what security measures have been initiated in this regard and who is accountable in case of a breach of security.

Naavi

Related Articles:

How does airplane Wi-Fi work? And will it ever get any better?

How Does In-Flight Wi-Fi Really Work?

 A look at the security of Wi-Fi on a plane: 

Midair Hack Shows the Dangers of In-Flight Wi-Fi:

Wi-Fi security – can inflight internet REALLY hack planes?

FBI: Hacker claimed to have taken over flight’s engine controls: 

Aviation experts dispute hacker’s claim he seized control of airliner mid-flight

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.