The Daily Telegraph

Boeing hit with safety alert over possible flaw in plane landing app

- By Gareth Corfield

BOEING has been hit with a worldwide safety alert after British security experts say they discovered a possible flaw in its software used by pilots in take-offs and landings.

A global “safety alert for operators” was issued by the US Federal Aviation Administration earlier this month after researchers found an issue with Boeing’s Onboard Performance Tool (OPT), a mobile app that pilots can use to make safety calculations before take-off and landing.

The tool uses data on metrics such as weather and weight to help make calculations for planes leaving and returning to the tarmac. The possible flaw meant hackers could tamper with critical data and trick pilots into using the wrong settings, potentially causing a crash.

Pen Test Partners, based in Buckinghamshire, discovered the potential issue and reported it to Boeing. Ken Munro, boss of Pen Test Partners, said its findings showed that the mobile app could have been “calculating and putting out the wrong data” to pilots.

A Boeing spokesman said: “We are committed to evaluating original research that is conducted and shared in a responsible manner and thank Pen Test Partners for their professionalism and collaboration.

“While we are not aware of any aeroplane affected by this issue, our team released a software update and service bulletin to our customers last year to further enhance security and minimise the already-low risk of interference.”

The disclosure comes as the US aviation giant seeks to recover from issues with its 737 Max aircraft, which were grounded in 2019 in the wake of two fatal crashes that killed 346 people.

Pen Test Partners’ research found that a vital database in OPT was not locked down to prevent unauthorised changes. The database records the length of runways at airports. Hackers could have silently modified it to increase the risk of pilots crashing while trying to take off or land.

Flaws in safety-critical airline software have come under scrutiny in recent years. One blunder came to light after an Air Accidents Investigation Branch report last year revealed how the airline Tui was using software that recorded travellers who used the title Miss as children instead of adults.

The programming flaw caused weight calculations to be wrong, in turn making pilots use the wrong settings because they mistakenly thought their aeroplanes were lighter than they truly were. Tui said it had upgraded its systems after the problem was reported to it.

Penetration testing, the type of security research carried out by Pen Test Partners, is where engineers examine a piece of software for flaws that could be abused by hackers and recommend ways to fix them. British expertise in “pentesting” makes up a significant part of the £10bn UK cyber security industry.

Traditionally a cautious industry, aviation has been slow to embrace the tech industry’s ways of working on cyber security. Pen Test Partners said it took two years to fix the flaws because of the number of regulatory approvals required to change the OPT tool.

Many security researchers have tried to show that airliners are vulnerable to being hacked over the past decade. A company called Ioactive claimed in 2019 that the Boeing 787 was hackable, though Boeing called it “irresponsible and misleading” because Ioactive had used a partial copy of the airliner’s software that it found online.

Despite the large number of computerised systems on modern airliners, experts say it is all but impossible for hackers to take control of them as pilots can simply shut off affected computers and fly the aircraft manually.
