Malaysia Airlines Flight 370 may be the world’s first cyber-hijacking, according to a former scientific adviser in Britain’s Home Office.
Dr. Sally Leivesley, who trains businesses and governments to counter terrorist attacks, suggests that one explanation for the mysterious disappearance of the airliner is that someone used a remote device to turn off or overwhelm certain parts of the plane’s flight management system. She claims that it is possible for a hacker to access the main computer through the on-board entertainment system.
Investigators have concluded that the plane almost certainly veered off-course before disappearing as a result of instructions programmed into its computer. When and how the computer was reprogrammed remains a matter of speculation. Researchers have shown, however, that aircraft are potentially vulnerable to hackers.
Last year at the Hack in a Box conference in Amsterdam, security consultant and pilot Hugo Teso demonstrated how an airplane can be hijacked with an Android smartphone. Tapping into the system used for communication between aircraft and ground stations, he showed that it was possible to exploit vulnerabilities in flight management systems. Teso claims it is possible to alter a pilot’s display, or to change a plane’s speed, direction or altitude.
While Flight 370 apparently was diverted in mid-flight, security experts warn that aircraft are most at risk of an intrusion when they are entering or leaving an airport because of the number of computerized systems sharing information.
According to security professionals, more can be done to ward off potential attacks. The International Air Transport Association has warned that “Cyber terrorism poses especially serious challenges for airlines that will be taking delivery of the new generation of aircraft. In some cases, it may even require airlines to rethink the structure of their security and IT divisions.”
Apparently, traditional aviation insurance coverages will respond to the Flight 370 loss, regardless of whether a hacker or someone or something else was responsible for the plane’s disappearance. Allianz, the lead insurer, already has begun paying on the claim, even though the fate of the airliner still is uncertain.
More broadly, however, the intersection of the digital and physical worlds is still unsettled territory for insurers. A Lloyd’s of London report on cyber terrorism notes that the “the insurance market [has] yet to plug the gap between cyber and physical terrorism risk.”