There is no path INTENTIONALLY provided for the aircraft’s vital systems to get info from the internet. Someone may have exploited a flaw in the system and provided that necessary link via their own computer system...................
Perhaps not intentionally provided, but its there nonetheless.
There is a gent named Hugo Teso, a commercial pilot, who wondered whether you could treat a commercial heavy aircraft like you would a computer on the internet.
He’s part of a company called n.runs Professionals, and they do security research.
In April 2013 he gave a presentation for the BlackHat conference that not only shows you can do it, he did it, and he details the exact steps for doing it.
These aircraft use the Automatic Dependent Surveillance-Broadcast (ADS-B 101) which is a ‘radar substitute’. It has a data rate of 1Mbit/sec, and its used for locating and plotting large targets.
It can be exploited either for passive surveillance or you can do message jamming, replaying, or injection.
It has no security on it as late as April 2013.
Then there is ACARS 101 - the Aircraft Comms Addressing and Reporting System, which is a digital datalink for transmission of messages between aircraft and ground stations.
Monoalphabetic cyphers are as sophisticated as the security on that system gets. It can be accessed worldwide and you have access to detailed flight and aircraft info.
Then there is the FMS, the Flight Management System. This was the basis for the demo. n.runs bought an FMS off of e-bay. They bought an ACARS for around $10.00 used. They bought an FMS training package that uses actual aircraft codes for $90.
They then used a Software Defined Radio - works like a hardware radio except that the hardware components are implemented by means of software.
The Flight Management System is the link to Inertial Reference, Air Data, Nav Receivers, Engine and Fuel Systems, Surveillance Systems, Flight Controls, Aircraft Displays, the MCDU, and the air to ground data link. It’s bi-directional, meaning you can read from and send to all of those component flight systems.
So, if you understood none of that, the plane is as secure as the WiFi at Starbucks and you can read from and send data to any system connected to the FMS, including the autopilot.
That doesn’t mean this is what happened here, but it does mean that, currently, you average commercial heavy is as secure as a pallet of heroine in Detroit on Devil’s night.
www.48bits.com is where you can investigate Hugo Teso. I sourced this from his powerpoint preso from BlackHat.