Relies very strongly on simple airgapping. Can't do anything to it if there's no wires in the direction you want. Can't remotely hack if there's nothing antenna connected that can talk to flight control. It has the luxury of not needing to do the "limited RCE" that is a modern web request
Reminds me of an episode of Leverage where they wanted to hack into Congress and change the text of a bill. In the show, it turned out everything was airgapped so they had to send a person to drop off a paper copy of the compromised bill. Hmm, that was also a plot line in Better Call Saul.
In the article above, in-flight wifi has an API reporting position, altitude, and velocity. That is a feed from avionics, which renders the claim of airgapped systems essentially null.
They could, for the sake of a ridiculous but clear example, have a display hooked up to the avionics and a camera hooked up to a separate computer which reads the values.
There are various ways of connecting systems while physically guaranteeing one way data flow—a fiber optic link with the transmitter removed from one end and the receiver removed from the other is basically a less silly “camera pointed at a display” and used in the real world.
You could argue the exact semantics of “air gapped”, but for the discussion here that’s accomplishing the same thing. The fact that the passenger network has some visibility into the avionics network is not, in and of itself, any indication of an issue.
The plane has a transponder that reports this information to the ground, ATC, other aircraft etc. The infotainment server has a receiver that gets this data. Or in some cases they instead pull it from a ground based service via the internet. The transponder is not able to receive signals, so it is air gapped.
A quick review of published information reveals this claim as false. A typical airliner FMS feeds information to IFE via gateway devices. The integration is intended to be one-way. Airgapped they are not.
Such analytical delusions are the first step on the road to failing to adequately mitigate threats. As practiced by “it can’t happen here” school of fucking up.
Fortunately, it seems far more likely that aircraft system designers do not rely on any such assumption, and practice defence in depth. There was a good talk at DEFCON 22 by Phil Polstra on the matter.
