Compromising vital infrastructure: air traffic control

Compromising vital infrastructure: air traffic control

While most of us know that flying is the safest mode of transport, we still feel that sigh of relief when the plane has made its landing on the runway and we can text our loved ones that we have arrived safe and sound. Accidents may be rare, but they’re often shocking and horrific and accompanied by the loss of many lives. Unfortunately, they also tend to make the news, which only heightens fear.

In this blog post, we look at the dangers related to flying from a cybersecurity perspective. As we know, cybercriminals are motivated mostly by money, power, and ego—and messing with air traffic and air traffic control can boost any of those factors. While the majority of these cybersecurity incidents result in data breaches, make no mistake: Attacks on this vital infrastructure could lead to much more grim consequences.

Air traffic control

Air traffic can roughly be divided into four general categories:

  • Public transport
  • Cargo and express freight
  • Military operations
  • Smaller aircrafts (recreational, training, helicopters, and drones)

Organizations like the ATO and EUROCONTROL manage the air traffic across entire continents, communicating with commercial and military bodies to control the coordination and planning of air traffic in their designated territory. These organizations work closely together, as there are many intercontinental flights that pass from one territory to another.

Air traffic control organizations need to react quickly to incidents, and their instructions should be followed to the T. They need flawless communication to work properly, as they are crucial to maintaining the normal flow of air traffic. Therefore, these organizations and their related systems are heavily computerized. This makes them primary targets for cyberattacks.

Public transportation

Using airlines as a means of public transport brings with it certain security-related dangers. Online bookings have led to many data leaks. Recently we have learned about breaches at Cathay Pacific, British Airways, Arik Air, and Air Canada. Some of these breaches were website hacks. Others only concerned users of mobile apps.

Another privacy-related cause for worry is the type of information displayed on an airline ticket or boarding pass. Some people post pictures of their tickets on social media, and the Aztec codes used on those tickets are easy to decipher. This can provide a threat actor with a wealth of personally identifiable information, such as payment method, confirmation numbers, names, and addresses.

Travelers should also pay extra attention to spam that comes in looking convincingly like a ticket confirmation. This type of spam has been around for a few years, and is usually easy to discard—except when you actually happened to have booked with the same airline being spoofed.

For more travel safety tips read: Tips for safe summer travels: your cybersecurity checklist

Air cargo

Air cargo is by definition always in a hurry. If delivery of the cargo wasn’t urgent, it would have been put on a less costly mode of transportation. This makes shipment information valuable to both thieves and scammers. How often have you received a phishing mail claiming to be shipment information from one of the major express freighters such as DHL, FedEx, or UPS? If a threat actor were to know you were expecting air cargo or an express delivery from a particular company, these blind attempts could become more targeted and efficient.


In warfare, competition for air supremacy is fierce. It is defined by the USDoD and NATO as the “degree of air superiority wherein the opposing air force is incapable of effective interference.” There are several levels of control of the air, but the general idea is that air supremacy is a major goal on the way to victory.

In modern warfare, you can expect every side to try every possible way to gain control of the air, including cyberattacks on the enemies’ air traffic infrastructure. In such a scenario, the infrastructure includes planes, aircraft factories, airports, air traffic control, and the lines of communications between all of them.

Recreational use of the airways

Interfering with recreational air traffic may not be a target for cybercriminals, but recreational traffic can, and has been known to, hinder other forms of air traffic. Drones have been reported in hundreds of near misses with commercial air liners, and one even managed to land on the grounds of the White House. Considering that the number of drones is expected to grow exponentially in years to come—with increasing commercial use-cases, such as delivery, photography, inspection, and reconnaissance—expect more interference problems to emerge.

Drones come in many forms and shapes, and the same is true for their level of security. But you can readily assume that most of them can be remotely hacked. In the US, drone operations are not allowed within five miles of an airport unless they inform traffic control. One would expect these rules to become stricter as we proceed.

Terrorist attacks

Aircrafts have been hijacked by terrorists in the past, the most famous example being 9/11, where terrorists snuck their way onto four different aircrafts, incapacitated the pilots, and flew the planes into the World Trade Centers, Pentagon, and crashing into a field in Pennsylvania. These physical, in-person hijacks are the reason for the extensive security measures that you encounter at every major airport.

But hijackers don’t have to be physically present to cause huge damage. As demonstrated in the past, aircrafts can be hacked remotely and malware can infect computer systems in the aircraft.

Ransomware victims

Like any other industry, you will find many ransomware victims in the aviation and air traffic sector.

The flight information screens on Bristol Airport went dark after the airport’s administration system was the subject of a cyberattack. The attack was suspected to be ransomware, although I could not find official confirmation for this. In this case, flight operations were (thankfully) not affected.

Boeing was one of the many victims of the WannaCry attack in May 2017, even though the attack was played down afterward, since the production lines had not been disturbed.

As mentioned in an earlier blog, air and express freight carrier FedEx has been a ransomware victim twice: once through their TNT division hit by NotPetya, and once in their own delivery unit by WannaCry.

Targeted cyberattacks

A targeted attack was suspected when malware was found in the IT network of Boryspil International Airport, located in the Ukraine, which reportedly included the airport’s air traffic control system. Due to rocky relations between Ukraine and Russia, attribution quickly swerved to BlackEnergy, a Russian APT group held responsible for many cyberattacks on the Ukraine.

Ukranian aircraft builder Antonov was also a victim of NotPetya, ransomware that was suspected of targeting Ukrainian users. In hindsight, it may just have looked that way because the malware was spread with software update systems for a Ukrainian tax accounting package called MeDoc.

Budget concerns

In 2017, the Air Traffic Control Association (ATCA) published a white paper issuing the following warning:

Where budgets are concerned, cybersecurity is treated reactively instead of proactively.

This was after a 2016 report by the Ponemon Institute that found organizations did not budget for the technical, administrative, testing, and review activities that are necessary to operate a truly secure system. Instead, at least two-thirds of businesses waited until they had experienced a cyberattack or data breach to hire and retain security vendors to help.

The budgeting process for systems architecture in the aviation industry does not account for built-in security. It would certainly make sense to include it if we want to protect our passengers and cargo making use of this vital infrastructure. It would even be more cost effective, since retroactively securing a system after an attack is usually much more expensive than preventing one.

So, while the physical security on airports has been tightened significantly, it would seem the cybersecurity of this important infrastructure still needs a lot of work, especially when you consider the sheer number of cyberattacks on the industry that have taken place in the last few years.

Those in the aviation, air traffic, and air cargo industries need to include cybersecurity in their budget and design proposals for 2019, otherwise the excrement might really hit the propeller.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.