Friday, November 23, 2018

Airline Ransomware Caused by Cell Phone


Wednesday’s ransomware attack on Flight 175 was caused by malware introduced into the plane’s avionics system via the first officer’s cell phone, according to Immanuel C. Securitage, spokesman for ECS-CERT, which is assisting the Federal Bureau of Inquiry in investigating the incident. The malware was introduced to the aircraft systems when the phone’s charging cable was plugged into a USB port on the flight deck.

ECS-CERT and FBI agents were able to access the Fieseler Fi133 yesterday evening, when airline maintenance personnel were finally able to shut down the aircraft’s engines while the aircraft was sitting just feet from the terminal’s gateway at Boston’s Logan Airport. The FBI is still interviewing the flight’s crew and passengers, who were offloaded after almost 24 hours on the aircraft.

The FBI has discovered that every member of the flight crew and cabin crew had the malware on their phones. It appears, according to Johnathan Quest, FBI spokesman, that the airline’s crew-scheduling website had been hacked, apparently just before this crew boarded their aircraft Wednesday, and had uploaded the malware to any device logged into the site.

Dade Murphy from Dragonfire reported that that organization, working with both ECS-CERT and the FBI, has found the malware on other Fieseler aircraft operated by the airline. Murphy reported that the malware was designed to trigger the shutdown of the Robotron Reichenberg control system when commands were initiated to move the aircraft backwards from the terminal gate. Dade commented that this would seem to indicate that the financial motive seen in most malware attacks was in play here. Murphy did admit that it would only require some minor changes in the software to cause the shutdown while the aircraft was in flight.

Securitage announced that ECS-CERT has confirmed that the malware has been successfully removed from the airline web site. The agency was working with the Federal Airline Administration to remove the malware from the avionics systems on affected aircraft. ECS-CERT and the FAA have issued an alert to other airlines and aircraft manufacturers about the attack, providing indicators of compromise and a detailed description of the attack methods to help prevent similar attacks on other aircraft avionics systems. Oscar Holmes from the FAA said that they were working on crafting additional safety and security regulations to prevent such attacks in the future.

The FBI said that they still have no information on who may have been behind the attacks.

Congressional hearings are scheduled for next week. No legislation is expected in the remaining weeks of the lame duck session. There are indications that multiple bills will be introduced in January in the 116th Congress to address aviation cybersecurity issues.
