A team of academics and private industry experts, led by DHS officials, remotely hacked a Boeing 757 airplane parked at an airport in Atlantic City, New Jersey.
The hack took place in September 2016 and was part of a controlled experiment. DHS owned the plane the hack was attempted on, and pilots had no knowledge that the research team was trying to break into the plane.
The DHS-led team said they didn't have physical access to interact with any system on the plane and all was done remotely via "radio frequency communications." The team needed only two days to come up with the hack and execute it.
The experiment came to light last week, on Wednesday, during a keynote at the 2017 CyberSat Summit in Tysons Corner, Virginia, by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
Hickey told the audience the hack's details and the team's work are classified, but they used "typical stuff that could get through security."
Aviation experts said they knew of the flaw exploited by Hickey and the DHS team, but seven experienced pilots at regular airline companies had no knowledge of the issue when they were briefed in a March 2017 issue.
"All seven of them broke their jaw hitting the table when they said, 'You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,'" Hickey was quoted by Avionics, an aviation news site that first reported on Hickey's conference disclosures.
Boeing has stopped mass-producing the 757 in 2004, but it's still one of the most popular planes in use. It and other older legacy models make up 90% of the current commercial flying airplanes.
Newer planes are built with security in mind and have better protection against such attacks. Studies have shown that changing a line of code in avionics equipment costs vendors around $1 million to implement and ship, so updates are few and far between.
President Donald Trump's personal airplane is a Boeing 757, and so is the plane that Vice President Pence uses.
In 2015, the FBI arrested a man who admitted to hacking commercial airplanes while in flight at least 20 times. The hacker, Chris Roberts, said he broke into the plane's systems via a WiFi flaw in the in-flight entertainment system and even interacted with engine controls.