Mitigating Cyber Threats on Business Jets

When was the last time you opened your email and didn’t see it loaded with spam? Or go a day without receiving a text asking you to confirm an account number or payment method? Like practically anyone with a smart device, you probably can’t remember. And it’s no surprise that phishing schemes have become part of our everyday lives.

And while not long ago, your aircraft’s cabin Wi-Fi was believed to be a safe refuge from cyber-threats—with firewalls protecting against the flow of phishing attempts through junk email—it isn’t anymore, if it was at all. Anywhere your personal connectivity device goes, phishing is sure to follow—and along with it, the threat of having your personal and business data stolen and possibly used against you.

“Today, the only secure cabin is the one with no data network at all,” said Josh Wheeler, senior director, entry-into-service and customer service for Gogo. “Cyber threats have grown and become multifaceted, and it’s all due to the growth of high-speed cabin connectivity.” The risk profile goes up as passengers can do more on their aircraft, such as real-time video conferences and video streaming.

“Hackers know that private aircraft carry very important and influential people, and that access to these high-net-worth individuals means access to their personal information,” Wheeler added. “And with so many C-level individuals using social media, it makes it even easier for hackers to find out where they are.”

Joshua Crumbaugh, founder and CEO of PhishFirewall, warned that this activity is no longer limited to bored teenagers or professional criminal hackers. “Unfriendly nation-states are 100% doing this right now, and it happens every time a high-value target lands,” Crumbaugh said. “If you are a defense contractor or an executive carrying sensitive intellectual property, your device and aircraft will be targeted.”

He further pointed to FBO vulnerabilities. “Most private FBO terminals are designed for convenience, placing the aircraft just a few hundred feet from public parking lots,” he explained. “With a Yagi [high-gain directional] antenna, a hacker can maintain a two-way connection with your aircraft’s network and sit there and pound away through the Wi-Fi, and you would never know they were there.

“If I were a hacker tasked with compromising a major corporation, I wouldn’t waste my time trying to break through their corporate firewall,” Crumbaugh added. “I would just wait for their Gulfstream to land at a private terminal and attack it from a distance.”

According to experts, many private aircraft require no password to access the cabin Wi-Fi. More often than not, the owner or CEO doesn’t want the added inconvenience of signing in.

Cyber Enemy Is Close

Claudio D’Amico, Viasat’s v-p of strategic market engagement, business aviation, explained, “As personal connectivity solutions have become more advanced, enabling a greater volume and diversity of devices onboard, so too have the number of access points for malware or a cyber threat of some form to be introduced into the aircraft’s network.”

A rough estimate says that there are some 8.8 billion connected devices, and Crumbaugh said, “While exact numbers vary widely, industry reports often suggest figures ranging from 10% to over 30% are infected with some malware, especially when considering all types of lower-risk adware and potentially unwanted programs. It’s an ever-present, evolving threat.”

Even if a personal device is completely clean, hackers have a range of tools to obtain the information they need. In today’s world, one of the most popular tools is phishing.

“Statistics show that email phishing schemes are growing at about 600%, year over year,” Wheeler said. “And in business aviation, I’d say it’s doubling each year, so it’s definitely a growing problem.”

Created to be pixel-perfect duplicates of familiar emails or texts, these phishing schemes usually ask a user to log in to confirm an account number or payment source, and they often have some pressure for you to act immediately—that’s a red flag.

Once the unsuspecting person is on the bad actor's website, they can not only collect all of the device’s data, but also plant a bug on said device, giving them access to its ongoing connections.

“You are inadvertently divulging where you are and who you may be with, and no, the hackers aren’t trying to take down aircraft—that’s not happening—what they want is passenger data,” Wheeler said. “Proprietary information, intellectual property, trade secrets, executive schedules, and the like.”

Digital Doppelgangers

As if cyber-pirates weren’t crafty enough, Crumbaugh said they’re upping their game with the use of sophisticated AI voice and video.

“I only need a few minutes of audio to create a deep fake impersonation of someone’s voice, and believe me, you can’t tell it apart from the real thing,” he explained. “And the audio is easy to get. I don’t know of many C-level executives who are not very public-facing, and that makes it easy to get the voice sample they need.”

Hackers can do more than most realize with a deep fake voice. Crumbaugh shared the following scenario: if the hackers know when the senior executives are on the airplane—and they do because they’ve hacked that person’s schedule—they can place a Zoom call to someone in the CFO’s department, and, using the executive’s voice, tell them they need to do an immediate wire transfer of a large sum of money to close a deal quickly.

While this might seem too much like a plot from an Ian Fleming book, a situation like that occurred involving a multinational financial institution, and the hacker’s take was a cool $25 million.

“It was a great example of the deepest level of fake, but it’s not that uncommon, Crumbaugh said. “We work with call centers for a Fortune 500 company, and they get these kinds of deep fake calls almost daily. The scary thing is that with AI, they can be automated, with no human interaction.”

Crumbaugh also shared that tech-savvy scammers are now starting to use AI-created videos to simulate kidnappings of people and even pets. As an illustration, he told a story about an executive receiving a video call showing her daughter being held hostage and demanding the immediate payment of her ransom. As the executive’s mind reeled with panic about what to do, her daughter walked into the room and asked what was wrong.

Protecting from Phishing

What can your flight department do to help keep its aircraft and passengers safe from cybercriminals? The first step, and often the most difficult, is to educate everyone who has anything to do with the aircraft about the dangers that come with the convenience of high-speed cabin connectivity.

“When it comes to approaching the aircraft’s owner or C-suite executives on the subject, we strongly advocate that flight departments use caution and diligence,” D’Amico said. “The increasing reliance on connected platforms for critical business operations and sensitive data means that understanding and mitigating cyber threats is no longer an IT concern; it’s a strategic business imperative.

“We firmly believe that an educated and engaged leadership team is critical for driving effective cybersecurity strategies across the organization. Perhaps the biggest mistake we see is a perception that cybersecurity can be an afterthought or that a one-size-fits-all approach is sufficient. It’s not.”

Experts say there are still a significant number of executives and aircraft owners who incorrectly believe that, because their aircraft is cruising at FL410, their data is secure.

One of the most critical aspects is educating C-suite executives on the fact that if they can see the internet, the internet can see them, and secondly, no network is secure if they leave the proverbial door open.

“What I’ve seen in so many instances is the more responsibility someone has, the less time they are going to spend on the little details,” Wheeler said. “It’s not that they don’t care, but cybersecurity is just one more thing they don’t want to think about because their IT provider is ‘taking care of it.’”

That’s why experts stress that C-level buy-ins are essential and that no one with access to the aircraft’s network should be allowed to bypass any available security protocols. Everyone must follow established protocols to use the aircraft’s Wi-Fi network, which may include:

• Use passwords, update them frequently, and never share them with anyone.
• Use multi-factor authentication for emails, VPNs, and everything else that requires login.
• Control AI use and ban pasting of sensitive company data into public tools.
• Train people by providing recurring updates on phishing, deep fake, and other cybercrime activities.
• Stop allowing passengers to log into the company network with their personal devices. If that’s not possible, require that their devices be scanned for bugs before use on the aircraft.
• Have a third-party service audit the aircraft and the flight department’s cybersecurity protocols.
• Talk to the connectivity service provider about the types of data security services it offers.

“We have to reevaluate what we are doing with our human element, because at its root, cybersecurity is not a technology problem, it’s a human problem,” Crumbaugh continued. “I know a lot of people will argue that, but I’ve seen hundreds of breaches, and I cannot find a single instance that cannot be tracked back to human error. If we can just stop making the simple mistakes— like clicking on the wrong email—we can stop being victims of cybercrime.”

Slow down, he advised. “In most cases, hackers are trying to use emotions like urgency, authority, and fear to get to you. If you can just step back and look at what the likelihood is that you not doing anything at all will turn out badly, you can free your mind up to make an informed decision.”

Wheeler added, “Unfortunately, cybercrime is not going to go away, and that’s something that most people don’t consider. There’s just a lot more opportunity, availability, and exposure to your personal and business information today than ever before. You need to be actively aware of what you are sharing with the world.”