Close
Open Search

Can Someone Really Hack an Aircraft SatCom via an In-Flight Entertainment System?

Wed, 10/01/2014 - 12:00 admin

By the time this article is published, most of the aviation world has read about the statements of cyber security researcher Ruben Santamarta who claims that he has figured out how to hack the satellite communications equipment on passenger jets through their Wi-Fi and inflight entertainment systems — a claim that, if confirmed, could (and should) prompt a review of aircraft security. This claim was presented at the Black Hat annual hacker conference in Las Vegas in August, and a white paper was actually published earlier by this researcher’s firm, IOActive.

What Claim Is Being Made?

Many of Santamarta’s claims have been rebuked by the satellite communication vendors whose products he identified in his report (which can be found at https://www.blackhat.com/docs/us-14/materials/us-14-Santamarta-SATCOM-Terminals-Hacking-By-Air-Sea-And-Land-WP.pdf). This includes avionics from many of the largest vendors of communications equipment, such as Cobham Plc, Harris Corp, EchoStar Corp’s Hughes Network Systems, Iridium Communications Inc. and Japan Radio Co. Ltd. He claims to have to uncovered vulnerabilities by reverse engineering firmware from these products using publically-available data, manuals, etc. These vulnerabilities would allow a hacker to use a plane’s onboard Wi-Fi signal or inflight entertainment system to potentially disrupt satellite communications, which could interfere with other aircraft’s systems that depend upon SatCom.

One particular vulnerability that Santamarta found in equipment made by all five manufacturers he identifies is the use of hardcoded logon credentials, which allows multiple persons to access a plane’s communications system using a single username and password. By reverse engineering the equipment’s firmware, hackers can obtain login credentials and penetrate each system using these credentials. The vendors who publicly responded (in other articles) noted that an attacker would need physical access to such equipment to make use this particular vulnerability. This is true, but it is still a bit disconcerting that such devices apparently only have one set of logon credentials for all users of their products on a global basis. (This is a guess based upon what was presented — hopefully this is wrong.)

To summarize the other key findings, the main issues are the use of undocumented and/or insecure protocols (those that pose a security risk), weak password reset capabilities (mechanisms that allow resetting others’ passwords), and the use of backdoors (mechanisms used to access undocumented features or interfaces not intended for end users). Each of these should have been caught in a security assessment test prior to the product(s) reaching market.

He has simulated such attacks/access in a laboratory environment, but not in an operational situation.

After documenting these and other findings, IOActive apparently approached the U.S. government CERT Coordination Center and the vulnerable vendors identified to help remediate all security findings uncovered in the lab testing phase of IOActive research. In fact, IOActive provided them several months to enact changes prior to publishing its findings, in order to mitigate the risks to the industry. Other articles have quotes from a number of these named vendors which dismiss some of the claims, or their severity, but also providing some acknowledgement. In fact, an actual operational environment differs greatly from the virtual lab environment, so Santamarta’s findings, while interesting, are not exactly as severe as they first seem, while other issues may not be possible to duplicate in an operational situation in an aircraft.

What Does This Mean to the Aviation Industry?

Anyone who understands how modern avionics systems are designed, integrated, managed and supported will be able to find significant issues with this researcher’s approach and findings. There are many, to be sure — but there are also red flags that should not be ignored. Let’s concentrate on those.

We have reached a point where new eEnabled aircraft have begun entering service, where iPads and other off-the-shelf consumer-industry devices are taking over cockpits/cabins/maintenance bays, and where wireless communications are replacing hard-wired communication capabilities. We are also preparing for NextGen, and it’s GPS-enabled, ADS-B-augmented, data-driven operations will replace voice as the primary means to route commercial aircraft. Legacy aircraft are being retrofitted with updated avionics and communications capabilities which also increase risks in general since no two aircraft configurations are ever exactly alike, as well as due to the enlarged complexity of the aviation ecosystem.

The research that uncovered some of the security flaws was based upon performing analysis in a laboratory setting, and in fact, they did not actually have access to many of the named systems at all. They created simulations based upon downloaded firmware, information found in documentation and press releases, and other available data. This is quite impressive in itself and also quite repeatable by those with ill intent.

The results of these simulations are what is found in the published paper and follow-on presentations, neither of which can be considered conclusive and comprehensive security testing results.

With that said, it is inexcusable that a cyber-security researcher with no specific experience with aircraft (or the other transportation modes identified in his paper) is able to find significant flaws with critical communications systems. The vendors identified in his report should be holding their engineering teams responsible for not performing more invasive and comprehensive security testing on their products, as well as for not identifying more stringent security requirements in the requirements/design phases of the product development cycle in the first place. No complex product is ever without flaws, but flaws of omission are still flaws.

Most on-board systems use embedded software to provide functionality, and thus differ from desktop PCs in how security solutions can be implemented. “Mission-critical systems, such as an aircraft onboard communication, navigation and surveillance (CNS) systems, cannot rely on standard cyber security commercial products such as anti-virus or signature based intrusion detection systems (IDS), due to the nature of their embedded operating systems and application code. They are simply not up to the challenge of defending against many of today’s cyber-attacks,” according to Alan Gallagher, president of Virtual Security International. Other avionics and aircraft on-board systems have similar issues, in that purpose-built software for specific functionality is unlike general-purpose operating systems such as Windows-based computers, which can host security applications with continuous updates to virus definitions, malware protection or firewall applications.

Since embedded systems need to have the same level, or higher, degree of safety and assurance, avionics vendors should be performing complete line-by-line code review and risk assessment of their software (which all do, but perhaps not enough from a security perspective). According to various industry sources, the software development industry average rule of thumb is that every 1,000 lines of code will have 10 to 50 bugs (possible vulnerabilities). For example, a stripped-down specialized version of Linux can eliminate all unnecessary services such as printing, USB drivers, keyboard/video, etc., dramatically reducing the number of lines of code and the security risk while increasing speed and performance. Microsoft’s average is 10 to 20 bugs per 1,000 so a Windows operating system containing 90 million lines of code can have up to 1,800,000 bugs when introduced into the market.

The FAA and the industry standards bodies need to identify more comprehensive guidance and policies for identifying and mitigating potential cyber security issues with all on-board and support systems.

What Needs to be Done To Remedy This Situation

Thankfully, it is not very feasible for anyone to easily access critical aircraft systems via the IFE, since in-flight entertainment systems are either physically or virtually walled off from such devices. Some aircraft use virtual private networks (VPNs) to separate various networks in an aircraft, which are generally safe from cyber issues (but, in full disclosure, not completely).

Another typical approach is the use of network extension device (NED) which is a networking solution that enables data transfers between avionics systems and IP-based equipment (such as IFE systems). These NEDs enforce network security via firewalls and manage communication systems and high-speed datalinks to provide connectivity between an aircraft and ground/satellite networks.

Aircraft are generally safe from cyber-attacks emanating from IFE systems. Wireless access to an IFE system has some degree of built-in security by the IFE vendor, in addition to the security provided via VPNs/NEDs/aircraft networking equipment. USB ports on some seatbacks are becoming an issue since researchers have uncovered vulnerabilities with all such ports. (This is a specialized emerging topic for another day.)

In general, it can be said that modern aircraft, avionics and their ground systems have not kept up with the cyber security risks that have emerged in recent years. IFE systems are merely part of the equation here, with other systems being a higher risk. Part of this is a legacy issue where aircraft used to have completely separated data communications (no longer true in some newer-build aircraft), where avionics systems had minimal computer interfaces (not anymore, especially with Ethernet-inspired data busses such as AFDX /ARINC 664), and where it was tolerable for industry best-practices and FAA guidance to lag behind technology to some degree. This is no longer acceptable. It is time for a change.

While it is not feasible for the world’s aviation regulatory authorities to be able to provide guidance regarding new technologies and how safety issues are mitigated prior to the launch of modern software-based avionics and aircraft, such guidance must evolve to encompass cyber issues much more swiftly than it does today. Regulatory authorities need to ensure that security requirements are addressed in the initial stages of a product design, and that qualification and certification testing includes cyber security assessments/checks/tests/etc. In fact, if an avionics or aircraft manufacturer does not have such capabilities, perhaps they should be required to use third-party testing services.

Industry groups such as ARINC/SAE and others also need to provide more timely guidelines to the manufacturers as well. There are various efforts happening in the U.S. and EU to address such concerns, but we are obviously not quite there yet. These efforts needs to be sped up due to the looming deadlines of not only NextGen and SESAR (among other air traffic management systems in other parts of the world) coming online, but also due to the forthcoming entry in the airspace of drones in 2015. Many of the larger drones will depend upon similar communications gear as what manned aircraft will utilize, not to mention their reliance on ground and satellite communications systems.

As readers of this aviation maintenance magazine, what can you do to mitigate such risks as identified here?  Plenty. Here is my list:

1.  Review any components contained on the aircraft you are responsible for, and those with software/firmware, ensure that they are up to date (just like you do with your home PCs, where Microsoft Updates are performed automatically, and your antivirus software is also constantly updated ... right?).

2.  I would highly recommend that you contact the manufacturers of critical systems you have to express concerns outlined in the white paper from the cyber security researcher earlier in the article, and read Santamarta’s entire white paper. You might not care about everything identified, but you need to be aware of how a hacker might operate. This is invaluable information, especially since the lab environment used is not far off from a maintenance environment where you would have physical access to some of the systems mentioned in the report.

3.  Consider bringing in cyber security experts to perform more in-depth testing of critical systems under your purview. This includes any on-board systems you might have concerns with, but, just as importantly, your ground-based support and IT systems. A comprehensive network architecture risk assessment of all internal and external system connections and all other trusted and untrusted interconnecting systems should be performed. This sounds overwhelming, but, security professionals have a good understanding of how to do this.

This list could go on, but let’s start with these three identified major sets of tasks.

Wrap-up

The aviation industry has historically required high quality and safety in all aviation systems and components. Current business drivers are forcing avionics vendors, airlines and airframe manufacturers to integrate new technology solutions which include commercial off-the-shelf products, into the aircraft without a true understanding of the inherent risks involved.

According to Alan Gallagher, “Onboard devices or applications must be held to a higher level of cyber security assurance than a standard commercial product, much higher. We are currently courting with disaster.” Gallagher recommends a very detailed and comprehensive risk assessment and analysis by non-aviation industry independent cyber security subject matter experts for existing products and applications. Perhaps the FAA can incorporate such an approach into the certification process in the future.

It’s all about software in the end. The ultimate long-term solution is to reduce the vulnerabilities in the original code of all software-based products by developing secure coding languages, standards, methodologies and automated security testing applications. The problem is that this is all expensive and at this point in time the aviation industry does not appear to be prepared to handle the issue of cyber security threats properly. We might be fairly secure from an attack launched via an IFE system, but there are many more entry points in aircraft and support systems for those with ill intent and the knowledge to apply it.  

John Pawlicki is CEO and principal of OPM Research. He also works with Information Tool Designers (ITD), where he consults to the DOT’s Volpe Center, handling various technology and cyber security projects for the FAA and DHS. He managed and deployed various products over the years, including the launch of CertiPath (with world’s first commercial PKI bridge). John has also been part of industry efforts at the ATA/A4A, AIA and other industry groups, and was involved in the effort to define and allow the use of electronic FAA 8130-3 forms, as well as in defining digital identities with PKI. His recent publication, ‘Aerospace Marketplaces Report’ which analyzed third-party sites that support the trading of aircraft parts is available on OPMResearch.com as a PDF download, or a printed book version is available on Amazon.com.

About D.O.M. Magazine

D.O.M. magazine is the premier magazine for aviation maintenance management professionals. Its management-focused editorial provides information maintenance managers need and want including business best practices, professional development, regulatory, quality management, legal issues and more. The digital version of D.O.M. magazine is available for free on all devices (iOS, Android, and Amazon Kindle).

Privacy Policy  |  Cookie Policy  |  GDPR Policy

More Info

Joe Escobar (jescobar@dommagazine.com)
Editorial Director
920-747-0195

Greg Napert (gnapert@dommagazine.com)
Publisher, Sales & Marketing
608-436-3376

Bob Graf (bgraf@dommagazine.com)
Director of Business, Sales & Marketing
608-774-4901

Powered by Drupal
Designed by Tews Interactive, Inc