5/20/2015
10:31 AM

Planes, Tweets & Possible Hacks From Seats

There are conflicting reports over whether security researcher Chris Roberts hacked into flight controls and manipulated a plane.

What started with a tweet from an airplane seat in flight has boiled over into a heated debate and serious concerns over taking security research too far when public safety is at risk.

The FBI has charged in an affidavit that security researcher Chris Roberts, managing director of One World Labs LLC in Denver, was able to hack into an aircraft's controls via the passenger WiFi network in midflight, causing the airplane to briefly climb and move sideways, or laterally.

But Roberts, who made headlines last month for a controversial tweet during a United Airlines flight on April 15 where he appeared to suggest that he would hack into the plane's controls, maintains that the live-hacking allegation was overblown. In an interview with Wired late last week, Roberts said that the paragraph in the FBI's affidavit was taken out of context and basically a misunderstanding of what he told them:

"That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about," he told Wired. "It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others."

Roberts told Dark Reading yesterday that his legal team advised him to refrain from commenting at this time. He has maintained all along that the main motivation for his research has been to improve aircraft security.

After his tweet from the United Airlines flight, federal agents barred Roberts from boarding a United Airlines airplane and confiscated his laptop and other equipment; speculation ran high that the action was due to his bold and ill-advised tweet. The plot thickened several days ago when the FBI affidavit, which was filed on April 17, was obtained and published by APTN National News and indicated that he had tampered with flight controls while a passenger. The filing also shows that the FBI in March had conversations with Roberts about vulnerabilities he had discovered in the in-flight entertainment systems (IFE) on the Boeing 737-800, 737-900, 757-200, and Airbus A-320 aircraft.

It was during those conversations that Roberts allegedly said he had "compromised" IFE systems with Thales and Panasonic video screens on seatbacks some 15-20 times between 2011 and 2014. He used an Ethernet cable to connect to the seat electronic box under the passenger seats.

Security expert Bruce Schneier says while it's unclear whether the FBI's statements of Roberts tipping a plane in-flight are accurate, if Roberts indeed was hacking a plane while a passenger, it was "a stupid thing to do," he wrote in a blog post yesterday.

"The real issue is that the avionics and the entertainment system are on the same network. That's an even stupider thing to do. Also last month, I wrote about the risks of hacking airplanes, and said that I wasn't all that worried about it. Now I'm more worried," Schneier wrote.

Roberts isn't the only security researcher who has studied airplane network vulnerabilities. Ruben Santamarta of IOActive in April of 2014 revealed critical design flaws he discovered in the firmware of popular satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services. At Black Hat USA in August of last year, he explained possible attack scenarios exploiting those vulns, including how the plane's passenger WiFi network running Cobham AVIATOR 700 satellite terminals could be abused if an attacker were to gain control over the Satellite Data Unit or the SwiftBroadband Unit interface by taking advantage of the weak password reset feature, hardcoded credentials, or the insecure protocols in the AVIATOR 700.

An attacker could wrest control of the satellite link channel used by the Future Air Navigation System (FANS), Controller Pilot Data Link Communications (CPDLC) or Aircraft Communications Addressing and Reporting System (ACARS), according to Santamarta's findings.

Santamarta says if Roberts experimented with a live flight, he crossed a serious line. "Roberts' claims need be carefully examined. Putting hundreds of lives at risk has nothing to do with security research," Santamarta told Dark Reading.

So are airplanes truly hackable from your seat? Experts say in some cases it's physically impossible, but in other cases, it's possible in theory.

"The ability to cross the red line between passenger entertainment and owned domains and the aircraft control domain heavily relies on the specific devices, software and configuration deployed on the target aircraft," Santamarta says. "Under my point of view, one of the main concerns are the SATCOM devices which are shared between different data domains. Therefore, this equipment might be used to pivot from IFE [in-flight entertainment] to certain avionics."

Santamarta says the plane's in-flight WiFi is "not a problem per se" and can be securely deployed such that the actual avionics network is safe.

There are four different domains on an airplane's network, he explains: the passenger entertainment and owned-devices domain, airline information services, and the aircraft control domain. "The SATCOM equipment is usually shared between different domains. It has to provide internet access for passengers but also air-to-ground communications for avionics," he says.

Santamarta says the avionics controls should be housed in the aircraft control domain and physically isolated from the passenger network domain. Unfortunately, that is not always the case on planes, he says. "Therefore, as long as there is a physical path that connects both domains, we can't discard a potential attack."

Whether Roberts indeed was able to pivot from the infotainment network to the airplane controls "is moot," says security researcher Don Bailey. The real issue is that increasingly networked systems, if tampered with, have public safety ramifications [and] are vulnerable.

"This industry has seen Windows XP systems controlling critical water dams, life-critical medical devices with unencrypted remote radio protocols, and automotive security systems directly connected to the Internet. The real issue isn't whether Chris accomplished this attack, it's the knowledge that the FAA, TSA, and other agencies aren't enforcing engineering companies to adhere to stringent security standards," Bailey says. "Because we all know, eventually, a breach of the entertainment system will result in a pivot to control systems. It's not if Chris made it happen, it's when someone else will."

So what now?

"Airlines cannot rely on reactive solutions to detect attacks. The best way to avoid live attacks during a flight is to analyze the security posture of the aircraft on the ground," Santamarta says.

He says the newest air-to-ground technology is a security challenge. It's best to be proactive about securing it, he says.

Even so, there's no reason to panic: "We should not be thinking airplanes are going to start falling down the sky if someone just presses a key in their laptop," Santamarta says. "Aircraft rely on redundancy to operate safely, [and] … pilots are well-trained professionals. It's not that easy."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
JimM699
User Rank: Apprentice
6/3/2015 | 4:33:24 PM
Re: It's also not that simple.
Unfortunately unauthorized access and resulting unauthorized changes to a system don't need a published exploit or flaw in code to occur. This is one of the many premises of airgapping high-risk, mission-critical systems. Indeed, even when someone puts the system on an IP stack the game changes. Accessibility means everything.

And the use of probability as a factor in this is flawed. Time and time again estimated probabilities have been shown to be flawed. Just look up "Black Swan." To be clear, when human life is at stake there is no room for a simple equation to justify a decision to allow a potentially unsafe system to operate when the consequences are dire. It is morally and ethically irresponsible. Try talking probability to a lineman or carman who deals with life-threatening materials every hour of his working life. Does he think in probabilities or certainties when they enter the operational environment? There is a reason that the field has Safety rules.

The use of risk to manage IT Security has been shown as a flawed approach resulting in misapplication of resources and, worst of all, incorrect and misleading measurements. People should realize this by now. How many "unforeseen" "Mega" breaches have to occur?
graywilliams
User Rank: Apprentice
6/1/2015 | 6:51:27 PM
Re: It's also not that simple.
The nav systems (I'm told by Green Hills) are based on Green Hills' proprietary Integrity kernel.

This kernel has achieved some pretty amazing safety and security certifications:
FAA: DO-178B, Level A (INTEGRITY-178 RTOS)
NSA: EAL 6+ High Robustness Common Criteria

That it's not Windows- or Linux-based essentially drops the risk probability of the flight systems being hijacked/hacked thru the wifi service *substantially* - if not all the way to near-zero.

The outcome of the risk assessment swings radically on this one bit - I'd say, most critical bit - of information (Risk and Probability plummets as Vulnerabilities and Threats both fall to zero; r=pvta) yet no one seems to have loudly pointed this out anywhere online or in the recent hearings, and that includes Wired, GAO, Boeing and Airbus.

The primary takeaway points out the importance of the risk assessment process and thinking in terms of probabilities. We risk wasting precious time & resources when the discussion occurs outside of this framework.
ramsha
User Rank: Apprentice
5/25/2015 | 8:07:15 PM
Re: Just a publicity ploy perhaps?!
Why would he do such a thing to risk his professional life you ask. One reason, perhaps because as I stated earlier "... his bulldog mouth ...." wants to call attention to himself, perhaps it's professional immaturity, or he's hoping to get a job with the FAA or NTSB. Who knows what his real motivations are, but until the facts come out, there's no need for anyone to run around like a chicken with its head cut off.
Dr.T
User Rank: Ninja
5/23/2015 | 11:44:15 AM
Re: field completed
Better solution is to secure the device, correct? When we do a root cause analysis on this situation it will come down to "secure the device" first.
Dr.T
User Rank: Ninja
5/23/2015 | 11:41:15 AM
Re: It's also not that simple.
Not only pilots but nobody else should be overwriting certain things. Why would anybody in the passenger end be able to access a box with a port in the first place?
Dr.T
User Rank: Ninja
5/23/2015 | 11:35:23 AM
Re: Just a publicity ploy perhaps?!
That may be the case, but why would he take that much risk? He may be discredited if it is all cleared out; that would be the end of security expert life for him.
Dr.T
User Rank: Ninja
5/23/2015 | 11:33:30 AM
Nothing surprising
I am not sure why we are getting very surprised by this situation. The situation is that somebody has access to a device with a port. From that point forward the security is already compromised. Whether he can go to the plane's control system or not should not really be the question here.
JayWestbrooke
User Rank: Apprentice
5/21/2015 | 5:23:08 PM
field completed
"Even so, there's no reason to panic: "We should not be thinking airplanes are going to start falling down the sky if someone just presses a key in their laptop," Santamarta says. "Aircraft rely on redundancy to operate safely, [and] ... pilots are well-trained professionals. It's not that easy." "

Is this assuming that in theory if a plane is hacked, the hacker will automatically attempt to shut down the avionic systems? What if the hacker does what Chris claims that he did, tilt the plane, how would redundancy help?
neutronneedle
User Rank: Apprentice
5/21/2015 | 1:28:38 PM
It's also not that simple.
Recent airline catastrophe news has revealed flight control systems which the pilots cannot override. One was an anti-stall feature which causes the plane to decrease altitude until the sensors involved indicate stall is not a danger.

The more automated aircraft operation becomes, the more likely a plane will be pwned and abused or destroyed.