Aircraft control-system circuit boards and electronics littered a long table around which hackers tinkered with the mostly retired avionics equipment components, including cockpit display units and in-flight entertainment systems. The goal of this hands-on station — part of the inaugural Aviation Village at DEF CON 27 earlier this month in Las Vegas — was to give white-hat hackers a rare opportunity to learn how on-board airplane electronic devices operate and communicate.
"[The devices] are what a well-funded researcher could have access to," says Ken Munro, a consultant with Pen Test Partners, whose embedded systems security team created and hosted the display and helped teach wannabe hackers about the components they had procured from eBay and electronic boneyards.
"We were not there just to hack planes," says Munro, who is also a pilot. "We're trying to build a bridge between industry, regulators, and security researchers. The last thing we want is consumer confidence to be damaged."
The most high-profile participants in the Aviation Village were the US Air Force and the US Department of Defense Digital Service, which runs the department's bug bounty programs. For fun the Air Force brought along an F-35 fighter jet simulator. Meantime, a team of researchers found major security holes in the F-15's Trusted Aircraft Information Download Station, which gathers data from the jet's video cameras and sensors in-flight.
Conspicuously missing from the Aviation Village, though, were major airplane manufacturers Airbus and Boeing, as well as big-name international airlines. Boeing said it was involved behind the scenes, however, and plans for "more active participation going forward," a company spokesperson told Dark Reading.
The only commercial airline with a visible presence in the Aviation Village was Norwegian Air, whose CISO, Gerard Duerrmeyer, describes himself as a former cybersecurity researcher and longtime member of the DEF CON community. Duerrmeyer has been with the airline for about a year.
"I see the need to marry [my] two 'families,'" says Duerrmeyer, who is responsible for all things IT security at the airline, including the on-board airplane networks. "That's something I have been spending a lot of time on," working with the aviation industry to introduce it to security researchers, he explains.
Some participants privately bemoaned the lack of active involvement by airplane manufacturers and other commercial airlines. They noted the Aviation Village even had dropped the word "Hacking" from its original label, the Aviation Hacking Village, to appease aviation industry officials worried about public perception.
Boeing Front and Center
The Aviation Village debut landed on the heels of a big dustup from a major cybersecurity vulnerability disclosure earlier in the week about Boeing's 787 airplane. At Black Hat USA, also held in Vegas, IOActive researcher Ruben Santamarta disclosed security flaws in an on-board network component on the Boeing 787 that he said could allow a remote attacker to reach the sensitive avionics network — aka the crew information systems network — on the plane.
Santamarta was able to reverse-engineer the firmware of the VxWorks 6.2-based Honeywell module, known as the Crew Information System File Server/Maintenance System Module, after discovering documentation of the device sitting on a Boeing server that was inadvertently exposed publicly on the Internet.
That firmware belongs to a core network component that segregates the on-board networks. Santamarta discovered harbor buffer overflow, memory corruption, stack overflows, and denial-of-service flaws that he said could allow a remote attack.
Boeing pushed back hard on the research just prior to the presentation at Black Hat, saying its existing network defenses would thwart the attack cases Santamarta posed, and that an attacker could not reach its avionics systems via those attack methods. IOActive had been in contact with Boeing for months after the initial findings, holding weekly teleconferences.
"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems, like the avionics system," a Boeing spokesperson said during Black Hat. "Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."
Santamarta and IOActive stand by their findings, noting that Boeing had declined to provide additional information on its internal test results.
According to a Boeing spokesperson contacted last week, the company worked with IOActive to "understand" its research. "As part of the investigation, we tested in a representative Airplane Integration Lab and on a production 787 airplane to investigate the claims. We were not able to validate any of the claims and provided that feedback to IO Active. They wanted specific technical details of the protections, which we did not provide at the level desired," he said.
But Santamarta maintains that IOActive merely was asking for more information to see why Boeing did not reproduce its findings. "It's not like we were after technical details of their [security] protections. That's not our interest. We were trying to understand what was going on and why they couldn't reproduce [our findings]," he says.
Familiar Story
The apparent standoff between Santamarta and Boeing is reminiscent of a story that has played out over and over again, since Microsoft first squared off against security researchers poking holes in Windows in the early 2000s: Researchers start digging around for vulnerabilities in software and firmware, the affected vendor or industry initially ignores it or pushes back, but it ultimately relents as it's forced to work more closely with researchers to find and fix flaws before the bad guys do.
Automakers, medical device manufacturers, and industrial control systems industries all are in various stages of this evolution right now. The auto industry has begun to accelerate its security research posture: Tesla now headlines the Car Hacking Village at DEF CON and has brought its vehicles onto the conference show floor for local inspection over the past few years.
Then there's Toyota, which was one of the first public subjects of car hacking in 2013 when famed car hackers Charlie Miller and Chris Valasek were able to take control of the electronic smart steering, braking, acceleration, engine, and other features of the 2010 Toyota Prius and the 2010 Ford Escape. The carmaker recently released a car hacking tool of its own called PASTA, or the Portable Automotive Security Testbed, along with an open source version of the software — this after the carmaker in 2013 initially and for the most part dismissed Miller and Valasek's work, saying its focus was on remote attacks and that Miller and Valasek's research did not constitute hacking since it required physical access to the vehicle.
Aviation experts say their industry's hesitation to go all in with security researchers has a lot to do with its heavy emphasis on physical safety and concern for public perception if a vuln became publicized. Organizers of the Aviation Village emphasized over and over that the purpose of the demonstrations and workshops was not about hacking planes, and that aviation systems remain the safest, with layers of redundancy to ensure safety.
Even so, security researchers point to increasingly networked airplane systems and components, which also encompass ground networks that connect to the aircraft. They worry that aviation industry players are relying too heavily on security by obscurity and avoiding the intersection of cybersecurity and public safety.
Jen Ellis, vice president of community and public affairs at security firm Rapid7 and one of the organizers of the Aviation Village, says the airline industry has a strong history of prioritizing safety. "They collaborate and are very safety-focused. Where there's a challenge and perhaps where they are a little behind is they haven't necessarily yet connected the dots between safety and cybersecurity."
Bringing the two communities together is key to starting conversations and ultimately building trust relationships. In an interview at DEF CON with Dark Reading, DHS Cybersecurity and Information Security Agency director Christopher Krebs noted that the aviation industry is undergoing a trust-building process.
"This is a community that is continuing to mature and understand what the implications are and the benefits, and sometimes the drawbacks, of engaging openly and collaborating on research," Krebs said. "It takes time to build trust ... it doesn't happen overnight," and there will always be some friction between the vendors and researchers, he noted.
Rapid7 researcher Patrick Kiley, who recently found and reported vulnerabilities on the CAN bus of a general avionics system used mainly in small private aircraft, had a less contentious experience than IOActive. His firm decided not to publicly name the affected vendors since it was an underlying CAN bus issue not specific to the vendors' equipment Kiley had hacked. Even so, he doesn't know whether the vendors actually fixed the flaws he found.
"I let the vendors know what I did with the equipment, and they didn't indicate what they would do or change. They thanked us and sent us along our way," Kiley says.
He hopes aviation vendors will get more comfortable with letting third-party researchers and others analyze their code before they deploy it. "We want to get ahead of this problem," says Kiley, who showed a demo of his research at the Aviation Village. "We want to work with the industry instead of work against them."
The Problem With Plane-Patching
Like other industrial system operators, the aviation industry's software and firmware patching practices are complicated. Safety and availability of plane systems are prioritized over a new feature or bug fix.
Retired US Air Force pilot Steve Luczynski, CISO at TRex Solutions and an organizer of the Aviation Village, says the goal is to find vulnerabilities and issues in components in systems or in the supply chain in advance. Cybersecurity in aviation should learn from the industry's physical safety redundancies. "It would be nice not to relearn" this with cybersecurity, according to Luczynski, but rather build it in. {Continued on Next Page}
{Continued from Page 1}
Boeing said there's no "quick" patch program for software in the aviation industry, and development of software for planes follows specific regulatory guidelines.
Jeffrey Troy, executive director of the Aviation-ISAC, the official threat intelligence-sharing arm of the industry, describes patching in avionics systems as a "case-by-case" situation. "Every instance of a vulnerability is a unique case," he says. "You also have to understand what the impact is and how to address it based on that impact."
He says aviation companies, when contacted by researchers, listen and then vet the findings. "They go out and conduct tests to validate whether or not the vuln that has been made known can be replicated. And if so, they do their assessments to determine what they need to do," he notes.
It's only a matter of time before Boeing and other aviation industry vendors are forced to find common ground with the researcher community, experts say. The increasingly networked aircraft fleet naturally will open avenues for security holes that need spotting and fixing.
"We've gone literally from having to physically go to planes and their avionics and upload a floppy [disk] for 20 minutes to now updating them over the air," Pen Test Partners' Munro notes. "You get reduced costs, but it [brings] security implications, too."
And aviation firms have invested large amounts of money in developing safe and secure code, he says. "It will be some time before avionics opens up their source code" to security researchers, though, he says.
Progress, Actually
John Sheehy, IOActive's director of strategic security services, worked with Santamarta on his disclosure with Boeing. He believes some good progress has been made in relationships between researchers and the avionics industry over the past three years.
"Boeing clearly understood what Ruben was going to present [at Black Hat]," Sheehy says. "They did not take any aggressive action to stop us from doing so. I think they understand the value of this kind of research."
Related Content:
- Researcher Successfully Hacked In-Flight Airplanes - From the Ground
- Planes, Tweets & Possible Hacks From Seats
- This Time, Miller & Valasek Hack The Jeep At Speed
- State Trooper Vehicles Hacked
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "You Gotta Reach 'Em to Teach 'Em."