Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:30 PM
Connect Directly

Aviation Faces Increasing Cybersecurity Scrutiny

Some aviation experts and security researchers are trying to foster closer alliances for securing airplane networks.

Aircraft control-system circuit boards and electronics littered a long table around which hackers tinkered with the mostly retired avionics equipment components, including cockpit display units and in-flight entertainment systems. The goal of this hands-on station — part of the inaugural Aviation Village at DEF CON 27 earlier this month in Las Vegas — was to give white-hat hackers a rare opportunity to learn how on-board airplane electronic devices operate and communicate.

"[The devices] are what a well-funded researcher could have access to," says Ken Munro, a consultant with Pen Test Partners, whose embedded systems security team created and hosted the display and helped teach wannabe hackers about the components they had procured from eBay and electronic boneyards.

"We were not there just to hack planes," says Munro, who is also a pilot. "We're trying to build a bridge between industry, regulators, and security researchers. The last thing we want is consumer confidence to be damaged."

The most high-profile participants in the Aviation Village were the US Air Force and the US Department of Defense Digital Service, which runs the department's bug bounty programs. For fun the Air Force brought along an F-35 fighter jet simulator. Meantime, a team of researchers found major security holes in the F-15's Trusted Aircraft Information Download Station, which gathers data from the jet's video cameras and sensors in-flight.

Conspicuously missing from the Aviation Village, though, were major airplane manufacturers Airbus and Boeing, as well as big-name international airlines. Boeing said it was involved behind the scenes, however, and plans for "more active participation going forward," a company spokesperson told Dark Reading.

The only commercial airline with a visible presence in the Aviation Village was Norwegian Air, whose CISO, Gerard Duerrmeyer, describes himself as a former cybersecurity researcher and longtime member of the DEF CON community. Duerrmeyer has been with the airline for about a year.

"I see the need to marry [my] two 'families,'" says Duerrmeyer, who is responsible for all things IT security at the airline, including the on-board airplane networks. "That's something I have been spending a lot of time on," working with the aviation industry to introduce it to security researchers, he explains.

Some participants privately bemoaned the lack of active involvement by airplane manufacturers and other commercial airlines. They noted the Aviation Village even had dropped the word "Hacking" from its original label, the Aviation Hacking Village, to appease aviation industry officials worried about public perception.

Boeing Front and Center
The Aviation Village debut landed on the heels of a big dustup from a major cybersecurity vulnerability disclosure earlier in the week about Boeing's 787 airplane. At Black Hat USA, also held in Vegas, IOActive researcher Ruben Santamarta disclosed security flaws in an on-board network component on the Boeing 787 that he said could allow a remote attacker to reach the sensitive avionics network — aka the crew information systems network — on the plane.

Santamarta was able to reverse-engineer the firmware of the VxWorks 6.2-based Honeywell module, known as the Crew Information System File Server/Maintenance System Module, after discovering documentation of the device sitting on a Boeing server that was inadvertently exposed publicly on the Internet.

That firmware belongs to a core network component that segregates the on-board networks. Santamarta discovered harbor buffer overflow, memory corruption, stack overflows, and denial-of-service flaws that he said could allow a remote attack.

Boeing pushed back hard on the research just prior to the presentation at Black Hat, saying its existing network defenses would thwart the attack cases Santamarta posed, and that an attacker could not reach its avionics systems via those attack methods. IOActive had been in contact with Boeing for months after the initial findings, holding weekly teleconferences.

"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems, like the avionics system," a Boeing spokesperson said during Black Hat. "Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."

Santamarta and IOActive stand by their findings, noting that Boeing had declined to provide additional information on its internal test results.

According to a Boeing spokesperson contacted last week, the company worked with IOActive to "understand" its research. "As part of the investigation, we tested in a representative Airplane Integration Lab and on a production 787 airplane to investigate the claims. We were not able to validate any of the claims and provided that feedback to IO Active. They wanted specific technical details of the protections, which we did not provide at the level desired," he said.

But Santamarta maintains that IOActive merely was asking for more information to see why Boeing did not reproduce its findings. "It's not like we were after technical details of their [security] protections. That's not our interest. We were trying to understand what was going on and why they couldn't reproduce [our findings]," he says.

Familiar Story
The apparent standoff between Santamarta and Boeing is reminiscent of a story that has played out over and over again, since Microsoft first squared off against security researchers poking holes in Windows in the early 2000s: Researchers start digging around for vulnerabilities in software and firmware, the affected vendor or industry initially ignores it or pushes back, but it ultimately relents as it's forced to work more closely with researchers to find and fix flaws before the bad guys do.

Automakers, medical device manufacturers, and industrial control systems industries all are in various stages of this evolution right now. The auto industry has begun to accelerate its security research posture: Tesla now headlines the Car Hacking Village at DEF CON and has brought its vehicles onto the conference show floor for local inspection over the past few years.

Then there's Toyota, which was one of the first public subjects of car hacking in 2013 when famed car hackers Charlie Miller and Chris Valasek were able to take control of the electronic smart steering, braking, acceleration, engine, and other features of the 2010 Toyota Prius and the 2010 Ford Escape. The carmaker recently released a car hacking tool of its own called PASTA, or the Portable Automotive Security Testbed, along with an open source version of the software — this after the carmaker in 2013 initially and for the most part dismissed Miller and Valasek's work, saying its focus was on remote attacks and that Miller and Valasek's research did not constitute hacking since it required physical access to the vehicle. 

Aviation experts say their industry's hesitation to go all in with security researchers has a lot to do with its heavy emphasis on physical safety and concern for public perception if a vuln became publicized. Organizers of the Aviation Village emphasized over and over that the purpose of the demonstrations and workshops was not about hacking planes, and that aviation systems remain the safest, with layers of redundancy to ensure safety.

Even so, security researchers point to increasingly networked airplane systems and components, which also encompass ground networks that connect to the aircraft. They worry that aviation industry players are relying too heavily on security by obscurity and avoiding the intersection of cybersecurity and public safety.

Jen Ellis, vice president of community and public affairs at security firm Rapid7 and one of the organizers of the Aviation Village, says the airline industry has a strong history of prioritizing safety. "They collaborate and are very safety-focused. Where there's a challenge and perhaps where they are a little behind is they haven't necessarily yet connected the dots between safety and cybersecurity."

Bringing the two communities together is key to starting conversations and ultimately building trust relationships. In an interview at DEF CON with Dark Reading, DHS Cybersecurity and Information Security Agency director Christopher Krebs noted that the aviation industry is undergoing a trust-building process.

"This is a community that is continuing to mature and understand what the implications are and the benefits, and sometimes the drawbacks, of engaging openly and collaborating on research," Krebs said. "It takes time to build trust ... it doesn't happen overnight," and there will always be some friction between the vendors and researchers, he noted.

Rapid7 researcher Patrick Kiley, who recently found and reported vulnerabilities on the CAN bus of a general avionics system used mainly in small private aircraft, had a less contentious experience than IOActive. His firm decided not to publicly name the affected vendors since it was an underlying CAN bus issue not specific to the vendors' equipment Kiley had hacked. Even so, he doesn't know whether the vendors actually fixed the flaws he found.

"I let the vendors know what I did with the equipment, and they didn't indicate what they would do or change. They thanked us and sent us along our way," Kiley says.

He hopes aviation vendors will get more comfortable with letting third-party researchers and others analyze their code before they deploy it. "We want to get ahead of this problem," says Kiley, who showed a demo of his research at the Aviation Village. "We want to work with the industry instead of work against them."

The Problem With Plane-Patching
Like other industrial system operators, the aviation industry's software and firmware patching practices are complicated. Safety and availability of plane systems are prioritized over a new feature or bug fix.

Retired US Air Force pilot Steve Luczynski, CISO at TRex Solutions and an organizer of the Aviation Village, says the goal is to find vulnerabilities and issues in components in systems or in the supply chain in advance. Cybersecurity in aviation should learn from the industry's physical safety redundancies. "It would be nice not to relearn" this with cybersecurity, according to Luczynski, but rather build it in. {Continued on Next Page}

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/31/2019 | 9:03:33 PM
Re: Boeing blames the "pilots" again?
Didn't the same thing happen in a movie where the pilot had to land the plane in a river in NY - Sully? In the movie, the panel did not disclose to Sully that it took the pilots 6-7 times during the simulation that they had failed and crashed the plane numerous times in their simulation. 

This does not surprise me, because when the birds hit the engines and the pilot experienced failure, he reacted in the best manner to protect the passengers during a stressful time. In this instance, it took them 13 months to share information with the public about their lack of security testing because they wanted to get their stories right before presenting them to the public. They wanted to find a scapegoat before they brought this to the public's attention. 

From the findings Rapid7 submitted to the airline industry, they should present information much like "Project-Zero - Google's Security Team", they offered their help and they shunned them away like small children. The way to deal with that is to take their findings public so this does not happen again. 
His firm decided not to publicly name the affected vendors since it was an underlying CAN bus issue not specific to the vendors' equipment Kiley had hacked. Even so, he doesn't know whether the vendors actually fixed the flaws he found.
"I let the vendors know what I did with the equipment, and they didn't indicate what they would do or change. They thanked us and sent us along our way," Kiley says.
Avi S
Avi S,
User Rank: Apprentice
8/30/2019 | 3:39:51 AM
Boeing blames the "pilots" again?
Boeing lost 2 planes and did not disclose 737 MAX alert software issue to FAA for 13 months. 
Only after China had grounded the aircraft, they've published some details of new system requirements for the problematic MCAS software that caused these crashes.

"Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed." 🕵️🤷‍♂️
[email protected],
User Rank: Author
8/23/2019 | 7:13:39 PM
Aviation Security Opportunities
Interesting problem space - tough GTM and sales cycle for independent startup, but seems like there is some opportunity for innovation, here.
User Rank: Apprentice
8/23/2019 | 1:33:26 AM
useful suggestion
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.