Cathay Pacific. British Airways. Air Canada. Airlines and airports are hot targets for cyberattackers, whose motivations range from financial and identity theft to cyber espionage.
Those three recent incidents reflect a growing trend. It was late August 2018 when Air Canada alerted users to a mobile app breach affecting 20,000 people. British Airways admitted to a breach compromising 380,000 passengers in September; a month later, it learned 185,000 more were affected in a second attack. Cathay Pacific spooked us all when, a few days before Halloween, it disclosed a breach exposing the data of 9.4 million people — the largest of any airline to date.
For attackers hoping to cash in on sensitive data, the aviation industry is a gold mine.
"Nation states have targeted airlines for a long time to collect data on passengers, but we've seen an increase in targeting by cybercriminals," explains Christopher Porter, chief intelligence strategist at FireEye.
"Because air travel is high-dollar and time-sensitive, criminals have realized they can extract payment data from customers, who will have valuable credit cards to commit fraud with, or use ransomware to extort the airline," he adds. In the last two years, FireEye has seen an increase in the use of ransomware to disable ticketing and support processes for short periods of time.
Cyberattacks exploiting air travel are "gaining momentum," he continues. In a recent report on threats to watch in 2019, FireEye researchers pointed to the aviation sector as a prime target. In addition to cyber espionage, airlines face threats like third-party ticket sellers profiting from illicit tickets on the Dark Web, and breaches designed to capture the valuable data they store.
Consider passports. "The airlines have one thing that virtually nobody else has, and that's passport information," says Randy Abrams, senior security analyst at Webroot. While more valuable on a nation-state level, passports can aid fraudsters in phishing attacks and identity theft. When you add them up, they can also earn quite a bit of money on the Dark Web.
There isn't enough publicly available data to determine if passports are an objective in aviation cyberattacks, he adds; however, successful attackers will likely take passport data they find. It's one of many types of information airlines hold, in addition to users' names, home and email addresses, payment card numbers, phone numbers, and other personal data. Sure, payment information is handy for financial theft, but all the other info can be used for identity fraud.
"There's a lot of people doing a lot of flying these days, and there's a good chance of picking up a lot of personal information in one fell swoop," says David Emm, principal security researcher at Kaspersky Lab. "We're used to seeing attacks on individuals, but it's easier if you can hit one target and grab all the data. Airlines are strategically placed from a criminal's point of view."
How They're Breaking In
Emm explains how a common technique among modern attackers is capturing information as it's entered online. Someone who breaches a provider to steal payment card data likely won't access all the info they need (for example, the cards' CVV numbers) because the company won't store it. However, that data can be captured by a script sitting on a website.
A number of airlines, including British Airways and Cathay Pacific, have been targeted by injecting a script into one of the processors for handling online payments, he adds. It's more fruitful for the attackers but makes breach remediation harder for organizations hit.
Emm, Porter, and Abrams all point to the dangers of the aviation supply chain, another common attack vector.
The risk of a security breach intensifies with the number of third-party vendors involved with a company's processes. Airports work with many, and their operations demand constant exchange of data among governments, credit card companies, baggage handlers, maintenance, and a wealth of other organizations responsible for keeping the industry in business.
"Those are all good targets … all potential entry points for a cybercriminal," says Porter. He calls the supply chain "a hidden risk" airlines didn't consider when they were corporate risk planning but now is top of mind.
If an airline is using a process developed by a third party — payments, for example — they're putting security into the hands of the third party and giving attackers "a bit of an advantage," Emm explains. "They know there's an opportunity to slide between the cracks there," he says of the attackers.
"If there's not a good reason to be using a third-party script, well, don't," he notes. It's like high-tech systems, he says: the simpler the equipment, the less of a problem you're likely to have.
Buckle Up: Airline Security Tips and Challenges
It's one of many pieces of advice for an industry challenged with a wave of cyberattacks.
Abrams advises airlines and airports to make sure their assets are well-protected and perform high-quality penetration testing, especially on Web-facing systems, which are "getting hit left and right." He also suggests implementing third-party auditing for the supply chain and correlating data across geographical regions to detect threat patterns as they occur.
"If I'm seeing something anomalous on my site in New Jersey, and seeing the same anomaly on my sites in Hong Kong and Croatia, and I'm not correlating all these events, then that's where I'm missing the big picture," he explains.
Emm recommends developing scripts internally to maintain more control over security. For businesses relying on third-party providers, he strongly suggests evaluating external code with the same rigor they'd use to check code they built: give it a good and thorough test.
"Make sure all the processes have evolved and the handling of personal information is solid," he adds.
Taking Control: Who's Responsible for Cyber
Airports in the US are sometimes privately owned, owned by different municipalities, or have a mix of different stakeholders, begging the question: who takes control for infosec?
"Everyone gives a different answer on who's responsible," says Porter, noting that his team has asked airports and airlines about potential threats.
There's room for improvement here, and it can be filled by getting stakeholders together and running security exercises: practicing a major cyber threat that disables operations, for example, or impairs a flight. It's imperative airlines determine who is responsible for each element of response — something they don't want to find out when an incident strikes.
"In the US, a bigger factor is that Congress and the executive branch have been growing more concerned about potential lethal risks from cyberattacks on aviation," says Porter. To prove air travel is resilient to that, airlines and their partners have to re-examine their security posture. He says some airports, and the DHS, have begun doing these exercises, which is encouraging.
Can Cybercrime Bring Down A Plane? Probably Not.
While data breaches generally make for bad publicity, those against the aviation sector often cause concern among passengers who wonder if the effects of cybercrime can hit mid-flight. Experts say there's little reason to be concerned here — most cyberattacks targeting the industry affect systems unrelated to fliers' safety — but these attacks are still concerning.
While he's not aware of an attack that would remotely bring down an aircraft, Porter points out how attacks like ransomware could disrupt flight operations. It may not affect passenger safety but could affect a pilot's ability to take off if they can't access a flight plan, for example.
FireEye doesn't defend aircrafts themselves, so Porter points to a 2017 US Department of Homeland Security study that found a threat to planes "was at least technically feasible." He gives the world's most skilled hacker groups the benefit of the doubt. "You have the be cognizant of worst-case scenario," he says.
Security researchers have already shown it's possible. Earlier this year, Ruben Santamarta, principal security consultant with IO/Active, took the stage at Black Hat USA to demonstrate how he gained access to an in-flight aircraft and its on-board satellite communications devices from the ground. Equipment flaws including backdoors, insecure protocols, and network misconfigurations could affect hundreds of commercial planes from major carriers like Southwest, Norwegian, and Icelandair.
However, for the general public and policymakers, the most relevant threats affect their data and not the plane's safety. Cyber espionage is a far more common threat to aviation security.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.