
Threat Intelligence

11/26/2018
05:12 PM

Buckle Up: A Closer Look at Airline Security Breaches

Cyberattacks on airports and airlines are often unrelated to passenger safety - but that's no reason to dismiss them, experts say.

Cathay Pacific. British Airways. Air Canada. Airlines and airports are hot targets for cyberattackers, whose motivations range from financial and identity theft to cyber espionage.

Those three recent incidents reflect a growing trend. It was late August 2018 when Air Canada alerted users to a mobile app breach affecting 20,000 people. British Airways admitted to a breach compromising 380,000 passengers in September; a month later, it learned 185,000 more were affected in a second attack. Cathay Pacific spooked us all when, a few days before Halloween, it disclosed a breach exposing the data of 9.4 million people — the largest of any airline to date.

For attackers hoping to cash in on sensitive data, the aviation industry is a gold mine.

"Nation states have targeted airlines for a long time to collect data on passengers, but we've seen an increase in targeting by cybercriminals," explains Christopher Porter, chief intelligence strategist at FireEye.

"Because air travel is high-dollar and time-sensitive, criminals have realized they can extract payment data from customers, who will have valuable credit cards to commit fraud with, or use ransomware to extort the airline," he adds. In the last two years, FireEye has seen an increase in the use of ransomware to disable ticketing and support processes for short periods of time.

Cyberattacks exploiting air travel are "gaining momentum," he continues. In a recent report on threats to watch in 2019, FireEye researchers pointed to the aviation sector as a prime target. In addition to cyber espionage, airlines face threats like third-party ticket sellers profiting from illicit tickets on the Dark Web, and breaches designed to capture the valuable data they store.

Consider passports. "The airlines have one thing that virtually nobody else has, and that's passport information," says Randy Abrams, senior security analyst at Webroot. While more valuable on a nation-state level, passports can aid fraudsters in phishing attacks and identity theft. When you add them up, they can also earn quite a bit of money on the Dark Web.

There isn't enough publicly available data to determine if passports are an objective in aviation cyberattacks, he adds; however, successful attackers will likely take passport data they find. It's one of many types of information airlines hold, in addition to users' names, home and email addresses, payment card numbers, phone numbers, and other personal data. Sure, payment information is handy for financial theft, but all the other info can be used for identity fraud.

"There's a lot of people doing a lot of flying these days, and there's a good chance of picking up a lot of personal information in one fell swoop," says David Emm, principal security researcher at Kaspersky Lab. "We're used to seeing attacks on individuals, but it's easier if you can hit one target and grab all the data. Airlines are strategically placed from a criminal's point of view."

How They're Breaking In

Emm says a common technique among modern attackers is capturing information at the moment it's entered online rather than stealing it from storage. Someone who breaches a provider to steal payment card data likely won't get all the information they need (for example, the cards' CVV numbers) because the company doesn't store it. That data can, however, be captured by a script sitting on the website at the point of entry.

A number of airlines, including British Airways and Cathay Pacific, have been hit this way: attackers injected a script into one of the third-party processors that handle online payments, he adds. It's more fruitful for the attackers, and it makes breach remediation harder for the organizations hit.

Emm, Porter, and Abrams all point to the dangers of the aviation supply chain, another common attack vector.

(Image: Peshkov - stock.adobe.com)


The risk of a security breach intensifies with the number of third-party vendors involved with a company's processes. Airports work with many, and their operations demand constant exchange of data among governments, credit card companies, baggage handlers, maintenance, and a wealth of other organizations responsible for keeping the industry in business.

"Those are all good targets … all potential entry points for a cybercriminal," says Porter. He calls the supply chain "a hidden risk" that airlines didn't consider during corporate risk planning but that is now top of mind.

If an airline is using a process developed by a third party — payments, for example — they're putting security into the hands of the third party and giving attackers "a bit of an advantage," Emm explains. "They know there's an opportunity to slide between the cracks there," he says of the attackers.

"If there's not a good reason to be using a third-party script, well, don't," he notes. It's like high-tech systems, he says: the simpler the equipment, the less of a problem you're likely to have.

Buckle Up: Airline Security Tips and Challenges

It's one of many pieces of advice for an industry challenged with a wave of cyberattacks.

Abrams advises airlines and airports to make sure their assets are well-protected and perform high-quality penetration testing, especially on Web-facing systems, which are "getting hit left and right." He also suggests implementing third-party auditing for the supply chain and correlating data across geographical regions to detect threat patterns as they occur.

"If I'm seeing something anomalous on my site in New Jersey, and seeing the same anomaly on my sites in Hong Kong and Croatia, and I'm not correlating all these events, then that's where I'm missing the big picture," he explains.
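One way to act on Abrams' point, as an added example that is not code from the article or from any vendor quoted in it: each site first flags its own local anomaly (here, a client causing repeated server errors on a payment endpoint), and a central step then checks whether the same actor triggered that anomaly at several geographically separate sites within a short window. The log format, site names, thresholds, and log lines are all constructed for this illustration.

```python
"""Correlate the same anomaly across geographically separate sites.

Added illustration only. Assumes one log line per request in the constructed
format "<ISO timestamp> <site> <client_ip> <method> <path> <status>"; the
sites, IP addresses (documentation ranges) and thresholds are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three sites; one malformed line is included
# to show that unparsable input is skipped rather than crashing the pipeline.
SAMPLE_LOGS = """\
2018-11-20T10:00:01Z newark 203.0.113.5 GET /checkout 200
2018-11-20T10:00:02Z newark 203.0.113.5 POST /api/payment 500
2018-11-20T10:00:03Z newark 203.0.113.5 POST /api/payment 500
2018-11-20T10:00:04Z newark 203.0.113.5 POST /api/payment 500
2018-11-20T10:05:00Z newark 192.0.2.10 POST /api/payment 200
2018-11-20T10:12:00Z hongkong 203.0.113.5 POST /api/payment 500
2018-11-20T10:12:01Z hongkong 203.0.113.5 POST /api/payment 500
2018-11-20T10:12:02Z hongkong 203.0.113.5 POST /api/payment 500
2018-11-20T10:20:00Z zagreb 203.0.113.5 POST /api/payment 500
2018-11-20T10:20:01Z zagreb 203.0.113.5 POST /api/payment 500
2018-11-20T10:20:02Z zagreb 203.0.113.5 POST /api/payment 500
2018-11-20T10:30:00Z newark 198.51.100.7 POST /api/payment 500
2018-11-20T10:30:01Z newark 198.51.100.7 POST /api/payment 500
2018-11-20T10:30:02Z newark 198.51.100.7 POST /api/payment 500
2018-11-20T10:31:00Z zagreb 192.0.2.11 GET /checkout 200
this line is not a log line and must be ignored
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<site>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["status"] = int(event["status"])
    return event


def parse_logs(text):
    """Parse every well-formed line; malformed lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def local_anomalies(events, threshold=3):
    """Per-site rule: a client producing >= threshold 5xx responses on the
    payment endpoint. Returns {(site, ip): first_seen_timestamp}."""
    counts = defaultdict(int)
    first_seen = {}
    for e in events:
        if e["path"].startswith("/api/payment") and e["status"] >= 500:
            key = (e["site"], e["ip"])
            counts[key] += 1
            first_seen.setdefault(key, e["ts"])
    return {k: first_seen[k] for k, n in counts.items() if n >= threshold}


def correlate(anomalies, window_minutes=60, min_sites=2):
    """Cross-site step: the same actor flagged at >= min_sites distinct sites,
    all within window_minutes of each other. Returns {ip: sorted site list}."""
    by_ip = defaultdict(list)
    for (site, ip), ts in anomalies.items():
        by_ip[ip].append((ts, site))
    campaigns = {}
    for ip, hits in by_ip.items():
        hits.sort()
        sites = {site for _, site in hits}
        span = hits[-1][0] - hits[0][0]
        if len(sites) >= min_sites and span <= timedelta(minutes=window_minutes):
            campaigns[ip] = sorted(sites)
    return campaigns


def detect_campaigns(log_text):
    """Full pipeline: parse, flag per site, then correlate across sites."""
    return correlate(local_anomalies(parse_logs(log_text)))


if __name__ == "__main__":
    for ip, sites in detect_campaigns(SAMPLE_LOGS).items():
        print(f"{ip} flagged at {len(sites)} sites: {', '.join(sites)}")
```

On the constructed input, 203.0.113.5 is flagged at Newark, Hong Kong and Zagreb within twenty minutes and surfaces as a cross-site pattern, while 198.51.100.7 trips only the Newark rule and stays a local event. The split into a per-site rule and a separate correlation step is the point: each site can keep its own thresholds, and only the compact anomaly summaries need to be shipped to a central place.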

Emm recommends developing scripts internally to maintain more control over security. For businesses relying on third-party providers, he strongly suggests evaluating external code with the same rigor they'd use to check code they built: give it a good and thorough test.
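The payment-page script injections described under "How They're Breaking In" and Emm's advice here to test external code as rigorously as in-house code both come down to the same control: a reviewed copy of a third-party script is pinned by hash, and the served copy is checked against that pin. The following is an added example, not code from the article or from any airline or vendor it names; it computes a Subresource Integrity style value (the `integrity` attribute browsers enforce on `<script>` tags) and re-verifies a fetched copy against it. The script contents and the vendor URL are constructed.

```python
"""Pin a reviewed third-party script by hash and verify what is actually served.

Added illustration only. The script bodies and the URL below are constructed;
in practice the pin is computed from a copy that has been reviewed and tested,
and the resulting integrity value goes into the <script> tag on the page.
"""
import base64
import hashlib
import hmac

# Only the digest algorithms browsers accept for SRI are allowed.
ALLOWED_ALGOS = ("sha256", "sha384", "sha512")

# Constructed: the copy of the vendor script that was reviewed and tested.
REVIEWED_SCRIPT = b"window.payWidget = function (form) { return submitCard(form); };\n"
# Constructed: the same file with an unreviewed change appended.
MODIFIED_SCRIPT = REVIEWED_SCRIPT + b"window.payWidget.extra = true;\n"
VENDOR_URL = "https://cdn.example-vendor.test/pay-widget.js"  # placeholder


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an integrity value of the form '<algo>-<base64 digest>'."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Render the <script> tag that loads the pinned script; the browser
    refuses to execute the file if its hash no longer matches."""
    return (
        f'<script src="{src}" integrity="{integrity}" '
        f'crossorigin="anonymous"></script>'
    )


def verify(content: bytes, pinned: str) -> bool:
    """Server-side re-check of a fetched copy against the pinned value, e.g.
    run on a schedule against the vendor URL to catch silent changes."""
    algo, _, _ = pinned.partition("-")
    if algo not in ALLOWED_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), pinned)


# Deploy-time step: pin the reviewed copy.
PINNED = sri_hash(REVIEWED_SCRIPT)


if __name__ == "__main__":
    print(script_tag(VENDOR_URL, PINNED))
    print("reviewed copy matches pin:", verify(REVIEWED_SCRIPT, PINNED))
    print("modified copy matches pin:", verify(MODIFIED_SCRIPT, PINNED))
```

The pin ties the page to the exact bytes that were reviewed, so a change on the vendor's side, whether a legitimate update or an injected addition, fails the check instead of running; the cost is that every vendor update has to be reviewed and re-pinned, which is exactly the rigor Emm is asking for.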

"Make sure all the processes have evolved and the handling of personal information is solid," he adds.

Taking Control: Who's Responsible for Cyber

Airports in the US are sometimes privately owned, owned by different municipalities, or have a mix of different stakeholders, which raises the question: who takes control of infosec?

"Everyone gives a different answer on who's responsible," says Porter, noting that his team has asked airports and airlines about potential threats.

There's room for improvement here, and it can be filled by getting stakeholders together and running security exercises: practicing a major cyber threat that disables operations, for example, or impairs a flight. It's imperative airlines determine who is responsible for each element of response — something they don't want to find out when an incident strikes.

"In the US, a bigger factor is that Congress and the executive branch have been growing more concerned about potential lethal risks from cyberattacks on aviation," says Porter. To prove air travel is resilient to that, airlines and their partners have to re-examine their security posture. He says some airports, and the DHS, have begun doing these exercises, which is encouraging.

Can Cybercrime Bring Down A Plane? Probably Not.

While data breaches generally make for bad publicity, those against the aviation sector often cause concern among passengers who wonder if the effects of cybercrime can hit mid-flight. Experts say there's little reason to be concerned here — most cyberattacks targeting the industry affect systems unrelated to fliers' safety — but these attacks are still concerning.

While he's not aware of an attack that would remotely bring down an aircraft, Porter points out how attacks like ransomware could disrupt flight operations. It may not affect passenger safety but could affect a pilot's ability to take off if they can't access a flight plan, for example.

FireEye doesn't defend aircraft themselves, so Porter points to a 2017 US Department of Homeland Security study that found a threat to planes "was at least technically feasible." He gives the world's most skilled hacker groups the benefit of the doubt. "You have to be cognizant of worst-case scenario," he says.

Security researchers have already shown it's possible. Earlier this year, Ruben Santamarta, principal security consultant with IOActive, took the stage at Black Hat USA to demonstrate how he gained access to an in-flight aircraft and its on-board satellite communications devices from the ground. Equipment flaws including backdoors, insecure protocols, and network misconfigurations could affect hundreds of commercial planes from major carriers like Southwest, Norwegian, and Icelandair.

However, for the general public and policymakers, the most relevant threats affect their data and not the plane's safety. Cyber espionage is a far more common threat to aviation security.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...