Vulnerabilities in aircraft systems allow remote airplane hijacking,
researcher says
Communication technologies like ADS-B and ACARS can be abused to remotely
exploit vulnerabilities in aircraft systems, a researcher said
Lucian Constantin
April 11, 2013 (IDG News Service)
The lack of security in communication technologies used in the aviation
industry makes it possible to remotely exploit vulnerabilities in critical
on-board systems and attack aircraft in flight, according to research
presented Wednesday at the Hack in the Box security conference in Amsterdam.
The presentation, by Hugo Teso, a security consultant at consultancy firm
N.runs in Germany who has also held a commercial pilot license for the past
12 years, was the result of the researcher's three-year-long research into
the security of avionics.
Teso showed how the absence of security features in ADS-B (automatic
dependent surveillance-broadcast), a technology used for aircraft tracking,
and ACARS (Aircraft Communications Addressing and Reporting System), a
datalink system used to transmit messages between aircraft and ground
stations via radio or satellite, can be abused to exploit vulnerabilities in
flight management systems.
He did not experiment on real airplanes, which would be both dangerous and
illegal, according to his own account. Instead Teso acquired aircraft
hardware and software from different places, including from vendors offering
simulation tools that use actual aircraft code and from eBay, where he found
a flight management system (FMS) manufactured by Honeywell and a Teledyne
ACARS aircraft management unit.
Using these tools, he set up a lab where he simulated virtual airplanes and
a station for sending specifically crafted ACARS messages to them in order
to exploit vulnerabilities identified in their flight management systems --
specialized computers that automate in-flight tasks related to navigation,
flight planning, trajectory prediction, guidance and more.
The FMS is directly connected to other critical systems like navigation
receivers, flight controls, engine and fuel systems, aircraft displays,
surveillance systems and others, so by compromising it, an attacker could
theoretically start attacking additional systems. However, this aspect was
beyond the scope of this particular research, Teso said.
Identifying potential targets and gathering basic information about them via
ADS-B is fairly easy because there are many places online that collect and
share ADS-B data, such as flightradar24.com, which also has mobile apps for
flight tracking, Teso said.
ACARS can be used to gather even more information about each potential
target, and by combining this information with other open-source data, it is
possible to determine with a fairly high degree of certainty what model of
FMS a specific aircraft is using, Teso said.
After this is done, an attacker could send specifically crafted ACARS
messages to the targeted aircraft to exploit vulnerabilities identified in
the code of its FMS. In order to do this, the attacker could build his own
software-defined radio system, which would have a range limit depending on
the antenna being used, or he could hack into the systems of one of the two
main ground service providers and use them to send ACARS messages, a task
that would probably be more difficult, Teso said.
Either way, sending rogue ACARS messages to real aircraft would most likely
lead to the authorities searching and eventually locating you, the
researcher said.
Teso created a post-exploitation agent dubbed SIMON that can run on a
compromised FMS and can be used to make flight plan changes or execute
various commands remotely. SIMON was specifically designed for the x86
architecture so that it can only be used in the test lab against virtual
airplanes and not against flight management systems on real aircraft that
use different architectures.
The researcher also created an Android app called PlaneSploit that can
automate an entire attack, from discovering targets using Flightradar24 to
exploiting vulnerabilities in their FMS, installing SIMON and then
performing various actions, like modifying the flight plan.
As previously mentioned, the research and demonstrations were performed
against virtual planes in a lab setup. However, the FMS vulnerabilities
identified and the lack of security in communication technologies like ADS-B
and ACARS are real, Teso said.
In a real-world attack scenario, the pilot could realize that something is
wrong, disengage the auto-pilot and fly the plane like in the old days using
analog systems, Teso said. However, flying without auto-pilot is becoming
increasingly difficult on modern aircraft, he said.
Teso did not reveal any specifics about the vulnerabilities he identified in
flight management systems because they haven't been fixed yet. The lack of
security features like authentication in ADS-B and ACARS is also something
that will probably take a lot of time to address, but the researcher hopes
that it will be done while these technologies are still being deployed. In
the U.S., the majority of aircraft are expected to use ADS-B by 2020.
N.runs has been in contact with the European Aviation Safety Agency (EASA)
for the past few weeks about the issues identified during this research,
Teso said, adding that he has been pleasantly surprised by their response so
far. "They haven't denied the issues, they listened to us and they offered
resources," he said. "They're trying to help us to take this research on a
real plane."