Aircraft Can Be Successfully Hacked In-Flight

IOActive researcher will demonstrate at Black Hat USA (4th-9th August Ls Vegas) how satellite equipment can be 'weaponised.'

It's been four years since researcher Ruben Santamarta rocked the security world with his chilling discovery of major vulnerabilities in satellite equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities.

Santamarta has now proven out those findings and taken his research to the level of terrifying, by successfully hacking into in-flight airplane WiFi networks and Satcom equipment from the ground. 

"As far as I know I will be the first researcher that will demonstrate that it's possible to hack into communications devices on an in-flight aircraft … from the ground," he says.

He accessed on-board WiFi networks including passengers' Internet activity, and also was able to reach the planes' Satcom equipment, he says, all of which in his previous research he had concluded, but not proven, was possible.  Furthermore: "In this new research, we also managed to get access to important communications devices in the aircraft," Santamarta, principal security consultant with IO/Active, says.

That's as much detail about the hack that Santamarta will share publicly before his Black Hat talk, where he plans to demonstrate just how he gained access to the aircraft and on-board satellite communications devices. He'll show how Satcom gear could be weaponised as a radio frequency (RF) tool, he says, that ultimately could "pose security risks" to the aircraft.
Santamarta's previous work on hacking an airplane network had been met with some skepticism. "Everybody told us it was impossible. But basically, it's possible, and we [now] have proof and [will] present the proof of that."

He says he used similar Satcom hacking techniques to locate multiple NATO military installations in conflict zones, which were exposed on the Internet, and employed similar methods to access maritime vessels' networks at sea, the details of which he'll also cover in his talk.

Not surprisingly, the vulnerability disclosure process associated with the research was, he says, "extremely sensitive." Santamarta contacted all of the affected parties, he says, and ensured that no hacks he performed would put anyone in physical danger, for instance. "We improved … security and safety" with this research, he says.
Security Holes

In his 2014 research, Santamarta provided a report on several possible attack scenarios using the vulnerabilities he had discovered in the firmware of popular satellite ground terminal equipment. In his latest research he studied other Satcom systems and infrastructure and found the usual suspects of industrial Internet of Things flaws: backdoors, insecure protocols, and hard-coded credentials as well as buffer overflows, code injections, and exposed services.

These vulnerabilities "allowed us to take control of these devices and allow anyone to access the satellite services," he says. "We can leverage Satcom devices to perform cyber-physical attacks."

But like with Santamarta's previous research, the affected vendors and providers unfortunately aren't all on board with fixes for the newly discovered security holes. "The critical things have been fixed mostly. But there are other significant vulnerabilities that are still there, and that’s a still a problem," he says.

"The Satcom environment right now is really a mess. That's one of the reasons we called this talk 'The Last Call for Satcom Security,'" he says. "It's really worrying me what I am seeing in this area."

He declined to discuss in detail just how much damage an attacker could do with the aircraft hack they pulled off, saying: "This has to be explained carefully, and we've got all the technical details backing our claim. It's not an apocalypse, but basically there are some scenarios that are possible" that will be covered at Black Hat, he says.

In his 2014 research, Santamarta found that an in-flight airline WiFi network was vulnerable to malicious behavior via vulnerable Cobham AVIATOR 700 satellite terminals on the WiFi. 

The danger there was an attacker gaining control over the Satellite Data Unit or the SwiftBroadband Unit interface by taking advantage of the weak password reset feature, hardcoded credentials, or the insecure protocols in the terminal. Santamarta's new research illustrates just how an attacker could abuse Satcom and other equipment vulnerabilities. He says he spotted hundreds of "exposed" aircraft from multiple airlines, but only focused on a few in his hacking research.

"These are real cases. They are no longer theoretical scenarios," he says of his new research. "We are using vulns in Satcom devices to turn those devices into weapons" to trigger cyber-physical effects, he says.

There are two other known airplane-hacking research projects, but neither were accomplished from the ground to a flying plane like Santamarta's. 

The first was a controversial and disputed one in May of 2015, when security researcher Chris Roberts was accused by the FBI of hacking into an aircraft's controls via the WiFi network from his airplane seat, causing the airplane to briefly climb and move sideways, or laterally. 

Roberts at the time said the FBI's assessment of his experiment was overblown, and he later reportedly said the charges had been dropped.

A US Department of Homeland Security official in 2017 revealed at a satellite conference that his team had remotely hacked into a parked Boeing 757 at the Atlantic City, NJ, airport, using RF communications.  

Dark Reading

You Might Also Read: 

The Cyber Threat To Airports:

MH370 Loss Could Have Been A Remote Skyjacking:
 

« Ex-GCHQ Boss: Nation State Cyber-Attacks Affect Everyone
A Looming US vs China Tech War Over Huawei »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BCS, The chartered Institute for IT

BCS, The chartered Institute for IT

BCS provides IT professionals with up to date and relevant certifications enabling them to manage IT security effectively within their budget.

Echelon

Echelon

Echelon Company is a provider of information security services specializing in certification of security software and hardware products in Russia.

MIT Internet Policy Research Initiative (IPRI)

MIT Internet Policy Research Initiative (IPRI)

IPRI's mission is to work with policy makers and technologists to increase the trustworthiness and effectiveness of interconnected digital systems

Early Warning Services

Early Warning Services

Early Warning is committed to providing awareness, education, and enablement around fraud prevention.

TorGuard

TorGuard

TorGuard is a Virtual Private Network services provider offering secure encrypted access to the internet.

VerSprite

VerSprite

VerSprite is a specialist information security consulting firm. We provide organizations with detection across all their attack surfaces and deliver critical insight into all possible attack methods.

NSIT

NSIT

NSIT SAS is a consulting, advisory and service provider in IT systems. Solution areas include networking & infrastructure, IT management & administration, and cyber security.

NGS (UK)

NGS (UK)

NGS (UK) Ltd are independent, vendor agnostic, next generation security trusted advisors, providing all-encompassing solutions from the perimeter to the endpoint.

The Legal 500

The Legal 500

The Legal 500 Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. Practice areas covered include Data Protection, Privacy and Cybersecurity.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

Stamus Networks

Stamus Networks

Stamus Networks offers Scirius Security Platform solutions that marry real-time network traffic data with enhanced Suricata intrusion detection (IDS) and an advanced analytics engine.

Soliton

Soliton

Soliton is a leading Japanese technology company and a pioneer in IT security solutions for protecting company resources and data from external IT security threats.

Open Quantum Safe (OQS)

Open Quantum Safe (OQS)

The Open Quantum Safe (OQS) project is an open-source project that aims to support the development and prototyping of quantum-resistant cryptography.

Vectra AI

Vectra AI

Vectra threat detection & response - see and stop threats across hybrid and multi-cloud enterprises.

SecurWeave

SecurWeave

SecurWeave's Configurable Hardware Enforced Safety and Security (CHESS) platform has been designed to meet the security and safety criticality needs of the evolving digital industry.

Algoritha

Algoritha

Algoritha is a pioneering entity in the realm of security and forensic services.