Aircraft Hacking Practical Aero Series

Similar documents
Civil Aviation and CyberSecurity Dr. Daniel P. Johnson Honeywell Aerospace Advanced Technology

Cyber-hijacking Airplanes:

SAGEM FOQA Hardware & Software

Evolution in Regional Aircraft Avionics

Understanding Compliance with Automatic Dependent Surveillance Broadcast (ADS-B) Out

ARINC 653. An Avionics Standard for Safe, Partitioned Systems

Aircraft Tracking & Flight Data Recovery

ADS-B is intended to transform air traffic control by providing more accurate and reliable tracking of airplanes in flight and on the ground.

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

C-130 Fleet CNS/ATM Solutions

Microsoft Technologies

Australian Enhanced Flight Tracking Evaluation Performance Report. August 2015

Notes and terms of conditions. Vendor shall note the following terms and conditions/ information before they submit their quote.

Communication Management Unit : Single Solution of Voice and Data Routing Unit

With all of the new hype the

Linux Technologies QUARTER 1 DESKTOP APPLICATIONS - ESSENTIALS QUARTER 2 NETWORKING AND OPERATING SYSTEMS ESSENTIALS. Module 1 - Office Applications

GPS SPOOFING. Low-cost GPS simulator. HUANG Lin, YANG Qing Unicorn Team Radio and Hardware Security Research Qihoo 360 Technology Co. Ltd.

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Mobile Technology: Learn About Managing Mobility

SESAR Air Traffic Management Modernization. Honeywell Aerospace Advanced Technology June 2014

Policy Regarding Datalink Communications Recording Requirements. AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

ROCKWELL COLLINS FLIGHT INFORMATION MANAGEMENT SYSTEM (FIMS) Real-time information management in the cockpit.

Trends in Aeronautical Information Management

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

SAST, DAST and Vulnerability Assessments, = 4

WHITEPAPER. Nessus Exploit Integration

Oracle Corporation

CAUSES OF AIRCRAFT ACCIDENTS

White Paper Mode S and the European Mandates

Introduction to ACARS Messaging Services

Rapid Modular Software Integration (RMSI)

N02-IBM Managed File Transfer Technical Mastery Test v1

Security in SCADA solutions

Best Practices for Consolidation Projects

WebSphere MQ Managed File Transfer. Parineeta Mattur

Aerospace Cyber Physical Systems Challenges in Commercial Aviation

Web Application Security

Post-Access Cyber Defense

Air Traffic Controllers use StarCaster ATIS software to create, update and verify the contents of ATIS messages

Comparison of versions 7.5 and 9.2. IBM License Metric Tool & Software Use Analysis Questions and Answers ILMT Central Team

Opening the Airspace for UAS

AVIATION INVESTIGATION REPORT A02P0004 OPERATING IRREGULARITY

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Tuesday, March 18, :00 p.m. 5:30 p.m. MODERATED BY: Carey Miller Universal Avionics Systems Corp.

Penetration: from Application down to OS

Attacks from the Inside

THE INTERNET OF THINGS IN COMMERCIAL AVIATION

Appendice 1 al Regolamento ENAC ATSEP Basic training Shared

INFORMATION SECURITY TRAINING CATALOG (2015)

SECURITY: THE KEY TO AFFORDABLE UNMANNED AIRCRAFT SYSTEMS. By Alex Wilson, Director of Business Development, Aerospace and Defense

SITA AIRCOM Service (VHF & Satellite)

Embedded Storycrafting: Key to Controlling Risk and Schedule

2. Highlights and Updates: ITSM for Databases

Automatic Dependent Surveillance Broadcast (ADS-B)

Endpoint Security for Mobile Devices NIST/OCR HIPAA Security Rule Conference June 6, David Shepherd, CISSP

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Cyber Physical Systems An Aerospace Industry Perspective

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Automated Engine & LLP Hard Time Tracking: Moving on from manual records.

PENTEST. Pentest Services. VoIP & Web.

Presenters: Glen Elliott and Bryan Johnson

AERONAUTICAL COMMUNICATIONS PANEL (ACP) ATN and IP

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Invitation to Dialogue

McAfee Endpoint Protection Products

Top 10 Database. Misconfigurations.

AutoPilot Middleware-Centric Application Performance Monitoring

Nastel Technologies 48 South Service Road Melville, NY, USA Copyright 2014 Nastel Technologies, Inc.

Mesa Resolves Multiple Comms Issues with AvFinity s AIRS Solution

Ways. to Shore Up. Security. Your. ABSTRACT: By Trish Crespo

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Installation and Configuration Guide for Windows and Linux

Integrating Electronic Security into the Control Systems Environment: differences IT vs. Control Systems. Enzo M. Tieghi

Flight Processor Virtualization

Item rd International Transport Forum. Big Data to monitor air and maritime transport. Paris, March 2016

PRESENTATION. Patrick Ky Executive Director EUROPEAN COMMISSION

Payment Card Industry (PCI) Data Security Standard

5 Steps to Advanced Threat Protection

Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

Deep Discovery. Technical details

Overview Commitment to Energy and Utilities Robert Held Sr. Systems Engineer Strategic Energy August 2015

Information Management Systems and Connectivity. David Poltorak Vice President, Aviation & Network Services Cancun, June 2014

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Security in Vehicle Networks

(WAPT) Web Application Penetration Testing

Addonics T E C H N O L O G I E S. NAS Adapter. Model: NASU Key Features

Learning security through insecurity

Rockwell Collins ARINC MultiLink SM flight tracking service

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Integrated Threat & Security Management.

Database security issues PETRA BILIĆ ALEXANDER SPARBER

FAA AIRCRAFT SYSTEMS INFORMATION SECURITY PROTECTION OVERVIEW. Abstract


A Binary Tree SMART Migration Webinar. SMART Solutions for Notes- to- Exchange Migrations

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Transcription:

Aircraft Hacking Practical Aero Series

IT Security Commercial Pilot Hugo Teso (@hteso) (@48bits) www.48bits.com One and a half architecture Aero Series www.commandercat.com

Agenda Part 1: The $PATH to the exploit Part 2: The $PATH to exploit Disclaimer Time constraints Too much to explain Aircrafts!= Computers Safety reasons Still too much to fix

Part 1 The $PATH to the exploit

The Target In the beginning there was The Question Would I be able to convert THIS......into THIS?

The Answer

Today s Answer

Attack Overview Discovery: ADS-B Info gathering: ACARS Exploitation: Via ACARS Against on-board systems vulns. Post-Exploitation: Party hard!

ADS-B 101 Automatic Dependent Surveillance-Broadcast Radar substitute Position, velocity, identification, and other ATC/ATM-related information. ADS-B has a data rate of 1 Mbit/sec. Used for locating and plotting targets

ADS-B Security None at all Attacks range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection). Target selection Public Data Virtual Aircrafts Local data (SDR*) * Software Defined Radio

ACARS 101 Aircraft Communications Addressing and Reporting System Digital datalink for transmission of messages between aircraft and ground stations Multiple data can be sent from the ground to the A/C * Used for passive OS fingerprinting and plotting targets * Aircraft

ACARS Security None at all sometimes monoalphabetic ciphers Detailed flight and Aircraft information Public DB Local data (SDR) Virtual Aircrafts Ground Service Providers Two main players Worldwide coverage

FMS 101 Flight Management System typically consists of two units: A computer unit A control display unit Control Display Unit (CDU or MCDU) provides the primary human/machine interface for data entry and information display. FMS provides: Navigation Guidance Flight planning Trajectory prediction Performance computations

FMS Goal: Exploit the FMS Using ACARS to upload FMS data Many different data types available Upload options: Software Defined Radio Ground Service Providers The path to the exploit: Audit aircraft code searching for vulnerabilities We use a lab with virtual airplanes but real aircraft code and HW

Aircraft Hardware and Software The good old... ebay!! Russian scrapings You name it Loving salesman Value-added products Third party vendors /wp-admin... Sigh Resentful users or former employees

The Lab A/C == Aircraft SDR == Software Defined Radio

The Lab

FMS vulnerabilities Many different data types to upload Many FMS manufacturers, models and versions. Architectures: PPC (Lab x86) Language: mostly ADA (old ones) SO RTOS realm: DeOS VxWorks ACARS: ACARS datalink allows real time (avg of 11s delay) data transmission Size: Max 220 chars * 16 blocks :S

ACARS Messages during flight http://www.sita.aero/file/3744/aircom Ekaterinburg - Oct 09 ENG.pdf

Demo

Part II The $PATH to exploit

SITA/ARINC Société Internationale de Télécommunications Aéronautiques (SITA) IT and telecommunication services to the air transport industry. 90% of the world's airline business. Aeronautical Radio, Incorporated (ARINC) Major provider of transport communications and systems solutions: Aviation, airports, defense, government, healthcare, networks, security, and transportation.

Access methods: E-Mail Clients SMTP / POP3 Lotus Notes Desktop Apps, connection over: X.25 TCP MQ Series (IBM WebSphere) MSMQ (Microsoft queues) MS SQL Database ORACLE Database Web App Mobility Printer SDK Mobile App Pager/SMS Be my guest... What could possibly go WRONG? Stations http://www.sita.aero/file/3744/aircom Ekaterinburg - Oct 09 ENG.pdf

Software Defined Radio 101 A radio communication system where components that have been typically implemented in hardware are instead implemented by means of software. HW: USRP1/USRP2 Universal Software Radio Peripheral USB or Gigabit Ethernet link SW: GNU Radio LabVIEW, MATLAB and Simulink SDK that provides signal processing blocks to implement software radios. Python/C++

Post-Exploitation Consolidation Protection & Monitoring Communication Two way communication Expansion Other systems Back to Discovery Smiths Aerospace chose Wind River Systems' VxWorks 653 RTOS for the B787's common core system (CCS), a cabinet that will host 80 to 100 applications, including Honeywell's FMS and health management software and Collins' crew alerting and display management software

Aircraft Post-Exploitation Aircraft and Pilots Predictables Checklists and procedures Exploiting other comm and nav systems or protocols Planning and timing! C&C Two way communication Actions Limitations

SIMON Why SIMON? Multi-stage payload Control ADS-B/ACARS Upload via ADS-B/ACARS Persistence Stealthness (No Rootkit) Accept and inject: FP/DB Payloads (scripts) Plugins (code) Commands Two way comm 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

Demo

Conclusions

Remediation Safety!= Security Where to start from? NextGen Security On-board systems security audit Who is affected? Manufacturers Airlines Ground Service Providers We are working with EASA to improve the situation

References Aviation 101 http://en.wikipedia.org/wiki/portal:aviation ADS-B http://en.wikipedia.org/wiki/automatic_ dependent_surveillance-broadcast https://www.blackhat.com/html/bh-us-12/bh-us- 12-briefings.html#Costin ACARS http://en.wikipedia.org/wiki/aircraft_ Communications_Addressing_and_Reporting_ System http://spench.net/ FMS http://en.wikipedia.org/wiki/flight_ management_system http://www.b737.org.uk/fmc.htm SDR http://en.wikipedia.org/wiki/software-defined_ radio http://gnuradio.org

Thanks to: @d0tslash @vierito5 @searchio @48bits @kuasar Many others http://conference.hitb.org/hitbsecconf2013ams/materials/ Hugo Teso hugo.teso@nruns.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information