hugo teso - aircraft hacking
TRANSCRIPT
![Page 1: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/1.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Aircraft HackingPractical Aero Series
![Page 2: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/2.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Aero Serieswww.commandercat.com
✈ IT Security ✈ Commercial Pilot
Hugo Teso(@hteso)
(@48bits)www.48bits.comOne and a half architecture
![Page 3: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/3.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Agenda
Disclaimer
✈ Part 1: The $PATH to the exploit
✈ Part 2: The $PATH to exploit
✈ Time constraints » Too much to explain
¤ Aircrafts != Computers
✈ Safety reasons » Still too much to fix
![Page 4: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/4.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
The $PATH to the exploitPart 1
![Page 5: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/5.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
The Target
In the beginning there was “The Question”
Would I be able to convert THIS... ...into THIS ?
![Page 6: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/6.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
The Answer
![Page 7: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/7.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Today’s Answer
![Page 8: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/8.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Attack Overview
DIScOvery: » ADS-B
exPlOITATIOn: » Via ACARS » Against on-board systems vulns.
POST-exPlOITATIOn: » Party hard!
InfO gATHerIng: » ACARS
![Page 9: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/9.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
ADS-B 101
✈ Automatic Dependent Surveillance-Broadcast
✈ Radar substitute
✈ Position, velocity, identification, and other ATC/ATM-related information.
✈ ADS-B has a data rate of 1 Mbit/sec.
✈ Used for locating and plotting targets
![Page 10: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/10.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
ADS-B Security
✈ None at all
✈ Attacks range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection).
✈ Target selection » Public Data » Local data (SDR*) » Virtual Aircrafts
* Software Defined Radio
![Page 11: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/11.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
AcArS 101
✈ Aircraft Communications Addressing and Reporting System
✈ Digital datalink for transmission of messages between aircraft and ground stations
✈ Multiple data can be sent from the ground to the A/C *
✈ Used for passive “OS fingerprinting” and plotting targets
* Aircraft
![Page 12: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/12.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
AcArS Security
✈ None at all » sometimes monoalphabetic ciphers
✈ Detailed flight and Aircraft information » Public DB » Local data (SDR) » Virtual Aircrafts
✈ Ground Service Providers » Two main players » Worldwide coverage
![Page 13: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/13.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
fMS 101
✈ Flight Management System typically consists of two units: » A computer unit » A control display unit
✈ Control Display Unit (CDU or MCDU) provides the primary human/machine interface for data entry and information display.
✈ FMS provides: » Navigation » Flight planning » Trajectory prediction » Performance computations » Guidance
![Page 14: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/14.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
fMS ✈ Goal: Exploit the FMS
» Using ACARS to upload FMS data
» Many different data types available
✈ Upload options: » Software Defined Radio » Ground Service Providers
✈ The path to the exploit: » Audit aircraft code searching for vulnerabilities
✈ We use a lab with virtual airplanes » but real aircraft code and HW
![Page 15: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/15.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Aircraft Hardware and Software
✈ The good old... » eBay!!
✈ Russian scrapings » You name it
✈ Loving salesman » Value-added products
✈ Third party vendors » /wp-admin... Sigh
✈ Resentful users or former employees
![Page 16: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/16.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 17: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/17.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 18: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/18.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 19: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/19.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 20: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/20.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 21: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/21.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 22: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/22.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 23: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/23.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 24: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/24.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 25: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/25.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 26: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/26.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 27: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/27.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
A/C == AircraftSDR == Software Defined Radio
The lab
![Page 28: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/28.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
The lab
![Page 29: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/29.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
✈ Many different data types to upload
✈ Many FMS manufacturers, models and versions.
✈ Architectures: PPC (Lab x86)
✈ Language: mostly ADA (old ones)
✈ SO – RTOS realm: » DeOS » VxWorks
✈ ACARS: » ACARS datalink allows real time (avg of 11s delay) data transmission
» Size: Max 220 chars * 16 blocks :S
fMS vulnerabilities
![Page 30: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/30.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
http://www.sita.aero/file/3744/Aircom Ekaterinburg - Oct 09 ENG.pdf
AcArS Messages during flight
![Page 31: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/31.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Demo
![Page 32: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/32.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Part IIThe $PATH to exploit
![Page 33: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/33.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
SITA/ArInc ✈ Société Internationale de Télécommunications Aéronautiques (SITA)
» IT and telecommunication services to the air transport industry. » 90% of the world's airline business.
✈ Aeronautical Radio, Incorporated (ARINC) » Major provider of transport communications and systems solutions: » Aviation, airports, defense, government, healthcare, networks, security, and transportation.
![Page 34: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/34.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Be my guest...What could possibly go WrOng?
Access methods:
✈ E-Mail Clients » SMTP / POP3 » Lotus Notes
✈ Desktop Apps, connection over: » X.25 » TCP » MQ Series (IBM WebSphere) » MSMQ (Microsoft queues) » MS SQL Database » ORACLE Database
✈ Web App
✈ Mobility » Mobile App » Pager/SMS » Printer » SDK » Stations http://www.sita.aero/file/3744/Aircom Ekaterinburg - Oct 09 ENG.pdf
![Page 35: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/35.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Software Defined radio 101
✈ A radio communication system where components that have been typically implemented in hardware are instead implemented by means of software.
✈ HW: USRP1/USRP2 » Universal Software Radio Peripheral » USB or Gigabit Ethernet link
✈ SW: GNU Radio » LabVIEW, MATLAB and Simulink » SDK that provides signal processing blocks to implement software radios.
» Python/C++
![Page 36: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/36.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Post-exploitation ✈ Consolidation
» Protection & Monitoring
✈ Communication » Two way communication
✈ Expansion » Other systems » Back to Discovery
“Smiths Aerospace chose Wind River Systems' VxWorks
653 RTOS for the B787's common core system (CCS),
a cabinet that will host 80 to 100 applications, including
Honeywell's FMS and health management software and Collins' crew alerting and
display management software”
![Page 37: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/37.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
![Page 38: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/38.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
✈ Aircraft and Pilots » Predictables » Checklists and procedures
✈ Exploiting other comm and nav systems or protocols
✈ Planning and timing!
✈ C&C » Two way communication » Actions » Limitations
Aircraft Post-exploitation
![Page 39: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/39.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
SIMOn ✈ Why SIMON?
✈ Multi-stage payload
✈ Control ADS-B/ACARS » Upload via ADS-B/ACARS
✈ Persistence
✈ Stealthness (No Rootkit)
✈ Accept and inject: » FP/DB » Payloads (scripts) » Plugins (code) » Commands » Two way comm
© 2013, n.runs Professionals - Security Research Team - April 2013
![Page 40: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/40.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Demo
![Page 41: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/41.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Conclusions
![Page 42: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/42.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
✈ Where to start from? » NextGen Security » On-board systems security audit
✈ Who is affected? » Manufacturers » Ground Service Providers » Airlines
✈ We are working with EASA to improve the situation
remediationSafety != Security
![Page 43: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/43.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
✈ Aviation 101 » http://en.wikipedia.org/wiki/Portal:Aviation
✈ ADS-B » http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast
» https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Costin
✈ ACARS » http://en.wikipedia.org/wiki/Aircraft_Communications_Addressing_and_Reporting_System
» http://spench.net/
✈ FMS » http://en.wikipedia.org/wiki/Flight_management_system
» http://www.b737.org.uk/fmc.htm
✈ SDR » http://en.wikipedia.org/wiki/Software-defined_radio
» http://gnuradio.org
references
![Page 44: Hugo Teso - Aircraft Hacking](https://reader036.vdocuments.us/reader036/viewer/2022062317/58499e371a28aba93a919c45/html5/thumbnails/44.jpg)
© 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Hugo [email protected]://conference.hitb.org/hitbsecconf2013ams/materials/
THAnkS TO:
✈ @d0tslash
✈ @vierito5
✈ @searchio
✈ @48bits
✈ @kuasar
✈ Many others