aircraft hacking: practical aero series
TRANSCRIPT
-
7/28/2019 Aircraft Hacking: Practical Aero Series
1/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
2/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Aero Serieswww.commandercat.com
IT Security Commercial Pilot
Huo Tso(@hteso)
(@48bits)
www.48bits.comOne and a hal architecture
-
7/28/2019 Aircraft Hacking: Practical Aero Series
3/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Ada
Disaim
Pat 1: Th $PATH to th poit
Pat 2: Th $PATH to poit
Tim ostaits Too muh to pai
Aircrats != Computers
Sat asos Sti too muh to
-
7/28/2019 Aircraft Hacking: Practical Aero Series
4/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
5/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Th Tat
I th bii th wasTh Qustio
Would I be able to convert THIS... ...into THIS ?
-
7/28/2019 Aircraft Hacking: Practical Aero Series
6/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Th Asw
-
7/28/2019 Aircraft Hacking: Practical Aero Series
7/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Todas Asw
-
7/28/2019 Aircraft Hacking: Practical Aero Series
8/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Atta Oiw
DIScOvery: ADS-B
exPlOITATIOn: Via ACARS Against on-boardsystems vulns.
POST-exPlOITATIOn: Party hard!
InO gATHerIng: ACARS
-
7/28/2019 Aircraft Hacking: Practical Aero Series
9/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
ADS-B 101
Automatic DependentSurveillance-Broadcast
Radar substitute
Position, velocity,identifcation, andother ATC/ATM-relatedinormation.
ADS-B has a data rate
o 1 Mbit/sec. Used or locating andplotting targets
-
7/28/2019 Aircraft Hacking: Practical Aero Series
10/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
ADS-B Suit
None at all
Attacks range rompassi attas(eavesdropping) to
ati attas (messagejamming, replaying,injection).
Target selection Public Data
Local data (SDR*) Virtual Aircrats
* Sotware Dened Radio
-
7/28/2019 Aircraft Hacking: Practical Aero Series
11/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
AcArS 101
Aircrat CommunicationsAddressing and Reporting System
Digital datalink ortasmissioo mssas btw aiat adoud statios
Multiple data can be sent romthe ground to the A/C *
Used or passive OS
ngerprinting and plottingtargets
* Aircrat
-
7/28/2019 Aircraft Hacking: Practical Aero Series
12/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
AcArS Suit
None at all sometimes monoalphabetic ciphers
Detailed fight and Aircrat inormation
Public DB Local data (SDR) Virtual Aircrats
Ground Service Providers Two main players Worldwide coverage
-
7/28/2019 Aircraft Hacking: Practical Aero Series
13/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
MS 101
Flight Management Systemtypically consists o two units: A computer unit A control display unit
Control Display Unit (CDU or
MCDU) provides the primaryhuman/machine interace ordata entry and inormationdisplay.
FMS provides: Navigation Flight planning Trajectory prediction Perormance computations Guidance
-
7/28/2019 Aircraft Hacking: Practical Aero Series
14/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
MS
Goal: Exploit the FMS Using ACARS to upload FMSdata
Many dierent data typesavailable
Upload options:
Sotware Dened Radio Ground Service Providers
The path to the exploit: Audit aircrat code searchingor vulnerabilities
We use a lab with virtualairplanes but real aircrat code and HW
-
7/28/2019 Aircraft Hacking: Practical Aero Series
15/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Aiat Hadwa ad Sotwa
The good old... eBay!!
Russian scrapings You name it
Loving salesman Value-added products
Third party vendors /wp-admin... Sigh
Resentul users orormer employees
-
7/28/2019 Aircraft Hacking: Practical Aero Series
16/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
17/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
18/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
19/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
20/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
21/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
22/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
23/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
24/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
25/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
26/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
27/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
A/C == Aircrat
SDR == Sotware Dened Radio
Th lab
-
7/28/2019 Aircraft Hacking: Practical Aero Series
28/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Th lab
-
7/28/2019 Aircraft Hacking: Practical Aero Series
29/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Many dierent data types to upload
Many FMS manuacturers, modelsand versions.
Architectures: PPC (Lab x86)
Language: mostly ADA (old ones)
SO RTOS realm: DeOS VxWorks
ACARS: ACARS datalink allows real time(avg o 11s delay) data transmission
Size: Max 220 chars * 16 blocks :S
MS uabiitis
-
7/28/2019 Aircraft Hacking: Practical Aero Series
30/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
http://www.sita.aero/fle/3744/Aircom Ekaterinburg - Oct 09 ENG.pd
AcArS Mssas dui fiht
-
7/28/2019 Aircraft Hacking: Practical Aero Series
31/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
32/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
33/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
SITA/ArInc Socit Internationale de Tlcommunications Aronautiques (SITA)
IT and telecommunication services to the air transport industry.
90% o the world's airline business.
Aeronautical Radio, Incorporated (ARINC) Major provider o transport communications and systems solutions: Aviation, airports, deense, government, healthcare, networks, security, andtransportation.
-
7/28/2019 Aircraft Hacking: Practical Aero Series
34/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
B m ust...
What oud possib o WrOng?
Ass mthods:
E-Mail Clients SMTP / POP3
Lotus Notes
Desktop Apps, connectionover: X.25 TCP MQ Series (IBM WebSphere) MSMQ (Microsot queues) MS SQL Database ORACLE Database
Web App
Mobility Mobile App Pager/SMS Printer SDK Stations http://www.sita.aero/le/3744/Aircom Ekaterinburg - Oct 09 ENG.pd
-
7/28/2019 Aircraft Hacking: Practical Aero Series
35/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Sotwa Ddradio 101
A radio communication system wherecomponents that have been typicallyimplemented in hardware are insteadimplemented by means o sotware.
HW: USRP1/USRP2 Universal Sotware Radio Peripheral USB or Gigabit Ethernet link
SW: GNU Radio LabVIEW, MATLAB and Simulink
SDK that provides signal processing blocksto implement sotware radios.
Python/C++
-
7/28/2019 Aircraft Hacking: Practical Aero Series
36/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Post-epoitatio
Consolidation Protection & Monitoring
Communication Two way communication
Expansion Other systems Back to Discovery
Smiths Aerospace chose Wind
River Systems' VxWorks653 RTOS for the B787's
common core system (CCS),a cabinet that will host80 to100 applications, including
Honeywell'sFMSandhealthmanagement software and
Collins'crew alertinganddisplay management software
-
7/28/2019 Aircraft Hacking: Practical Aero Series
37/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
38/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Aircrat and Pilots Predictables Checklists and procedures
Exploiting other command nav systems or
protocols
Planning and timing!
C&C Two way communication Actions
Limitations
Aiat Post-epoitatio
-
7/28/2019 Aircraft Hacking: Practical Aero Series
39/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
SIMOnWhy SIMON?
Multi-stage payload
Control ADS-B/ACARS Upload via ADS-B/ACARS
Persistence
Stealthness (No Rootkit)
Accept and inject: FP/DB Payloads (scripts) Plugins (code)
Commands Two way comm
2013, n.runs Proessionals - Security Research Team - April 2013
-
7/28/2019 Aircraft Hacking: Practical Aero Series
40/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
41/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
-
7/28/2019 Aircraft Hacking: Practical Aero Series
42/44
2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso
Where to start rom? NextGen Security On-board systems securityaudit
Who is aected? Manuacturers Ground Service Providers Airlines
We are working with EASA toimprove the situation
rmdiatioSat != Suit
-
7/28/2019 Aircraft Hacking: Practical Aero Series
43/44
2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso
Aviation 101 http://en.wikipedia.org/wiki/Portal:Aviation
ADS-B http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast
https://www.blackhat.com/html/bh-us-12/bh-us-12-briengs.html#Costin
ACARS http://en.wikipedia.org/wiki/Aircrat_Communications_Addressing_and_Reporting_System
http://spench.net/
FMS http://en.wikipedia.org/wiki/Flight_management_system
http://www.b737.org.uk/mc.htm
SDR http://en.wikipedia.org/wiki/Sotware-dened_radio
http://gnuradio.org
rs
-
7/28/2019 Aircraft Hacking: Practical Aero Series
44/44
Huo [email protected]://conerence.hitb.org/hitbseccon2013ams/materials/
THAnkS TO:
@d0tslash
@vierito5
@searchio
@48bits
@kuasar
Many others