Hacker Claims Airplanes Are Vulnerable to Attacks
Amanda Cyr August 04, 2014
A cybersecurity researcher claims he’s discovered a way to hack into passenger jets’ satellite communications equipment. Ruben Santamarta, a consultant with cybersecurity firm IOActive, plans to share the technical details of his findings at the Black Hat hacking conference taking place in Las Vegas this Thursday. His presentation on vulnerabilities in satellite communications systems used in aerospace and other industries is expected to be one of the conference’s most popular.
The vulnerabilities, according to Santamarta, lie in the jets’ WiFi and inflight entertainment systems. He discovered it through reverse engineering firmware used to operate communications equipment made by Cobham Plc, Harris Corp, EchoStar Corp’s Hughes Network Systems, Iridium Communications Inc and Japan Radio Co Ltd.
Representatives for Cobham, Harris, Hughes and Iridium have reviewed Santamarta’s findings, which were originally published in a 25-page report in April. The companies have since confirmed some of the research, but downplayed the potential risks.
Cobham claims hackers cannot use WiFi signals to interfere with critical systems that rely on satellite communications, such as those used for navigation or safety purposes. In order to tap into such systems, according to Cobham spokesman Greg Caires, hackers would need physical access to the company’s equipment.
Harris spokesman, Jim Burke, called the risk of compromise based on Santamarta’s findings “very small.”
Diane Hockenberry, an Iridium spokeswoman, said the risk to subscribers was minimal, but that the company was “taking precautionary measures” to protect users.
Hughes spokeswoman, Judy Blake, said the worst a hacker could do was disable the communication link.
A spokesman for Japan Radio Co declined to comment on Santamarta’s report. They said information of such vulnerabilities was not public.
Santamarta has said he will respond to the manufacturers’ comments during his presentation, which will conclude with an open Q-and-A session. An abstract of his presentation states that “100 percent of the devices could be abused.”
“These devices are wide open. The goal of this talk is to help change that situation,” Santamarta told Reuters.
A member of Black Hat’s review board, Vincenzo Iozzo, has called Santamarta’s paper the first of its kind. It marks the first time a researcher has identified potentially devastating vulnerabilities in satellite communications equipment.
“I am not sure we can actually launch an attack from the passenger inflight entertainment system into the cockpit,” Iozzo said. “The core point is the type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of.”
[Photo: iStock]
No, hackers can't bring down an airplane. This is a re-hash of an old story. IOAtive originally published this in April 2014, they didn't get their expected 15 minutes of fame them. They know most people have a relatively short attention span and probably forgot about the lackluster response to their initial release in April and with the recent crash cluster now would be a good time to re-release old work. Well, in true Hollywood fashion it seems to have worked this time around and they're getting their 15 minutes. Safety critical systems can not be accessed and controlled via the WiFi and SATCOM systems and communication channels. There are separate data buses, DCUs, etc and not of them connect to the Flight Control Computer, Flight Management computer, etc. This is just a bad case of poor optics being perpetuated by an Information Security person that has no clue about the safety engineering world and is trying to draw parallels between safety and security where no parallels can be drawn. In the aviation engineering world Safety != Security & Security != Safety. The worst thing can can happen here is some sort of access that will result in a commercial (ie cost money) impact, not a safety impact. Before these "hackers" (I use the term very loosely) go running off making half cocked statements about how insecure (and therefore infer how unsafe) a system/platform is, they should become intimately familiar with DO-178B & C, DO-254, DO-326A, ED-203, ARP4754A and ARP4761. Until such time, anyone person that makes the claim they have found a way to hack an airplane system that will result in a safety related failure is not worth the salt in their hash. :rollseyes:
Genuine hackers (= old school?) like myself expose flaws of a system to improve overall security and to point out what the manufacturers and users missed. They will never ever maliciously cause damage, and most certainly not with aircraft. It is good for knowledge to come in the open, before it is used by some savvy badguys. With the advancement of everything-is-wirelessly-connected-to-everything, "hacking" an airplane in mid-flight to steer it from the surface is not too far-fetched though. Inside the hackers community ideas to do just this already have been proposed. Really do it? Not interesting or motivating for hackers, but for criminals... yeah. The holy grail however, would be to take over a communications satellite. You better believe that it is true what the investigator has found here.
I have been working in IT networking since 1990, and I've been Senior Network Administrator for major US corporations for years. And I can tell you this: if something is "digital" and connects to a "network", it CAN be hack. There is NO 100% security. When you integrate software after software after software one on top of another there WILL BE VULNERABILITY. Network security always plays catch-up. This is why I am shock as heck when Boeing geniuses decided that for B787 "themost advanced aircraft" they put aircraft essential systems and common systems (like internet for pax) on the SAME platform without any physical separations. At least when people write software codes for essential systems there are layers of network security crunches they went through. The people that writes software that offers internet to pax on the plane? Not as much sense of urgency. Seriously, I am waiting to hear how hackers bring down planes...
Very misleading headline - expected a conspiracy theory on how terrorists took down MH370. I can see it now - hackers loading inappropriate versions of security announcements in to the IFE system, redirecting all inflight wifi connections to gay porn sites..