Tuesday, April 21, 2015

Hacking Airplanes and why this needs to be fixed.

So I don’t fly a lot. When I do I’m looking out the window because I tend to get motion sick. While I do open my tablets, electronic devices, and laptops on planes and do computer programming in a crunch, I am 999 times out of 1000 doing it on localhost. I have numerous reasons: I hate super slow networks, can’t bear the agony of dealing with intermittent satellite Wifi, I don’t trust the network to be “secure,” and my e-mail can wait until I land. On one of the last flights I was on, though, I did open the flight tracker to see where the plane was and identify the fork of the Mississippi River I was flying over; the lady sitting next to me thought it should be illegal to know the whereabouts of the plane.

I blow through Twitter headlines when I’m taking a break from securing and refining code. Tonight I saw many airline security jokes in response to this article on Feds and airlines and a retweet by @thegrugq here:

The headline and jokes got me thinking about the issue seriously, but I hadn't actually read the article yet. I, like most people, was under the impression that the airplane manufacturers had security professionals who had been to Security 101 and heard the first rule of security: limit physical access. As is likely the norm, I assumed this was a security issue about the Wifi on the planes after seeing the original tweets last week, and couldn’t imagine anyone being able to get into the avionics systems of a plane over the wifi / satellite Internet connection to hack or access anything.

I jumped into the "discussion," and one of the jokes was about encryption, so I responded with something I’ve been well aware of for a long time now: if it’s not your network you can’t trust it. It doesn’t matter how encrypted you think your information is, someone could perform a man-in-the-middle attack and spoof the connection. There are hundreds of articles on operations security and information security that refer to people stealing traffic. So I tweeted the following:
Free wifi is one of those areas where the security is assumed to be non-existent. If someone wants their passwords to be stolen, they should use free Wifi.
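On a shared network the man-in-the-middle described above is usually done at the link layer: the attacker answers ARP requests for the gateway's IP with their own MAC, and everyone's traffic then passes through the attacker's box. The detector below is an added example, not code from the original post; it runs over a constructed list of observed ARP "is-at" replies (the addresses and MACs are made up) and flags the two symptoms a practitioner looks for: one IP claimed by more than one MAC, and the gateway's MAC flipping mid-session. The `gateway_ip` parameter and the record layout are assumptions for the example.

```python
"""ARP-cache poisoning detector over a constructed ARP-reply log.

Added example: the sample data below is constructed for illustration and
was not captured on any real network. Records are (seq, sender_ip, sender_mac)
as you would pull from `tcpdump -e arp` or a Wireshark export.
"""
from collections import defaultdict

# Constructed sample of observed "is-at" ARP replies on a shared Wi-Fi segment.
SAMPLE_ARP_REPLIES = [
    (1, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate answer
    (2, "10.0.0.23", "aa:bb:cc:00:00:23"),  # ordinary client
    (3, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # a second MAC now claims the gateway IP
    (5, "10.0.0.42", "aa:bb:cc:00:00:42"),  # ordinary client
    (6, "10.0.0.1", "de:ad:be:ef:00:99"),   # the spoofer keeps re-asserting it
]


def detect_arp_conflicts(replies, gateway_ip=None):
    """Return (conflicts, gateway_changes).

    conflicts: {ip: sorted list of distinct MACs} for every IP claimed by >1 MAC.
    gateway_changes: [(seq, old_mac, new_mac)] each time gateway_ip's MAC flips.
    A single conflict is a signal, not proof (DHCP lease reuse and VRRP
    failover also produce them); correlate before acting.
    """
    claimed = defaultdict(set)
    gateway_changes = []
    last_gw_mac = None
    for seq, ip, mac in replies:
        mac = mac.lower()
        claimed[ip].add(mac)
        if gateway_ip is not None and ip == gateway_ip:
            if last_gw_mac is not None and mac != last_gw_mac:
                gateway_changes.append((seq, last_gw_mac, mac))
            last_gw_mac = mac
    conflicts = {ip: sorted(macs) for ip, macs in claimed.items() if len(macs) > 1}
    return conflicts, gateway_changes


if __name__ == "__main__":
    conflicts, changes = detect_arp_conflicts(SAMPLE_ARP_REPLIES, gateway_ip="10.0.0.1")
    for ip, macs in conflicts.items():
        print(f"IP {ip} claimed by multiple MACs: {', '.join(macs)}")
    for seq, old, new in changes:
        print(f"reply #{seq}: gateway MAC changed {old} -> {new} (possible ARP spoofing)")
```

On the constructed sample this reports 10.0.0.1 as claimed by both MACs and one gateway flip at reply #4. What an interceptor positioned this way can actually read depends on the application layer: a TLS session whose certificate is properly verified limits them to metadata, which is the reason to care whether the client validates certificates rather than only whether the link is "encrypted."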

I thought about it a little more and was trying to think of what a flight attendant might be approached with in regard to someone trying to “hack” the airplane. What would the slightly technical people in my family think was hacking? So I posted this:

It looks a little official or techy to be using the command line or terminal. DOS is for hackers; most people likely haven't seen a Bash prompt. Then it occurred to me that most people would think someone hacking the flight would try to fly it into a building from their seat in a suicide attempt, 9/11-style, so I tweeted this:
To finish up my joking prior to returning to work, I posted a very blunt image and suggested that the airplane manufacturers replace the cabin network ports with a simple solid wall plate. They could also use a pair of scissors to secure the ports on the terminals as well.


I couldn’t focus on my work though; so here I am.

The real problem here

All joking aside, this is a very serious issue for air travelers, not just from an airline marketing standpoint ("can I trust this plane?") but also from a security standpoint. On the off-chance that avionics systems, fuel systems, or any of the other control systems are reachable from the cabin network, this is a very dangerous security design oversight. These sensitive systems need to be separated immediately if they are in fact accessible from the cabin. It takes no stretch of the imagination for anyone in the security industry to see how an attacker with that access could force a plane down.

Qualifying the onlooker
I often look for malicious activity when I travel. I look gruff, so I always get stopped by the TSA when I’m on my own. Two bags of tech and a little facial hair tend to do that. When I have my kindergartener with me it's an altogether different security experience; they just see me as a “Dad,” and we even go through the fastest lines. I tend to daydream about the thought that “everyone is a possible terrorist.” When I’m going through the security checkpoints and watching the poor, poor lady with 3 kids trying to find a way to leave her bags outside of the ladies' room because one of the kids really has to go and needs assistance, I wonder who is using a disguise. American paranoia, thanks to the media.

On a plane, I look for "suspicious activity": people not disabling their devices, not obeying the rules. I can size a person up instantly, mentally and emotionally; I can see what makes them tick. That being said, I myself have Kali Linux for penetration testing, and Debian, FreeBSD, Ubuntu, and every other type of non-Windows OS on a thumb drive or in a virtual machine in my bag (including several Windows OSes). I know what Wireshark looks like, and have done a fair share of network sniffing and log filtering; I’ve done pen testing on corporate networks, and know what that looks like too; injection attacks, you name it. If it looks remotely realistically hacker-ish I've probably seen it. Work IT somewhere with a couple of script kiddies and you'll see a lot of bad stuff. I've even got a phone that runs Linux, not Android, with pen testing tools on it. Nobody ever suspects that sort of thing unless they're in the know.

If you look at the movies though, they, or rather Hollywood, portray hacking as an altogether different thing: the bad guys have 300 baud modems and they use payphones like in Hackers or WarGames; they have funky cell phones they can hack everything with, as in Tron: Legacy; or they’re sporting the screen savers from The Matrix. That’s not really how it works though; nobody sneaks Sony MiniDiscs around in hide-a-books about simulations within a simulation. And while Blackhat might be loosely based on a writer's impression of a true story, so was the Texas Chainsaw Massacre. Hollywood writers and directors sensationalize everything, so nothing they put out can be trusted beyond the remote possibility that a bad guy might use nmap, and that Unix is of the Devil.


I love Unix.

On #opsec, the guy sitting next to me on the plane with the mirror-reflective blackout privacy screen on his laptop seems up to no good. He's nervous, fidgety, paranoid, and sweaty despite the freezing A/C. Coming back from the facilities, it’s easy to see he’s looking at porn. On the train coming out of Chicago you could see that the professionals with the blackout screens work for the banks: LaSalle, Bank of America, Chase; that’s a completely different topic though. My point is it seems really suspicious when nobody can see a screen. I don’t want anybody looking at my screens because it usually invites conversations about stuff I don't care about.

On #infosec, I definitely won’t be telling any of my unintentional travel companions that I’m a hacker, or a security professional, or a whitehat anytime soon; it invites too much questioning. People are always interested in what a "grey hat" is; I respond that a grey hat is a black hat, because you can't ethically be a white hat if you do bad hacking. I'm a professional white hat, so I know the ways of the dark side; I have to. I have to think like a black hat to catch a black hat, block a black hat, or stop their never-ending botnet; or to determine it's a misconfigured system thanks to IT.

Then there is the physical issue that I’m always dealing with: the never-ending fumbling under my seat because there isn’t enough room for 2 laptops, 2 tablets, 50 feet of power cables, network cables, electronics chargers, twenty pounds of books on computer forensics and my large shoes under the seat in front of me. Red flags? I hope not, but who should be the judge? I mean, are the airlines going to teach infosec to flight attendants? Are the systems going to be fixed?

What happens when you get the people who aren't hackers at all, but who want free access to the Internet because they recognized the network jack? I can imagine the ramifications of an inadvertent DDoS attack on that network from pop-up ads, every program on someone's overloaded system trying to call home at once, and the background traffic from Bonjour or the like.

Closing thoughts


The following is not meant to scare people, but I can say this: if someone gains access to these systems, studies the network traffic, and makes repeated connections to the same systems over time to learn how they work, what they’re doing, and when they operate, then, given physical access to the port, it could be a matter of seconds for them to connect, deliver a worm, a virus, or another malicious payload, and unplug before anyone ever notices. What does typical run-of-the-mill malware do to an airplane computer system? I run clean read-only images. The guy with the laptop full of warez does not need to plug into this system. These computer systems need to be secured, and I mean yesterday; and if the airline companies aren’t sure whether there is a security issue or not, they need to seriously investigate with proper security professionals. I can guarantee a “bad guy” who writes a virus for avionics systems won’t be going down in flames himself, but something like that getting out on the black market could cause a world of hurt to innocent bystanders.

If someone installs these applications on the plane as they are getting off and it causes the system to fail for the next flight, then this is a very serious issue indeed. Who was it, then? Will the black box say? Will they know what to look for? Hopefully the avionics systems aren't running Microsoft Windows.

BSOD at Heathrow

The last thing the aviation industry needs, though, is a bunch of rogue "researchers" hammering a flight's control systems with Raspberry Pis for the sake of research. In this instance curiosity could kill the cat and the other 211 passengers onboard.