Tuesday, April 21, 2015

Hacking Airplanes and why this needs to be fixed.

So I don’t fly a lot. When I do I’m looking out the window because I tend to get motion sick.  While I do open my tablets, electronics devices, and laptops on planes and do computer programming in a crunch, I am 999 times out of 1000 doing it on localhost. I have numerous reasons: such as I hate super slow networks, can’t bear the agony of dealing with intermittent satellite Wifi, I don’t trust the network to be “secure,” and my e-mail can wait until I land. On one of the last flights I was on though I did open the flight tracker to see where the plane was to identify the fork of the Mississippi River I was flying over; the lady sitting next to me thought that should be illegal to know the whereabouts of the plane.

I blow through Twitter headlines when I’m taking a break from securing and refining code. Tonight I saw many airline security jokes in response to this article on Feds and airlines and a retweet by @thegrugq here:

The headline and jokes got me to thinking about the issue seriously, but I didn't actually read the article yet. I, like most people, was under the impression that the airplane manufacturers had security professionals who had been to Security 101 and heard the first rule of security: limit physical access. Likely also the norm I assumed this was a security issue about the Wifi on the planes after seeing the original tweets last week and couldn’t imagine anyone being able to get into the avionics systems of a plane over the wifi / satellite Internet connection to hack or access anything.

I jumped into the "discussion," and one of the jokes was about encryption, so I responded with something I’ve been well aware of for a long time now: if it’s not your network you can’t trust it. It doesn’t matter how encrypted you think your information is, someone could perform a man-in-the-middle attack and spoof the connection. There are hundreds of articles on operations security and information security that refer to people stealing traffic. So I tweeted the following:
Free wifi is one of those areas where the security is assumed to be non-existent. If someone wants their passwords to be stolen, they should use free Wifi.

I thought about it a little more and was trying to think of what a flight attendant might be approached with, in regard to someone trying to “hack” airplane. What would the slightly technical people in my family think was hacking? So I posted this:

It looks a little official or techy to be using the command line or terminal. DOS is for hackers; most people likely haven't seen a Bash prompt. Then it occurred to me that most people would think someone hacking the flight would try to control it into a building from their seat in a suicide attempt, à la 911-style so I tweeted this:
To finish up my joking prior to returning to work I posted a very blunt image and suggested that the airplane manufacturers replace the cabin network ports with a simple solid wall plate. They could also use a pair of scissors to secure the ports on the terminals as well.


I couldn’t focus on my work though; so here I am.

The real problem here

All joking aside, this is a very serious issue for air travelers, not just from an airline marketing standpoint; "can I trust this plane?"; but also from a security standpoint. On the off-chance that avionics systems, fuel systems, or any of the other control systems are accessible from the cabin this is a very dangerous security design oversight. These sensitive systems need to be separated immediately if they are in fact accessible from the cabin. With no stretch of the imagination, anyone in the security industry can imagine how an attacker could force a plane down.

Qualifying the onlooker
I often look for malicious activity when I travel. I look gruff, so I always get stopped by the TSA when I’m on my own. Two bags of tech and a little facial hair tends to do that. When I have my kindergartener with me it's all together a different security experience; they just see me as a “Dad,” we even go through the fastest lines. I tend to daydream about the thought that “everyone is a possible terrorist” in my head. When I’m going through the security checkpoints and watching the poor, poor lady with 3 kids trying to find a way to leave her bags outside of the ladies room because one of the kids really has to go and they need assistance I wonder who is using a disguise? American paranoia thanks to the media.

On a plane, I look for "suspicious activity." People not disabling their devices, not obeying the rules; I can size a person up instantly mentally, emotionally, I can see what makes them tick. That being said, I myself have Kali Linux for penetration testing, and Debian, FreeBSD, Ubuntu, and every other type of non-Windows OS on a thumb drive or a virtual machine in my bag (including several Windows OSes). I know what Wireshark looks like, and have done a fair share of network sniffing and log filtering; I’ve done pen testing on corporate networks, and know what that looks like too; injection attacks, you name it. If it looks remotely realistically hacker-ish I've probably seen it. Work IT somewhere there are a couple of script kiddies and you'll see a lot of bad stuff. I've even got a phone that runs Linux, and it's not Android and it has pen testing tools. Nobody ever suspects that sort of thing unless they're in the know.

If you look at the movies though, they, rather Hollywood portray hacking as an all together different thing: the bad guys have 300 baud modems and they use payphones like Hackers or Wargames; they have funky cell phones they can hack everything with: Tron Legacy; or they’re sporting the screen savers from The Matrix. That’s not really how it works though, nobody sneaks Sony MiniDiscs around in hide a books about simulations in a simulation. And while Blackhat might be based loosely based on a writer's impression of a true story, so was the Texas Chainsaw Massacre. Hollywood writers and directors sensationalize everything, so nothing they put out can be trusted beyond the remote possibility that a bad guy might use nmap, and that Unix is of the Devil. 


I love Unix.

On #oppsec, the guy sitting next to me on the plane however with the mirror reflective blackout privacy screen on his laptop seems up to no good. He's nervous, fidgety, paranoid, and sweaty despite the freezing A/C. Coming back from the facilities it’s easy to see he’s looking at porn. On the train coming out of Chicago you could see these professionals with the blackout screens work for the banks: LaSalle, Bank of America, Chase; that’s a completely different topic though. My point is it seems really suspicious when nobody can see a screen. I don’t want anybody looking at my screens because it usually invites conversations about stuff I don't care about.

On #infosec I definitely won’t be telling any of my unintentional travel companions that I’m a hacker, or security professional, or a whitehat anytime soon though; it invites too much questioning. People are always interested in what a "grey hat" is; I respond with a grey hat is a black hat because you can't be ethically a white hat if you do bad hacking. I'm a professional white hat, so I know the ways of the dark side; I have to; I have to think like a black hat to catch a black hat, block a black hat, or stop their never-ending botnet; or determine it's a misconfigured system thanks to IT.

Then there is the physical issue that I’m always dealing with: the never-ending fumbling under my seat because there isn’t enough room for 2 laptops, 2 tablets, 50 feet of power cables, network cables, electronics chargers, twenty pounds of books on computer forensics and my large shoes under the seat in front of me. Red flags? I hope not but who should be the judge? I mean are the airlines going to teach infosec to flight attendants? Are the systems going to be fixed?

What happens when you get the people who aren't hackers at all, but they want free access to the Internet because they recognized the network jack? I can imagine the ramifications of an inadvertent DDoS attack on a network due to pop-up ads, attempts for all programs on someone's overloaded system all trying to call home, the network traffic from Bonjour or the like.

Closing thoughts


The following is not meant to scare people, but I can say, if someone gains access to these systems, studies the network traffic, and makes repeated connections to the same systems over time to learn how they work, what they’re doing, and when they operate, it could be a matter of seconds for someone to connect, deliver a worm or a virus, or other malicious payload, and unplug before anyone ever notices if there is a physical access to the system. What does typical run of the mill malware do to an airplane computer system? I run clean read-only images. The guy with the laptop full off warez does not need to plug into this system. These computer systems need to be secured; and I mean yesterday; and if the airline companies aren’t sure if there is a security issue or not, they need to seriously investigate with proper security professionals. I can guarantee a “bad guy” who writes a virus for avionics systems won’t be going down in flames, but something like that getting out on the black market could cause a world of hurt to innocent bystanders.

If someone installs these applications on the plane when they are getting off and it causes the system to fail for the next flight, then this is a very serious issue indeed. Who was it then? Will the black box say? Will they know what to look for? Hopefully the avionics systems aren't running Microsoft Windows.

BSOD at Heathrow

The last thing the aviation industry needs is a bunch of rogue "researchers" hammering a flight's control systems with Raspberry Pis for the sake of research though. In this instance curiosity could kill the cat and the other 211 passengers onboard.

No comments:

Post a Comment

I'm going to read this before it goes live if you don't mind.