Security researcher to demo airplane Wi-Fi hack

IOActive security researcher Ruben Santamarta claims to have figured out how to hack the satellite communication equipment on airplanes, by infiltrating on-board Wi-Fi and entertainment systems.

Security researcher to demo airplane Wi-Fi hack
Security researcher to demo airplane Wi-Fi hack

Santamarta is due to demonstrate the attack at the Black Hat conference in Las Vegas on Thursday, where he hopes that the evidence of satellite communications system vulnerabilities will result in a wider talk on the standards these systems are using.

The presentation comes off the back of Santamarta's in-depth reporting of the matter in an April report which – among other things – found that many of these systems had ‘hardcoded' log-in credentials, meaning that engineers used the same authentication across multiple devices. This could allow hackers to swipe these credentials if they hacked the device firmware, said the security researcher.

"These devices are wide open. The goal of this talk is to help change that situation," Santamarta told Reuters.

The researcher says that he was able to compromise satellite communications system after reverse engineering (or decoding) firmware used on equipment from manufacturers Cobham, Harris, EchoStar, Iridium and Japan Radio Co, with these systems also used in military, maritime transportation, energy and communications.

In theory, he said that it would then be possible to hack into avionics equipment, potentially disrupting or modifying satellite communication, or interfering with navigation and safety systems. However, he did note that his tests so far have been carried out in a controlled environment at IOActive's laboratory in Madrid, Spain and are thus not necessarily guaranteed to work in practice.

Some of the aviation companies cited in Santamarta's research have contested the findings, saying that it is inaccurate. Cobham's Aviation 700 equipment was used as part of the research but the Dorset-based firm said that hackers must have physical access to the system as it cannot be hacked over Wi-Fi.

Japan Co spokesman told the newswire that information on such vulnerabilities was not public, while Harris and Iridium deemed the risk “very small” and “minimal” respectively. However, the latter said that it was taking precautionary methods to protect its customers.

Santamarta has said he will respond to the comments from manufacturers during his presentation.

Javvad Malik, a security analyst at The 451 Group, said that the demonstration shows how more vulnerable aircraft are becoming as they seek to improve the overall experience of flyers.

“I think it's another case that demonstrates how, in the attempt to provide facilities such as Wi-Fi, USB interfaces, and on-board charging on planes, cars and trains, security is neglected and leaves open vulnerabilities that can be exploited,” Javvad told SCMagazineUK.com.

“Whilst this may not be a major issue for say, your toaster, when it comes to medical devices or transport these vulnerabilities jump from being a mere inconvenience or prank to something that could result in loss of life.”

He added further that the proposal that you can access traffic and navigation systems by compromising Wi-Fi is a sign of weak network segmentation.

“I assume a lot of this is poor network segregation. The customer side should be properly separated out from the actual network – it seems as if that isn't the case,” he said.

And Malik said that – if the attack vector is viable – it will be interesting to see if countries look at this as an avenue for future cyber warfare.

“To what extent countries will be looking into this is a very interesting question. In a classic risk assessment statement, the current probability of a country using such means to attack commercial flights is low, but the impact is very high indeed.

“Do airlines wait for something to happen before fixing it – especially when it's a known issue? Bearing in mind, this can potentially allow someone with no missiles/rockets or other anti-aircraft weaponry to board a plane going through full security body scans, swabs and bag checks with only a laptop and bring it down.”

Dr Gareth Owen, senior lecturer for the school of computing for the University of Portsmouth, added that airplane Wi-Fi and entertainment systems have vulnerabilities like other embedded devices.

“Airplane Wi-Fi and entertainment systems are no different to any other type of embedded device, often based on a common OS such as Linux with some application-specific software,” Owen told SC.

“As these systems receive little scrutiny outside of the manufacturer due to Intellectual Property concerns, it is highly likely they will have unknown vulnerabilities that could be exploited.  Of course, air plane avionics should be isolated from any entertainment and Wi-Fi system; it's unlikely an attacker couldn't use this to down the plane.  

“In the worst case, an attacker may be able to leverage a vulnerability to snoop on communications for Internet connected planes, or in the best case, he might simply be able to play cat videos and display messages on your chair's screen.”

There has been a lot of speculation around cyber-attacks against aircraft, most recently on the disappearance of the Malaysia Airlines 370 airplane. Some information security professionals claimed at the time that the aircraft could have been brought down remotely, voluntarily or involuntarily.

And back in April 2013, security researcher Hugo Teso demonstrated at the Hack In The Box conference how he could use a smartphone application to deceive pilots by plying their navigation systems with fake data, although American and European air regulators said that it was not possible to hack an aircraft this way.