Hacker uses an Android to remotely attack and hijack an airplane


JJ_BPK
04-12-2013, 03:38
Very Spooky on several levels..


Why is it possible?
Why give this hacker a forum for the topic?
Who is going to be at the discussion?
Is he on Barry's hit list?



Hacker uses an Android to remotely attack and hijack an airplane
By Darlene Storm
April 10, 2013 4:28 PM EDT

The Hack in the Box (#HITB2013AMS) security conference in Amsterdam has a very interesting lineup of talks [pdf]. One that jumped out was the Aircraft Hacking: Practical Aero Series presented by Hugo Teso, a security consultant at n.runs in Germany. According to the abstract, “This presentation will be a practical demonstration on how to remotely attack and take full control of an aircraft, exposing some of the results of my three years research on the aviation security field. The attack performed will follow the classical methodology, divided in discovery, information gathering, exploitation and post-exploitation phases. The complete attack will be accomplished remotely, without needing physical access to the target aircraft at any time, and a testing laboratory will be used to attack virtual airplanes systems.”

While keeping an eye on Twitter #HITB2013AMS, greatly interesting tweets started to appear as hackers who attended were excited. I will add some of those throughout this article.

continued: (http://blogs.computerworld.com/cybercrime-and-hacking/22036/hacker-uses-android-remotely-attack-and-hijack-airplane)

perdurabo
04-12-2013, 15:45
Very Spooky on several levels..


Why is it possible?
Why give this hacker a forum for the topic?
Who is going to be at the discussion?
Is he on Barry's hit list?


1. Unknown. I still need to review the information publicly available.

2. Because he is a legitimate security researcher and security-through-obscurity has proven a poor technique in the information security world.

3. Who will be at the discussion: Other security researchers and vendor engineers, govt (including US IC) officials.

4. Probably not, because getting the information out there is critical. It's standard practice to communicate with the affected parties before public disclosure. So those who need to know probably weren't (or shouldn't have been) caught off-guard.

More info from the researcher/presenter: http://commandercat.com/2013/04/hitb2013.html

Security and avionics, two of my most favorite subjects. These attacks utilize software-defined radios, which are quite fantastic if you haven't heard about them before. The hardware portion of SDR is commoditizing and dropping sharply in price. I've spent some time playing with POCSAG and APRS with a $20 radio adapter with an RTL chipset from China.

http://www.rtlsdr.org/

http://en.wikipedia.org/wiki/Software-defined_radio

Personal life and work have kept me from getting full situational awareness, but I'll get to it and hopefully get some time to expand on my thoughts.

BOfH
04-12-2013, 17:13
I am partial to FUNcube (http://www.funcubedongle.com/), which I have used to assess wireless utility meters (yes, I can shut off your meter :eek: :D - certain ones anyway).

A cursory glance at the presentation shows that he used ACARS (http://en.wikipedia.org/wiki/Aircraft_Communications_Addressing_and_Reporting_System) to remotely (via the SDR) exploit a vulnerability in the Honeywell FMZ-2000 (http://www51.honeywell.com/aero/common/documents/myaerospacecatalog-documents/BA_brochures-documents/FMZ-2000_Flight_Management_Systems_032009.PDF) flight management system, and from there control the aircraft's navigation waypoints when running on autopilot.

My .02(for now)

perdurabo
04-12-2013, 17:21
I am partial to FUNcube (http://www.funcubedongle.com/), which I have used to assess wireless utility meters (yes, I can shut off your meter :eek: :D - certain ones anyway).


ZigBee, by chance? I am researching a line of a manufacturer's residential power meter equipment for a class right now. Good stuff.

alelks
04-13-2013, 06:19
Hmmm,

I'm curious as to who is telling the truth.

http://www.informationweek.com/security/application-security/faa-dismisses-android-app-airplane-takeo/240152838?cid=nl_IW_weekend_2013-04-13_html&elq=0b52b1f9f04e412195c5d4a5c24687cc

Ambush Master
04-13-2013, 07:56
I agree with the last article!! Besides, ACARS is not even a required system and can be disabled by simply pulling a CB!!

BOfH
04-13-2013, 20:35
ZigBee, by chance? I am researching a line of a manufacturer's residential power meter equipment for a class right now. Good stuff.

I wish, then I could have gone with Arduino/Netduino, ZigBee shields and a pre-written protocol stack. Unfortunately, they are/were running a proprietary protocol over the ISM band, similar to the water meters (Aclara-STAR AMI/AMR (http://www.aclaratech.com/AclaraRF/Pages/specifications_WaterMTU.aspx)) that NYC DEP uses.

As for the OP, I don't know enough about FMS and avionics to comment on the research and/or the statement put out by the FAA; however, I will say that many embedded mission critical systems are hardened to protect from these types of attacks.

That said, these issues are not new. For example, multiple security issues (http://www.tgdaily.com/security-features/49769-security-researchers-say-they-can-take-over-a-car) were noted with CAN (Car Area Network) (http://en.wikipedia.org/wiki/CAN_bus) in which the vehicle could be remotely disabled and security systems disarmed. Or, closer to home, a killer pacemaker. (http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt)

I will end with this: In many instances, software design and implementation unfortunately suffers from a lack of security, both in the design/architecture of the application and within the source code itself. This is usually due to a lack of knowledge, will and financial resources by both the product manager(s), developer(s) and even the QA to implement security and/or engage the appropriate resources from the outset. Lastly, contracting out the programming to the lowest bidder rarely ensures a secure end product.

My .02

JJ_BPK
04-14-2013, 04:21
That said, these issues are not new. For example, multiple security issues (http://www.tgdaily.com/security-features/49769-security-researchers-say-they-can-take-over-a-car) were noted with CAN (Car Area Network) (http://en.wikipedia.org/wiki/CAN_bus) in which the vehicle could be remotely disabled and security systems disarmed.

My .02

Anyone catch this article the other day??

High-tech car thieves break into vehicles without leaving a trace

http://news.msn.com/science-technology/high-tech-car-thieves-break-into-vehicles-without-leaving-a-trace

:munchin

BigJimCalhoun
04-14-2013, 04:50
I am going from memory here, but am pretty sure I am recounting the story from last September correctly. I went to a computer security presentation by an individual who is hired to hack systems. In a controlled lab with the flight sim stuff, he was able to connect in through the entertainment system and deploy the plane flaps at 30,000 feet and make the plane dive. This was because the networking protocol (the plane's version of TCP/IP) was shared between systems.

As part of the project, he researched all the pieces of the system via patent applications, online resumes of people, press releases, etc. He was also able to spoof some sort of air traffic system to make fake plane transponders appear. This would (in the lab) cause the target plane to readjust course.

It was a pretty interesting talk. I tried to hire him to work on our systems but my company was not interested. I can get his name and company to anyone who PMs me.

Hand
04-14-2013, 17:16
...security-through-obscurity has proven a poor technique in the information security world.



Bingo. But we still haven't learned that lesson yet for some reason.

BOfH
04-14-2013, 22:12
I am going from memory here, but am pretty sure I am recounting the story from last September correctly. I went to a computer security presentation by an individual who is hired to hack systems. In a controlled lab with the flight sim stuff, he was able to connect in through the entertainment system and deploy the plane flaps at 30,000 feet and make the plane dive. This was because the networking protocol (the plane's version of TCP/IP) was shared between systems.

As part of the project, he researched all the pieces of the system via patent applications, online resumes of people, press releases, etc. He was also able to spoof some sort of air traffic system to make fake plane transponders appear. This would (in the lab) cause the target plane to readjust course.

It was a pretty interesting talk. I tried to hire him to work on our systems but my company was not interested. I can get his name and company to anyone who PMs me.

http://blogs.computerworld.com/cybercrime-and-hacking/20775/curious-hackers-inject-ghost-airplanes-radar-track-celebrities-flights

As far as I know, the infotainment systems and fly by wire systems are generally isolated, but that may not always be the case.

The bigger issue is that many of these systems fail at 2 of the 3 security principles in the CIA triad (Confidentiality, Integrity and Availability), namely confidentiality and integrity. While there may be redundancy built in, there is generally no mechanism (or whatever mechanisms there are, fail) to verify the information that is received. Basically, "no one would ever <insert favorite attack on ATC or fly by wire here>" becomes "wanna bet?". It's less security by obscurity and more relying on the consequences and penalties levied on the perpetrator to prevent such an attack, which is, well, an exercise in futility.

ETA: Hence the public "shaming" of software/hardware vendors. Unfortunately, with each technological iteration (take IPv6 for example), we repeat the same mistakes, especially on the security side.

My .02
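The integrity gap described above (a receiver with no way to verify that an instruction it received is genuine) as an added example that is not part of this thread or of any avionics product: a toy Python receiver for a constructed, simplified waypoint-update message, first accepting anything well-formed, then requiring a keyed MAC and an increasing sequence number so that forged, tampered and replayed messages are rejected. The message layout, field names, tail number and key are assumptions for illustration only, not the ACARS or FMZ-2000 format.

```python
import hmac
import hashlib

# Constructed, simplified uplink layout (an assumption, not a real ACARS/FMS format):
#   "<tail>|<seq>|<command>|<payload>|<hex mac>"
SHARED_KEY = b"example-key-for-illustration-only"  # assumed per-aircraft secret


def build_uplink(tail, seq, command, payload, key=SHARED_KEY):
    """Construct a signed message; the MAC covers every field that matters."""
    body = f"{tail}|{seq}|{command}|{payload}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def parse(msg):
    """Split a message into fields; raises ValueError on a malformed line."""
    tail, seq, command, payload, mac = msg.split("|")
    return {"tail": tail, "seq": int(seq), "command": command,
            "payload": payload, "mac": mac}


def naive_accept(msg):
    """The failure mode from the post: accept anything that merely parses."""
    try:
        return parse(msg)["command"] in ("WPT_UPDATE", "TEXT")
    except ValueError:
        return False


class VerifyingReceiver:
    """Accepts a message only if it is addressed to us, the MAC verifies,
    and the sequence number is newer than the last one accepted."""

    def __init__(self, tail, key=SHARED_KEY):
        self.tail, self.key, self.last_seq = tail, key, 0

    def accept(self, msg):
        try:
            m = parse(msg)
        except ValueError:
            return False
        if m["tail"] != self.tail:
            return False  # addressed to a different aircraft
        body = f"{m['tail']}|{m['seq']}|{m['command']}|{m['payload']}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, m["mac"]):
            return False  # forged or tampered in transit
        if m["seq"] <= self.last_seq:
            return False  # replay of an earlier genuine message
        self.last_seq = m["seq"]
        return True
```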

badshot
04-15-2013, 16:38
Systems are more vulnerable for many reasons, but a big part of it is the lack of programmers knowing the fundamental details (BIOS, OS, and network protocols) of how the system they are building an app on works and functions.

Security, as some of you are aware, starts at advanced and adaptive firewalls, a hardened OS network stack, a good OS (not Win based), and ends with the platform used to develop the app (Java anyone? or similar languages with huge footprints) and the developer writing the code (exception and data validation). Many are using these huge footprint languages for systems level uses and controlling devices for rapid development and less trained 'engineers', a bad combination no matter which firewall or OS is implemented.

Nothing is a hundred percent, but it could be better than the coin toss it is now.

BOfH
04-15-2013, 21:54
Entire post


Agreed. That said, once you peel back the defense in depth onion, what do you have?

Security is as much a mindset as it is best practice. Developers and product managers tend to focus on solutions to (complex) problems while security professionals focus on breaking said solutions or using them in unintended ways that ultimately compromise system security. The key is to diverge the two, i.e.: Could my solution/product be used in a way to make the problem worse? Or introduce a larger, more acute issue? Conversely, as a security professional: Do the issues noted with the application void it entirely from a (flawed) architectural perspective, or can we resolve the noted issues and move on? At the same time, how do we implement practices that avoid these flaws going forward, i.e. SDL?

A good example of this (surprise, surprise!) is Microsoft. While they are still far from perfect, they have also implemented (http://www.wired.com/techbiz/media/news/2002/01/49826) what is probably one of the best SDL (Secure Development Lifecycle) (http://www.microsoft.com/security/sdl/default.aspx) policies in the industry. This effectively took them from one of the worst to one of the better (http://productsecurityblog.emc.com/2012/01/happy-anniversary-to-microsoft-trustworthy-computing-initiative/) companies in the industry. While the attack vectors and actors have changed, their approach has definitely had some measurable (http://www.computerworld.com/s/article/9102998/Gates_pushed_change_in_security_culture_at_Microsoft) impact on the software industry.

My .02

badshot
04-15-2013, 23:16
Good points as well...have personally experienced some whom have tried to exploit some CGI programs in a way I hadn't thought of...

I sometimes wonder if they let Tim Paterson finish DOS if win would have been more solid earlier (it had many internal data structures that hinted towards a multi-threaded/process OS)

Win7 and 8, minus the UI, are much better internally...

BOfH
04-16-2013, 10:59
Win7 and 8, minus the UI, are much better internally...

Yup, albeit a bit late. DEP, ASLR, and heap alloc/dealloc protections have been around for some time; take a look at the research done by GRSecurity (http://grsecurity.net/research.php), who have been working at it for 10+ years on the Linux side. As for the UI, pigs will fly...you get the point ;)