An Idiot's Guide to Hacking Aircraft

[allardjd 1,853]

Quote

Let’s not get bogged down with minutia allardjd. This thread should not be about correcting every single little mistake, it’s the general picture that should be relevant. 50, 100, 1000 ft, it’s not all that important surely. The premise is correct.

 

If the PF can overpower the autopilot while the PNF pulls the breaker(s), it's not minutia - it negates the autopilot as a source of trouble if the crew can pull that off.

 

On the other hand, trim, engines, flaps, spoilers, speed brakes, reversers and all the systems stuff are quite separate and if those are being diddled too, it's pretty much game over.

 

John

[MartinW 0]

Doubtfull they could pull it off though. Imagine being at 50 feet or 100 feet or any low altitude, and suddenly the AP is on and minus 5000 feet per minute and a right turn commanded.

The pilot would be struggling to gain control while also trying to process what the hell was going on. It would take considerable time for either pilot to come up with a "pull the breaker" sollution. In that time the plane would be toast.

I would say the aircraft heading toward the ground at low altitude is even more deadly than the other systems you mentioned. And reversers can't be deployed in flight of course.

There are many critical phases of flight where inappropriate AP commands would be deadly and the pilots little time to react.

Given what Tom told us, that the hackers rapid on off commands prevented the pilots from turning off the autopilot with the switches on glare shield or yokes, and that the yoke movement autopilot off system is most likely a simple switch, then it too would be non functional.

[allardjd 1,853]

True enough, and all more or less in line with what I said about a rogue pilot in one of the pilot seats - if he wants to crash the AC and picks his time during a critical phase of flight, he can because the other guy will not have the time to undo what he's done.

 

Ditto the autopilot I guess, but in the hacking scenario, it seems that's a little more complicated with the denial-of-service method being required and all that, than just cutting off the fuel to the engines and kicking out the spoilers and speedbrakes, or throwing the rudder full over or running the trim full down. In cruise or an over-water flight or over rough terrain, just cutting off the fuel would do the trick quite nicely.

 

John

[MartinW 0]

True enough, and all more or less in line with what I said about a rogue pilot in one of the pilot seats - if he wants to crash the AC and picks his time during a critical phase of flight, he can because the other guy will not have the time to undo what he's done.

 

Oh yes, there is no, and probably never will be a fool proof defence against a rogue pilot.

 

than just cutting off the fuel to the engines and kicking out the spoilers and speedbrakes, or throwing the rudder full over or running the trim full down. In cruise or an over-water flight or over rough terrain, just cutting off the fuel would do the trick quite nicely.

 

 

 

I doubt there is networked computer control over the engines in terms of the fuel shut off switches. FADEC [or similar] control yes, but again, I doubt it's a system that's connected to any network. Not in a 737, Airbus, doubt it. There would be no reason to connect them to any network, thus they are I would have thought isolated. After all, they are just switches, no computer control required for switches that the pilot throws rather than the automatic systems.

 

Without autopilot control, rudder hard over isn't something that a hacker could access either I wouldn't have thought, it's a mechanical system on the 737, Airbus is FBW, but I don't believe the FBW is connected to a networked system a hacker could control. And lets not forget, in terms of Airbus FBW, at least two of the flight control computers must agree before any action is taken. And all three of those flight control computers are by design independent and programmed  by different teams. With the hacker controlling the autopilot and thus the rudder... doubtful, as autopilots don't usually control rudders. Yaw damper, doubt it, yaw dampers don't offer full rudder deflection, just damping.

 

Triple channel systems for autopilot steering during an automatic rollout, but full deflection inhibited.

 

Spoilers and speed brakes... again, mechanical systems, not controlled by the autopilot. Airbus, FBW, but not on any kind of network I wouldn't have thought.

 

All we know so far, is that the hackers could access systems like FMC, autopilot.

 

 

[allardjd 1,853]

@ MartinW

That does not appear to be consistent with what the OP says...
 

Using their own software that they had coded, they could compromise the cabin pressure system, they could control the engines and shut them off, they could even control the flaps and other flight control systems.

 

 

[MyPC8MyBrain 273]

very interesting thread to follow

i believe we all reached the same conclusion; each from his own prospective has a cross reference why this claim is not viable

[MartinW 0]

 

@ MartinW

That does not appear to be consistent with what the OP says...

 

Using their own software that they had coded, they could compromise the cabin pressure system, they could control the engines and shut them off, they could even control the flaps and other flight control systems.

 

 

 

Fair enough.

 

Now it's time for Game of Thrones. That must take priority. It's the law!

[MartinW 0]

Just had a thought, that may lend some credence to the notion that a hacker could control flaps.

 

What about the flap relief system?

The Airbus system is based on airspeed I recall. When VFE is exceeded by a certain threshold the aircrafts computer automatically retracts the flaps. If the relevant system is on a network, the hacker may gain control.

This is an interesting article, by a 737 captain...

 

Am I particularly worried about my engines shutting down unexpectedly on my next flight? Not really. The 737s I fly have old school hydraulic flight controls, and while the engine controls are electronic, the fuel shutoff valves are not. But on the newest Boeings and Airbuses, you can pretty much count on everything being controlled by some sort of computer.

http://roboblog380.blogspot.co.uk/2015/04/could-hacker-shut-down-engines-using.html

I seem to be countering my own assumptions here, but it's just occurred to me that the spoilers are also computer controlled. The 777 for example automatically retracts the spoilers if a landing is rejected. The same almost certainly applies to Airbus.

If the manufactures are stupid enough to badly design the system, a hacker gaining control may be feasible.

[TomDangeroux 4]

I haven't reached that conclusion, I haven’t reached any conclusion. Only one attack vector has been discussed in any detail and it's been misinterpreted.

The Dos attack pertaining to the autopilot command switch has caused confusion, that's my fault for describing it that way. The hackers likened it to a Dos as they were "denying a service to the pilots", but they were using it as an analogy because the attack on the autopilot was exploited by leveraging the avionics bay attack vector. The attack using the maintenance laptop. This would be loaded with a specially crafted software 'crate' that is designed to inject code directly into the flight computers. Once you have access to this part of the aircrafts network with this level of penetration, you’ve already bypassed the safeguards, they've bypassed your firewalls and network protections by stepping around them and walked straight though a gaping hole in the fence, you’re pwned. While this vector may be feasible, I agree that it is hardly trivial and the hackers, while proposing possible ways to implement this attack, do agree it’s tricky. Not because of the fancy firewalls and network protections in place, it’s tricky because walking up to an aircraft at an airport and plugging a laptop into the avionics computer may raise a few eyebrows.

One group of consultants looking into this say there are multiple attack vectors. They have disclosed no information about access from the cabin entertainment system, so I've come to no conclusions about that. I do still believe however, that the latest FBI directives are highly suggestible and that things may not be 'at a good place' where that's concerned. A hacker wouldn’t Dos an aircrafts avionics system from the cabin anyway, what would that achieve? It’s not how I believe they would leverage the systems.

A different group of investigators pointed out, ‘what idiot hacks an aircraft when you’re sitting on it at 42,000 feet?” Mmm, good point. Unless your a terrorist of course.

They have identified other attack vectors; one they were particularly interested in was targeting aircraft through the Group Service Providers Infrastructure.

Disclaimer: I don’t have an opinion on this; I’m putting it out there as it may spark interesting discussion. So don’t go quoting me and dissecting every little thing I say, I am mealy a conduit for information Don’t assume that I believe this is exploitable 'real world.' I don’t know. I don’t have the skill set of a top hacker to decide either way.

So what is this Group Service Providers Infrastructure (GSPI)? Well, airlines own aircraft that come pre-installed with all this fancy software and systems from various manufactures. Patches are pushed out to operators for various on board systems and airlines can take advantage of something called the Airline Modifiable Information System (AMI). AMI allows operators to easily install upgrade packages (we can get into how they do this later). There is also LSP, or Loadable Software Parts. These are software customisations that airlines can tailor to their own requirements, like using an in-house MCDU system for example.

So, two major companies are vying for the GSPI space at the moment, SITA and ARINC. They provide IT and telecommunications infrastructure to airlines, binding all the IT solutions across the airlines business. From ticketing and boarding passes to patching and installing software into aircraft avionics and entertainment systems.

This all sounds pretty neat. What they are essentially allowing operators to do is upload and patch their fleet wherever they are in the world. They utilise a system called the Airborne Data Loader (ADL). Gone are the days of having to wait for an aircraft to land at your maintenance hangar and get engineers to pull and swap out boxes or replace circuit boards, that’s time consuming and very wasteful. No, they can utilise the ADL and upgrade far more easily. This was once done with USB keys, CD’s, DVD’s or laptops. But companies have taken this one step further; you now do it over the internet.

One such company offering this service is Teledyne Technologies, used by over 100 major airlines; they have taken this entire inbuilt infrastructure and come up with something called the AMI Wireless Data Loader, marketed as GroundLink. It uses their Enhanced ADL system called eADL.

Essentially what they do is this, via a simple web page interface, (Alarm bells ringing now ) operators can upload to Teledyne their own AMI code. Code configurations that can be altered include.

Flight Management Systems (FMS)

Integrated Display Systems (IDS)

Aircraft Condition Monitoring System (ACMS)

Advanced Cabin Entertainment and Service Systems

Central Management System (CMS)

Automated Flight Systems (AFS)

Centralised Fault Display Systems (CFDS)

Aircraft System Controller (ASC)

Flight Management Computer System (FMCS)

Electronic Display System (EDS)

Aircraft Data Acquisition System (ADAS)

How do Teledyne push these changes to aircraft? Well they streamlined that for you too. They will push updates to your fleet via Wi-Fi at an airport, they have 3G and 4G cellular transfer covered and can push information via the ACARS system, though bandwidth is limited to only 1Mb/second. They even have an iPad app and Bluetooth connectivity. Did you know all modern planes have their own IP address now? It’s essential when implementing this type of technology.

They cover all variants of 787, 747-800, A380 and A350 aircraft. They can also support legacy variants of the A320, A330, B737, B747, B777 and Embraer ERJ 170/190 aircraft.

So the consultant group, or ‘hackers', unable to contain their excitement saw this as an interesting challenge.

First they needed some modern hardware that could interact with ADL. They bought a second hand Honywell FMC for $400, an AS Air Land System SA-300 for $85, a Teledyne aircraft management box for an incredible knockdown price of just $10 and a Datalink simulation PC box to link it all together. They then needed to learn to code for the AMI. Thankfully if you pop over to the Rockwell Collins ARINCDirect website you can get them to send you the manuals and software on a disk for free, they even provide the software package on the disk that will test your code to make sure it’s accepted by the ADL system onboard the aircraft.

So they studied in their makeshift lab and realised that through this software, they had access via the AMI and LSP to the Flight Management Computer. They describe this as the Holy Grail. If they could leverage this system they had access to the code that manages - Air Data (altitude, speed and temperature), Navigation Receivers, Engine and Fuel management, Surveillance Systems, Flight Controls (roll, pitch and thrust axis commands), Cockpit Displays, MCDU/FMC, Data Link System, and the Internal Reference System.

They started to play with the code and realised it was running something called Wind River. This is a proprietary real time operating system (RTOS) called VxWorks. Despite the fantastic claims on the VxWorks corporate web site (Just type into Google “VxWorks Insecure” and count the hits), the researches described the OS as something from the 1980’s. Basic errors include all applications running as kernel threads, little memory protection running between processes (buffer overruns), every process runs with route privileges and no process is given any priority, a hacker’s playground.

They wrote their own AMI code that was accepted, verified and signed by the Rockwell Collins AMI testing package software. The requirement needed to upload any AMI revision code to Teledyne, and hence to your aircraft fleet. In reality the code was malicious. It could be crafted to simply crash systems and force a reboot. It could be crafted to relay incorrect data to the cockpit displays; it could be crafted to interact with the myriad of systems listed above. It could cut the engines, reprogram the Nav computer, and feed incorrect data to the Air Data systems. Once you gain this level of access your imagination is the only limit.

So they have their verified code, they know it will be accepted by the flight systems, they know what the new code can and will do if they can get it installed. Now for the tricky part (or is it that tricky?), getting it inside an aircrafts network.

Well remember Teledyne? They have a fantastic system in place. As a representative of the airline you can log into their website, upload your approved code, inform the system what aircraft you wish to have the code installed on, sit back and let them do all the work. So the hackers looked at the weakest link in the chain, the web site. Yes, they did what hackers do, leveraging a cross site scripting vulnerability in the sites implementation of JavaScript, they intercepted the logon credentials of eight airlines. This is where they stopped. This is the end of the attack. They did not press it any further, but this is what should happen next.

The Teledyne system checks the integrity of the file. Checks it’s properly signed (thank you ARINCDirect software) and produces what’s called a ‘crate’. This is then pushed onto the public internet! It travels over unsecured networks to the point of delivery. It is subject to all the vulnerabilities that brings. Once the correct IP of the aircraft is identified the GroundLink system simply uploads the software onto the plane. It can be installed over Wi-Fi, cellular, Bluetooth or the ACARS system mid flight. Yes, you read that right, mid flight. That’s it in a nutshell, easy and convenient for the operators. No encryption, no private network, just in the clear and straight to your plane.

Modern aircraft today have been described as “a bunch of Solaris boxes all networked together with some engines slapped on the side, then that all gets connected to the internet.” The sheer complexity of these systems makes them vulnerable, and the way the industry implements the technology and networks it all together makes them even more vulnerable. Well, I’m going to stop now, but I think you get the picture.

[MyPC8MyBrain 273]

that was very interesting Tom

the trail here starts in reverse; they first had the laptop with all the proprietary software they needed

from there it should be easy to collect the required information to carry such elaborate scheme

any mentioning how they got a hold of the laptop to begin with?

[TomDangeroux 4]

Hi Chris,

If your referring to the first part of my post, this is the very same attack I described in the opening post in this thread. This is the confusion. The posts earlier all refer to Chris Robert’s research using this direct access attack to the aircrafts avionics bay, never from the passenger cabin. He may have made progress lately, if his famous Tweet is to be believed, but as I haven’t seen his presentation at the RSA conference last week yet, I don’t know. They procured the laptop from the second hand open market for around $1000. From people who deal with second hand parts and spares.

The bulk of my latest post refers to a different team of researchers.

[MyPC8MyBrain 273]

here in the US (i believe its every 5 years) by law these computers must be recycled/destroyed

they cannot be resold for these same reasons

 

[TomDangeroux 4]

Yes, it would seem a prudent rule for very good reasons. But as I said in the opening post, they bought it from outside of the US, Africa if I remember correctly.

[allardjd 1,853]

Quote

A hacker wouldn’t Dos an aircrafts avionics system from the cabin anyway, what would that achieve? It’s not how I believe they would leverage the systems.

A different group of investigators pointed out, ‘what idiot hacks an aircraft when you’re sitting on it at 42,000 feet?” Mmm, good point. Unless your a terrorist of course.

 

I don't think I'd be so quick to write that off as implausible or impractical. It seems to me that the culprits most interested in trying to do this would be exactly that, terrorists, many of whom are eagerly suicidal and state-sponsored, so strongly motivated and potentially well-funded. If there's a plausible vulnerability to this, they'll try to make use of it if they can.

 

Other motives pretty much boil down to bragging rights or ransom/extortion kinds of things where they prove they can do it and demand payment not to. Try that one time and the airlines and the aircraft manufacturers will wake up and move as fast as humanly possible to close the door to it - cost be damned. The white-hat governments, i.e. those not on the short list of state sponsors of terrorism, will do everything they can to facilitate the efforts to close the holes and will pull out all the stops to find out who's doing it, including using all that Patriot Act and off the books NSA, CIA and FBI electronic snooping. The likes of Microsoft, Google, Twitter, Facebook, the ISPs and the other social media entities might also be pretty easily convinced to set aside their privacy standards and allow the investigators access to all the data that some of them routinely vacuum up and store. If they won't cooperate, getting court orders to force that should be pretty easy if there's already been an "event".

 

In a way, there's just a short window of opportunity for the black-hatters, whether terrorists or just crooks. Once it's undeniably in public that it has happened even once, the airlines, the AC manufacturers and the governments will close the door on it as quickly as they can and will not hesitate to throw mountains of money at it and won't balk for a millisecond to severely inconvenience the flying public. All electronics will be prohibited in the cabin and all IFE will be shut down, if not physically removed - bring a paperback book if you're bored.

 

Yeah, it will be expensive to ultimately back-fit the aircraft to make them completely invulnerable to this, if that's even possible, but they will get far down that road pretty quickly once they've suffered the first bite.

 

If you're a hacker interested in doing this for bragging rights and/or profit, I'd suggest it comes with a pretty high risk of eventually getting caught, even if you're successful once or twice. Their best move would be to somehow convince the airlines, the manufacturers and the governments that they have come up with a theoretical way to do it and entice the deep-pocket entities to pay for the information and the expertise, legally and above board. I think the guy who was arrested in upstate New York a few days ago was engaged in trying to do just that, but he was being closely watched and made an on-line joke that only he thought was funny - they came down on him like a ton of bricks.

 

John

[MyPC8MyBrain 273]

not using an open source platform should be mandatory

it is just too easy to hack a Solaris box its ridicules; if its old its not even a challenge 

[MartinW 0]

I don't think I'd be so quick to write that off as implausible or impractical. It seems to me that the culprits most interested in trying to do this would be exactly that, terrorists, many of whom are eagerly suicidal and state-sponsored, so strongly motivated and potentially well-funded. If there's a plausible vulnerability to this, they'll try to make use of it if they can.

Absolutely! A suicidal terrorist would be the most likely miscreant to capitalise on the vulnerabilities we've been debating.

 

In a way, there's just a short window of opportunity for the black-hatters, whether terrorists or just crooks. Once it's undeniably in public that it has happened even once, the airlines, the AC manufacturers and the governments will close the door on it as quickly as they can and will not hesitate to throw mountains of money at it and won't balk for a millisecond to severely inconvenience the flying public. All electronics will be prohibited in the cabin and all IFE will be shut down, if not physically removed - bring a paperback book if you're bored.

Yeah, it will be expensive to ultimately back-fit the aircraft to make them completely invulnerable to this, if that's even possible, but they will get far down that road pretty quickly once they've suffered the first bite.

 

 

 

 

Except that terrorists are quite happy with one-off catastrophes. One 9/11, one Lockerbie, a handful of packed aircraft hitting the dirt before the authorities fix the loopholes. Matters not to them, the body count per catastrophe is still high.

 

Forcing governments and manufacturers to "throw mountains of money at it" is exactly what terrorists want. Maximum cost incurred, maximum inconvenience to the flying public and a high body count.

 

And something tells me that "back fitting an aircraft to make them completely invulnerable" is but a short term fix. As the systems become more complex, more sophisticated, as new capabilities are introduced, new vulnerabilities will emerge. Thus, any measures to mitigate risk will be on-going, long term, a constant process of recognising vulnerabilities and finding new strategies to combat them.

 

Not as manic, but no different to Microsoft patching their operating systems.

 

 

 

[MartinW 0]

Gentlemen, you should read the following PDF. It covers everything Tom has been talking about...

http://www.casa.gov.au/wcmswr/_assets/main/download/caaps/ops/232_1.pdf

It's from the Civil Aviation Authority. Created in 2013.

 

6.3 Credible examples of potential misuse potentially include:

 Infection of an aircraft system from Malware (Malicious software).

 An attacker can use onboard wireless to access aircraft system interfaces.

 Denial of service of wireless interfaces.

 Denial of service of safety critical systems.

 Misuse of personal devices that could potentially access aircraft systems.

 Misuse of off-board network connections to access aircraft system interfaces.

6.4 A successfully executed attack can have an adverse effect on the aircraft and its occupants. A threat condition can lead to a failure condition. The difference is that a threat condition will occur through a willful action. Threats can cause a wide variety of failures see Table 1: Types of Failures.

[allardjd 1,853]

Wouldn't it turn out to be really interesting if Boeings were highly susceptible and Airbi were not, or vice versa? Talk about upsetting the apple cart.

 

John

[MyPC8MyBrain 273]

the second study brought up by Tom is very old; i suspect it is no longer viable these days to the extent it was originally carried

[MartinW 0]

the second study brought up by Tom is very old; i suspect it is no longer viable these days to the extent it was originally carried

Wasn't it 2012? How is that old? It's only 3 years. And my CAA report was from 2013, only 2 years.

The point though, is that it's on going.

[MyPC8MyBrain 273]

These holes should have been closed no more than 24 hours from disclosure;

and I mean air tight close or some big shoot would lose his cushioned seat,

hence why these were publicly disclosed today and not in 2012/13.

The flip side of these guys; is they will also tell you what you need to do immediately to defuse their steps one by one,

come to think of it now; there's one more definitive reason;

i am more than convinced it is why this was even made public in the first place, it actually makes perfect sense to me now

unfortunately I’m not in liberty to discuss this in public; but it very much has to do with RSA and its ongoing work!

[brett 2,314]

I wonder if they can hack the pilots iPad's.....

[allardjd 1,853]

I wonder if they can hack the pilots iPad's.....

 

 

Naaah, that could never happen.  Their operating systems are totally immune to malware.  

 

John

[TomDangeroux 4]

Yes Martin, nice PDF, it’s all there.

What a mighty fine mess they’ve got themselves into. Reading through the document, the authors can envisage attacks coming from all directions, it would be funny if it wasn’t so serious. You could apply a good chunk of the information given in the PDF to any organisation with an internet presence, like your bank for instance, and we all know what a sterling job they do.

All the work that’s gone into airline safety over the decades and then they go and migrate all the dangers associated with the internet and willingly open themselves up to it.

They can anticipate multiple attack vectors from many different groups. Hackers, bot nets, criminal gangs, terrorists, malware, foreign intelligence services (remember Stuxnet) and industrial espionage. They see the need to not only lock down the aircraft the best they can, but the vendors, the third party vendors and all of the service infrastructure that goes with it. They then have to repeat this task across all the airlines globally. Good luck with that.

@John. I totally see your point. But suffering an attack and then reacting to it isn’t much consolation to the victims families. Don’t accident investigators term this approach ‘tombstone technology?’ They should be throwing mountains of money at the problem now. Unfortunately good security is built in and not bolted on. If you rely on this tactic to secure your infrastructure, you’ve already failed. And how do you catch clever people attacking remotely. You could follow the trail back and just find some internet cafe in Islamabad.

As far as the iPad incident is concerned it sounds like it was a bad app. I thought the airlines where meant to be carefully validating all software used on aircraft as stipulated in the regulations. They can’t even get a simple app right, somebody in that highly complex vulnerable chain didn’t do their job.

[MartinW 0]

As far as the iPad incident is concerned it sounds like it was a bad app. I thought the airlines where meant to be carefully validating all software used on aircraft as stipulated in the regulations. They can’t even get a simple app right, somebody in that highly complex vulnerable chain didn’t do their job.

From what I understand, the issue arose because a duplicate copy of Reagan International was present. It sent the iPad app bonkers and crashed the pad.

Not a series issue, I believe there were 67 aircraft affected, so a small percmetage of AA's fleet. The aircraft affected taxied back to the gate and once in Wi-Fi range reinstalled the app. Or some pilots grabbed paper charts I believe.

What it doers do though, is highlight how new issues are occurring and will continue to occur as systems become more complex. Including the security issues we have mentioned in this thread.

Seems the airlines have rejected the KISS principle. [Keep It Simple Stupid] More complexity, more potential for failure.