Aircraft Hacking: Practical Aero Series

download Aircraft Hacking: Practical Aero Series

of 44

  • date post

    03-Apr-2018
  • Category

    Documents

  • view

    216
  • download

    0

Embed Size (px)

Transcript of Aircraft Hacking: Practical Aero Series

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    1/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    2/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Aero Serieswww.commandercat.com

    IT Security Commercial Pilot

    Huo Tso(@hteso)

    (@48bits)

    www.48bits.comOne and a hal architecture

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    3/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

    Ada

    Disaim

    Pat 1: Th $PATH to th poit

    Pat 2: Th $PATH to poit

    Tim ostaits Too muh to pai

    Aircrats != Computers

    Sat asos Sti too muh to

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    4/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    5/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Th Tat

    I th bii th wasTh Qustio

    Would I be able to convert THIS... ...into THIS ?

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    6/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Th Asw

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    7/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Todas Asw

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    8/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Atta Oiw

    DIScOvery: ADS-B

    exPlOITATIOn: Via ACARS Against on-boardsystems vulns.

    POST-exPlOITATIOn: Party hard!

    InO gATHerIng: ACARS

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    9/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    ADS-B 101

    Automatic DependentSurveillance-Broadcast

    Radar substitute

    Position, velocity,identifcation, andother ATC/ATM-relatedinormation.

    ADS-B has a data rate

    o 1 Mbit/sec. Used or locating andplotting targets

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    10/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    ADS-B Suit

    None at all

    Attacks range rompassi attas(eavesdropping) to

    ati attas (messagejamming, replaying,injection).

    Target selection Public Data

    Local data (SDR*) Virtual Aircrats

    * Sotware Dened Radio

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    11/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    AcArS 101

    Aircrat CommunicationsAddressing and Reporting System

    Digital datalink ortasmissioo mssas btw aiat adoud statios

    Multiple data can be sent romthe ground to the A/C *

    Used or passive OS

    ngerprinting and plottingtargets

    * Aircrat

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    12/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

    AcArS Suit

    None at all sometimes monoalphabetic ciphers

    Detailed fight and Aircrat inormation

    Public DB Local data (SDR) Virtual Aircrats

    Ground Service Providers Two main players Worldwide coverage

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    13/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    MS 101

    Flight Management Systemtypically consists o two units: A computer unit A control display unit

    Control Display Unit (CDU or

    MCDU) provides the primaryhuman/machine interace ordata entry and inormationdisplay.

    FMS provides: Navigation Flight planning Trajectory prediction Perormance computations Guidance

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    14/44 2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    MS

    Goal: Exploit the FMS Using ACARS to upload FMSdata

    Many dierent data typesavailable

    Upload options:

    Sotware Dened Radio Ground Service Providers

    The path to the exploit: Audit aircrat code searchingor vulnerabilities

    We use a lab with virtualairplanes but real aircrat code and HW

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    15/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

    Aiat Hadwa ad Sotwa

    The good old... eBay!!

    Russian scrapings You name it

    Loving salesman Value-added products

    Third party vendors /wp-admin... Sigh

    Resentul users orormer employees

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    16/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    17/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    18/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    19/44 2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    20/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    21/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    22/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    23/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    24/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    25/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    26/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    27/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    A/C == Aircrat

    SDR == Sotware Dened Radio

    Th lab

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    28/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Th lab

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    29/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

    Many dierent data types to upload

    Many FMS manuacturers, modelsand versions.

    Architectures: PPC (Lab x86)

    Language: mostly ADA (old ones)

    SO RTOS realm: DeOS VxWorks

    ACARS: ACARS datalink allows real time(avg o 11s delay) data transmission

    Size: Max 220 chars * 16 blocks :S

    MS uabiitis

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    30/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

    http://www.sita.aero/fle/3744/Aircom Ekaterinburg - Oct 09 ENG.pd

    AcArS Mssas dui fiht

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    31/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    32/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    33/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    SITA/ArInc Socit Internationale de Tlcommunications Aronautiques (SITA)

    IT and telecommunication services to the air transport industry.

    90% o the world's airline business.

    Aeronautical Radio, Incorporated (ARINC) Major provider o transport communications and systems solutions: Aviation, airports, deense, government, healthcare, networks, security, andtransportation.

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    34/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    B m ust...

    What oud possib o WrOng?

    Ass mthods:

    E-Mail Clients SMTP / POP3

    Lotus Notes

    Desktop Apps, connectionover: X.25 TCP MQ Series (IBM WebSphere) MSMQ (Microsot queues) MS SQL Database ORACLE Database

    Web App

    Mobility Mobile App Pager/SMS Printer SDK Stations http://www.sita.aero/le/3744/Aircom Ekaterinburg - Oct 09 ENG.pd

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    35/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso

    Sotwa Ddradio 101

    A radio communication system wherecomponents that have been typicallyimplemented in hardware are insteadimplemented by means o sotware.

    HW: USRP1/USRP2 Universal Sotware Radio Peripheral USB or Gigabit Ethernet link

    SW: GNU Radio LabVIEW, MATLAB and Simulink

    SDK that provides signal processing blocksto implement sotware radios.

    Python/C++

  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    36/44

    2013, n.runs Proessionals - Security Research Team - April 2013 Hugo Teso

    Post-epoitatio

    Consolidation Protection & Monitoring

    Communication Two wa