D1T1 - Hugo Teso - Aircraft Hacking - Practical Aero Series

Date posted: 22-Jun-2015
Aircraft Hacking
Practical Aero Series

2013, n.runs Professionals - Security Research Team - April 2013

Hugo Teso

IT Security

Commercial Pilot

Hugo Teso (@hteso)

(@48bits) www.48bits.com

One and a half architecture

Aero Series
www.commandercat.com

Agenda
  • Part 1: The $PATH to the exploit
  • Part 2: The $PATH to exploit

Disclaimer

Time constraints
  • Too much to explain
  • Aircraft != Computers

Safety reasons
  • Still too much to fix

Part 1

The $PATH to the exploit

The Target

In the beginning there was
The Question

Would I be able to convert THIS...

...into THIS?

The Answer

Today's Answer

Attack Overview
  • Discovery: ADS-B
  • Info gathering: ACARS
  • Exploitation: via ACARS, against on-board systems vulns.
  • Post-Exploitation: Party hard!

ADS-B 101
Automatic Dependent Surveillance-Broadcast
  • Radar substitute
  • Position, velocity, identification, and other ATC/ATM-related information.
  • ADS-B has a data rate of 1 Mbit/sec.
  • Used for locating and plotting targets

ADS-B Security
  • None at all
  • Attacks range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection).

Target selection
  • Public Data
  • Local data (SDR*)
  • Virtual Aircraft

* Software Defined Radio

ACARS 101
Aircraft Communications Addressing and Reporting System
  • Digital datalink for transmission of messages between aircraft and ground stations
  • Multiple data can be sent from the ground to the A/C *
  • Used for passive OS fingerprinting and plotting targets

* Aircraft

ACARS Security
  • None at all
      • sometimes monoalphabetic ciphers
  • Detailed flight and Aircraft information
      • Public DB
      • Local data (SDR)
      • Virtual Aircraft
  • Ground Service Providers
      • Two main players
      • Worldwide coverage

FMS 101
Flight Management System typically consists of two units:
  • A computer unit
  • A control display unit

Control Display Unit (CDU or MCDU) provides the primary human/machine interface for data entry and information display.

FMS provides:
  • Navigation
  • Flight planning
  • Trajectory prediction
  • Performance computations
  • Guidance

FMS
Goal: Exploit the FMS
  • Using ACARS to upload FMS data
  • Many different data types available

Upload options:
  • Software Defined Radio
  • Ground Service Providers

The path to the exploit:
  • Audit aircraft code searching for vulnerabilities
  • We use a lab with virtual airplanes but real aircraft code and HW

Aircraft Hardware and Software
  • The good old... eBay!!
      • Russian scrapings
      • You name it
  • Loving salesman
  • Value-added products
  • Third party vendors
      • /wp-admin... Sigh
  • Resentful users or former employees

The Lab

A/C == Aircraft
SDR == Software Defined Radio

The Lab

FMS vulnerabilities
  • Many different data types to upload
  • Many FMS manufacturers, models and versions.
  • Architectures: PPC (Lab x86)
  • Language: mostly ADA (old ones)
  • SO RTOS realm: DeOS, VxWorks

ACARS:
  • ACARS datalink allows real time (avg of 11s delay) data transmission
  • Size: Max 220 chars * 16 blocks :S

ACARS Messages during flight

http://www.sita.aero/file/3744/Aircom Ekaterinburg - Oct 09 ENG.pdf

Demo

Part II

The $PATH to exploit

SITA/ARINC

Société Internationale de Télécommunications Aéronautiques (SITA)
  • IT and telecommunication services to the air transport industry.
  • 90% of the world's airline business.

Aeronautical Radio, Incorporated (ARINC)
  • Major provider of transport communications and systems solutions:
  • Aviation, airports, defense, government, healthcare, networks, security, and transportation.

Be my guest...
What could possibly go WRONG?

Access methods:
  • E-Mail Clients
      • SMTP / POP3
      • Lotus Notes
  • Desktop Apps, connection over:
      • X.25
      • TCP
      • MQ Series (IBM WebSphere)
      • MSMQ (Microsoft queues)
      • MS SQL Database
      • ORACLE Database
  • Web App
  • Mobility
  • Mobile App
  • Pager/SMS
  • Printer
  • SDK
  • Stations

http://www.sita.aero/file/3744/Aircom Ekaterinburg - Oct 09 ENG.pdf

Software Defined Radio 101

A radio communication system where components that have been typically implemented in hardware are instead implemented by means of software.

HW: USRP1/USRP2
  • Universal Software Radio Peripheral
  • USB or Gigabit Ethernet link

SW: GNU Radio
  • LabVIEW, MATLAB and Simulink
  • SDK that provides signal processing blocks to implement software radios.
  • Python/C++

Post-Exploitation

Consolidation
  • Protection & Monitoring

Communication
  • Two way communication

Expansion
  • Other systems
  • Back to Discovery

Smiths Aerospace chose WindRiver Systems' VxWorks 653 RTOS for the B787's common core system (CCS), a cabinet that will host 80 to 100 applications, including Honeywell's FMS and health management software and Collins' crew alerting and display management software

Aircraft Post-Exploitation

Aircraft and Pilots
  • Predictables
  • Checklists and procedures

Exploiting other command nav systems or protocols

Planning and timing!

C&C
  • Two way communication
  • Actions
  • Limitations

SIMON
Why SIMON?
  • Multi-stage payload
  • Control ADS-B/ACARS
      • Upload via ADS-B/ACARS
  • Persistence
  • Stealthness (No Rootkit)
  • Accept and inject:
      • FP/DB
      • Payloads (scripts)
      • Plugins (code)
      • Commands
      • Two way comm

Demo

Conclusions

Remediation

Safety != Security

Where to start from?
  • NextGen Security
  • On-board systems security audit

Who is affected?
  • Manufacturers
  • Ground Service Providers
  • Airlines

We are working with EASA to improve the situation

References

Aviation 101
  • http://en.wikipedia.org/wiki/Portal:Aviation

ADS-B
  • http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast
  • https://www.blackhat.com/html/bh-us-12/bh-us12-briefings.html#Costin

ACARS
  • http://en.wikipedia.org/wiki/Aircraft_Communications_Addressing_and_Reporting_System
  • http://spench.net/

FMS
  • http://en.wikipedia.org/wiki/Flight_management_system
  • http: