Download - Aircraft Hacking: Practical Aero Series

Transcript
  • 7/28/2019 Aircraft Hacking: Practical Aero Series

    1/44

    2013, n.runs Professionals - Security Research Team - April 2013 Hugo Teso


    Aero Series

    www.commandercat.com

    IT Security Commercial Pilot

    Hugo Teso (@hteso)

    (@48bits)

    www.48bits.com

    One and a half architecture


    Agenda

    Disclaimer

    Part 1: The $PATH to the exploit

    Part 2: The $PATH to exploit

    Time constraints: Too much to explain

    Aircrafts != Computers

    Safety reasons: Still too much to


    The Target

    In the beginning there was

    The Question

    Would I be able to convert THIS... ...into THIS ?


    The Answer


    Today's Answer


    Attack Overview

    DISCOVERY: ADS-B

    EXPLOITATION: Via ACARS, against on-board systems vulns.

    POST-EXPLOITATION: Party hard!

    INFO GATHERING: ACARS


    ADS-B 101

    Automatic Dependent Surveillance-Broadcast

    Radar substitute

    Position, velocity, identification, and other ATC/ATM-related information.

    ADS-B has a data rate of 1 Mbit/sec.

    Used for locating and plotting targets


    ADS-B Security

    None at all

    Attacks range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection).

    Target selection: Public Data, Local data (SDR*), Virtual Aircrafts

    * Software Defined Radio


    ACARS 101

    Aircraft Communications Addressing and Reporting System

    Digital datalink for transmission of messages between aircraft and ground stations

    Multiple data can be sent from the ground to the A/C *

    Used for passive OS fingerprinting and plotting targets

    * Aircraft


    ACARS Security

    None at all, sometimes monoalphabetic ciphers

    Detailed flight and Aircraft information

    Public DB, Local data (SDR), Virtual Aircrafts

    Ground Service Providers: Two main players, Worldwide coverage


    FMS 101

    Flight Management System typically consists of two units: a computer unit and a control display unit

    Control Display Unit (CDU or MCDU) provides the primary human/machine interface for data entry and information display.

    FMS provides: Navigation, Flight planning, Trajectory prediction, Performance computations, Guidance


    FMS

    Goal: Exploit the FMS, using ACARS to upload FMS data

    Many different data types available

    Upload options: Software Defined Radio, Ground Service Providers

    The path to the exploit: Audit aircraft code searching for vulnerabilities

    We use a lab with virtual airplanes but real aircraft code and HW


    Aircraft Hardware and Software

    The good old... eBay!!

    Russian scrapings You name it

    Loving salesman Value-added products

    Third party vendors /wp-admin... Sigh

    Resentful users or former employees


    A/C == Aircraft

    SDR == Software Defined Radio

    The lab


    The lab


    Many different data types to upload

    Many FMS manufacturers, models and versions.

    Architectures: PPC (Lab x86)

    Language: mostly ADA (old ones)

    SO RTOS realm: DeOS, VxWorks

    ACARS: ACARS datalink allows real time (avg of 11s delay) data transmission

    Size: Max 220 chars * 16 blocks :S

    FMS vulnerabilities


    http://www.sita.aero/file/3744/Aircom Ekaterinburg - Oct 09 ENG.pdf

    ACARS Messages during flight


    SITA/ARINC

    Société Internationale de Télécommunications Aéronautiques (SITA)

    IT and telecommunication services to the air transport industry.

    90% of the world's airline business.

    Aeronautical Radio, Incorporated (ARINC)

    Major provider of transport communications and systems solutions: aviation, airports, defense, government, healthcare, networks, security, and transportation.


    Be my guest...

    What could possibly go wrong?

    Access methods:

    E-Mail Clients: SMTP / POP3

    Lotus Notes

    Desktop Apps, connection over: X.25, TCP, MQ Series (IBM WebSphere), MSMQ (Microsoft queues), MS SQL Database, ORACLE Database

    Web App

    Mobility Mobile App Pager/SMS Printer SDK Stations

    http://www.sita.aero/file/3744/Aircom Ekaterinburg - Oct 09 ENG.pdf


    Software Defined Radio 101

    A radio communication system where components that have been typically implemented in hardware are instead implemented by means of software.

    HW: USRP1/USRP2 Universal Software Radio Peripheral, USB or Gigabit Ethernet link

    SW: GNU Radio, LabVIEW, MATLAB and Simulink

    SDK that provides signal processing blocks to implement software radios.

    Python/C++


    Post-exploitation

    Consolidation Protection & Monitoring

    Communication Two way communication

    Expansion Other systems Back to Discovery

    Smiths Aerospace chose Wind River Systems' VxWorks 653 RTOS for the B787's common core system (CCS), a cabinet that will host 80 to 100 applications, including Honeywell's FMS and health management software and Collins' crew alerting and display management software


    Aircraft and Pilots: Predictables, Checklists and procedures

    Exploiting other command nav systems or protocols

    Planning and timing!

    C&C: Two way communication, Actions

    Limitations

    Aircraft Post-exploitation


    SIMON

    Why SIMON?

    Multi-stage payload

    Control ADS-B/ACARS Upload via ADS-B/ACARS

    Persistence

    Stealthness (No Rootkit)

    Accept and inject: FP/DB Payloads (scripts) Plugins (code)

    Commands Two way comm


    Where to start from? NextGen Security, On-board systems security audit

    Who is affected? Manufacturers, Ground Service Providers, Airlines

    We are working with EASA to improve the situation

    Remediation

    Safety != Security


    Aviation 101 http://en.wikipedia.org/wiki/Portal:Aviation

    ADS-B http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast

    https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Costin

    ACARS http://en.wikipedia.org/wiki/Aircraft_Communications_Addressing_and_Reporting_System

    http://spench.net/

    FMS http://en.wikipedia.org/wiki/Flight_management_system

    http://www.b737.org.uk/mc.htm

    SDR http://en.wikipedia.org/wiki/Software-defined_radio

    http://gnuradio.org

    References


    Hugo Teso

    conference.hitb.org/hitbseccon2013ams/materials/

    THANKS TO:

    @d0tslash

    @vierito5

    @searchio

    @48bits

    @kuasar

    Many others