Planes, Tweets & Possible Hacks From Seats

  /     /     /  
Publicated : 22/11/2024   Category : security


Planes, Tweets & Possible Hacks From Seats


There are conflicting reports over whether security researcher Chris Roberts hacked into flight controls and manipulated a plane.



What started with a tweet from an airplane seat in flight has boiled over into a heated debate and serious concerns over taking security research too far when public safety is at risk.
The FBI has charged in an affidavit that security researcher Chris Roberts, managing director of One World Labs LLC in Denver, was able to hack into an aircrafts controls via the passenger WiFi network in midflight, causing the airplane to briefly climb and move sideways, or laterally.
But Roberts, who made headlines last month for a controversial tweet during a United Airlines flight on April 15 where he appeared to suggest that he would hack into the planes controls, maintains that the live-hacking allegation was overblown.
In an interview with Wired
late last week, Roberts said that the paragraph in the FBIs affidavit was taken out of context and basically a misunderstanding of what he told them:
That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about, he told Wired. It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.
Roberts told Dark Reading yesterday that his legal team advised him to refrain from commenting at this time. He has maintained all along that the main motivation for his research has been to better the aircraft security.
After his tweet from the United Airlines flight, federal agents barred Roberts from boarding a United Airlines airplane and confiscated his laptop and other equipment; speculation ran high that the action was due to his bold and ill-advised tweet. The plot thickened several days ago when the FBI affidavit, which was filed on April 17, was obtained and published 
by APTN National News
and indicated that he had tampered with flight controls while a passenger. The filing also shows that the FBI in March had conversations with Roberts about vulnerabilities he had discovered in the in-flight entertainment systems (IFE) on the Boeing 737-800, 737-900, 757-200, and Airbus A-320 aircraft.
It was during those conversations that Roberts allegedly said he had compromised IFE systems with Thales and Panasonic video screens on seatbacks some 15-20 times between 2011 and 2014. He used an Ethernet cable to connect to the seat electronic box under the passenger seats.
Security expert Bruce Schneier says while its unclear whether the FBIs statements of Roberts tipping a plane in-flight are accurate, if Roberts indeed was hacking a plane while a passenger, it was a stupid thing to do, he wrote in a blog post yesterday.
The 
real issue
 is that the avionics and the entertainment system are on the same network. Thats an even stupider thing to do. Also last month, I 
wrote about
 the risks of hacking airplanes, and said that I wasnt all that worried about it. Now Im more worried, Schneier wrote.
Roberts isnt the only security researcher who has studied airplane network vulnerabilities. Ruben Santamarta, IOActive, on 
April of 2014 revealed critical design flaws he discovered in the firmware of popular satellite land equipment
that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services.
At Black Hat USA in August of last year, he explained possible attack scenarios exploiting those vulns, including how the planes passenger WiFi network
running Cobham AVIATOR 700 satellite terminals could be abused if an attacker were to gain control over the Satellite Data Unit or the SwiftBroadband Unit interface by taking advantage of the weak password reset feature, hardcoded credentials or the insecure protocols in the AVIATOR 700.
An attacker could wrest control of the satellite link channel used by the Future Air Navigation System (FANS), Controller Pilot Data Link Communications (CPDLC) or Aircraft Communications Addressing and Reporting System (ACARS), according to Santamartas findings.
Santamarta says if Roberts experimented with a live flight, he crossed a serious line. Roberts claims need be carefully examined. Putting hundreds of lives at risk has nothing to do with security research, Santamarta told Dark Reading.
So are airplanes truly hackable from your seat? Experts say in some cases its physically impossible, but in other cases, its possible in theory.
The ability to cross the red line between passenger entertainment and owned domains and the aircraft control domain heavily relies on the specific devices, software and configuration deployed on the target aircraft, Santamarta says. Under my point of view, one of the main concerns are the SATCOM devices which are shared between different data domains. Therefore, this equipment might be used to pivot from IFE [in-flight entertainment] to certain avionics.
Santamarta says the planes in-flight WiFi is not a problem per se and can be securely deployed such that the actual avionics network is safe.
There are four different domains on an airplanes network, he explains:  the  passenger entertainment and owned-devices domain, airline information services, and the aircraft control domain. The SATCOM equipment is usually shared between different domains. It has to provide internet access for passengers but also air-to-ground communications for avionics, he says.
Santamarta says the avionics controls should be housed in the aircraft control domain and physically isolated from the passenger network domain. Unfortunately, that is not always the case on planes, he says. Therefore, as long as there is a physical path that connects both domains, we cant discard a potential attack.
[Every security topic we research, everything we hack, every joke we make on Twitter, now, more than ever, has a quantifiable cost, researcher says. Read
Hacking Airplanes: No One Benefits When Lives Are Risked To Prove A Point
.]
Whether Roberts indeed was able to pivot from the infotainment network to the airplane controls is moot, says security researcher Don Bailey. The real issue is that increasingly networked systems, if tampered with, have public safety ramifications [and] are vulnerable.
This industry has seen Windows XP systems controlling critical water dams, life-critical medical devices with unencrypted remote radio protocols, and automotive security systems directly connected to the Internet. The real issue isnt whether Chris accomplished this attack, its the knowledge that the FAA, TSA, and other agencies arent enforcing engineering companies to adhere to stringent security standards, Bailey says. Because we all know, eventually, a breach of the entertainment system
will
result in a pivot to control systems. Its not
if
Chris made it happen, its
when
someone else will.
So what now?
Airlines cannot not rely on reactive solutions to detect attacks. The best way to avoid live attacks during a flight is analyze the security posture of the aircraft on the ground, Santamarta says.
He says the newest air-to-ground technology is a security challenge. Its best to be proactive about securing it, he says.
Even so, theres no reason to panic: We should not be thinking airplanes are going to start falling down the sky if someone just presses a key in their laptop, Santamarta says. Aircraft rely on redundancy to operate safely, [and] … pilots are well-trained professionals. Its not that easy.

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Planes, Tweets & Possible Hacks From Seats