To be honest this is both unsurprising and IMO very irrelevant.
Spoofing a CAN or ARINC429 bus requires physical access. At that point an attacker has access to the physical systems of the plane, at which point the plane is compromised anyway. What he uses to take over the plane is essentially arbitrary and there is absolutely nothing that would give any protection.
> Spoofing a CAN or ARINC429 bus requires physical access. At that point an attacker has access to the physical systems of the plane, at which point the plane is compromised anyway.
I gather a perp only has to access the right piece of equipment in any phase of the logistics.
These buses are employed mostly in the avionics industry, but they are also utilized in ground vehicles, weapons systems, and other commercial and military equipment industries.[1]
That sounds like saying that one could potentially launch a nuke by walking into an operational nuclear submarine and pressing buttons in the right order.
> Spoofing a CAN or ARINC429 bus requires physical access.
I worked for ages in the automotive industry. Here is the thing: They don't have just one CAN bus, but multiple, connected via gateways that function both as message router and also firewall between these busses. At least that is the idea, the reality is ... commercial software development with all the issues that come with it (see various hacks where they broke through these gateways).
Someone posted a story as part of this subthread here, i.e. if a passenger is able to access an airplane bus and issue engine control commands that actually do something, the overall security setup is utterly broken. The infotainment units in the passenger cabin requiring access to some internal bus is actually ok, but issuing flight control commands from these should be (silently?) ignored, and this can only happen if you partition the busses via such gateways, for example.
Funnily enough, in this case it also helps safety, because you can be more relaxed about the overall (software) quality of these infotainment units (decomposition effect in safety systems).
A wirecutter would presumably cause an issue which would manifest itself prior to takeoff.
Either that, or you must make your way into the bay while in flight with said wirecutters.
Now, a dongle quietly manipulating enough variables to make the plane uncontrollable in flight, on the other hand... (No idea if that is even possible given access to this bus, but I will read this paper with some interest tomorrow (as I fly AMS-EWR... :))
Manipulating actual flight controls is probably hard.
Manipulating sensors is probably comparably easy, and, if you can adjust the AOA sensors to make the plane think it's in level flight while spoofing altitude data, you can probably manipulate the pilots (auto or not) into a CFIT.
It's happened on other flights where pilots became confused by conflicting information (AF447 and many others) so giving them consistently wrong data is going to cause a consistently bad output.
Anyway though I deeply agree that once you have physical access all bets are off. Sure, you can put a bug in which causes a complicated aircraft failure but you could also just put a time-delayed container of thermite or tannerite in the right place.
I'd be much more worried about a software update causing a major issue, either intentionally or, even more likely and more worrying, accidentally, à la 737 Max.
>Manipulating actual flight controls is probably hard.
Why? The flight sticks have an ADC, just control current/resistance there to get the desired digital values. Of course assuming fly by wire and symmetrical input on both sticks.
Probably far easier than manipulating the digital data downstream, which is subject to lots of checks.
There was a somewhat recent event of someone proving he could control an airplane from the passenger compartment. They went into the logs and he made minor course adjustments.
They seized his equipment but it didn’t say he spent any time in jail.
> I think it's better to take away options, rather than throw up your hands.
No, wasting time, resources and money while increasing the inherent complexity and risk of a system to gain absolutely no benefit is a very bad idea.
> Just because someone can load up my car on a flat bed tow truck doesn't mean it's pointless for me to have locks on the doors and ignition.
Idiotic comparison, which makes me think you are just totally disingenuous. The point I made was that with the same amount of effort a plane is compromised, with or without a secure bus. This is fake security, it doesn't protect anything.
Just tell me an attack on the bus of an airplane which couldn't have just as easily been performed outside of the bus.
Imagine a scenario where a plane is carrying a person who is enemy to a certain nation state. A nation state who is not above, say, using umbrella air dart guns to poison their enemies with radioactive compounds - just to make it clear that we're solidly in the realm of using James Bond style bullshit to secure national interests in our particular scenario. If this nation state were to plant a device on the avionics bus that would spoof the airspeed readout and cause the pilot to nose up on takeoff before the plane has reached critical velocity, it would be very difficult to find this device in the aftermath of the fiery crash, and also very difficult to not blame this on a faulty sensor or pilot error. I say fiery, because there would likely be a full tank of fuel, further reducing survivability in this scenario. A scary thought.
Maybe if it crashed in the ocean. If it crashed on land, then they would almost certainly find the device in the wreckage as in the Pan Am 103 bombing [1] where they found even scraps of disintegrated clothing in the suitcase carrying the bomb. The flight recorder would also almost certainly show the nonsensical inputs and outputs and the pilot confusion. And, unlike other industries, aviation does real root cause analysis to identify every factor involved in a crash so it would be exceedingly unlikely they would throw their hands up into the air and just blame the pilot or something as stupid like that.
The chances of an attack like this being undetectable are exceedingly low. You would likely need to compromise nearly every aspect of the plane to make sure you have suppressed every available cross-checking mechanism. Does not stop it from happening, but it would not, in any way, be some sort of magic assassin weapon.
A bit OT: The little remembered thing with Lockerbie is that they knew something was really weird before the debris hit the ground.
It wasn't the super deep check of the debris that pointed them to a bomb, it was a process that started with watching debris on primary radars fall away from a point where a moment before a transponder was squawking, it was finding the pressure spike on CVR and FDR, it was finding explicit explosion-affected parts, which guided which parts to reconstruct in 3D (a very rare thing to do), and to finally find remains of the bomb itself.
Depending on who the attacker is, the attack being undetectable might not matter. Russia has assassinated multiple people using polonium, and what was the response? Crickets. They could easily do the same thing to assassinate other people they don't like (along with plane-loads of other passengers), and the only result will be angry words and "condemnation".
I doubt those Russian assassinations were ever meant to be undetectable. Rather they were intentional spectacles, where there's no doubt in who was behind it. The goal is to make it obvious, but also deny it officially, while knowing that everybody knows they're lying, just to mock their opponents.
Exactly. I can see them doing the exact same thing with an exploit like this. The point wouldn't be to be undetectable, but rather to be sure the assassination attempt will actually work as intended, and to cause a big spectacle (few things generate news headlines like big airplane crashes).
Both Poland and Iran have lost regionally inconvenient heads of state to crashes in fog.
I think there is concern there with undiagnosable crashes, but also a more pronounced concern with hijacking. If you have access to the plane you can just plant a bomb. With this you could capture the plane for hostage or turn it into a missile.
Presumably because he was surrounded by troops reasonably loyal to him, making any assassination difficult.
That he was killed by manipulating the data bus seems entirely speculative and exceedingly unlikely. If you have that kind of access to the plane you can plant a bomb or if you just want to down the plane Russia has potent anti-air weapons which trivially can take down a sub sonic passenger jet.
This can be accomplished just as easily by targeting the analog input for the actuators or the analog input of the stick. Or attack one of the other myriads safety critical systems outside of the bus.
And... attacking manually gives more plausibility to it being an accident rather than having a dongle attached to the plane, or code potentially surviving on the system.
> This paper investigates cyber-physical attacks on avionics data buses, specifically focusing on the ARINC 429 protocol. The objective is to demonstrate how message injection, modification, and deletion attacks can be executed, enabling an attacker to gain full control over the transmitted data.
I wish that vehicular systems all had air-gap level separation of messages, rendering it physically impossible to disrupt messages to critical systems like flight controls. I suppose that's a naive perspective, but in the long run it's hard to believe that we won't have to resort to provably correct systems to thwart attacks.
> To accomplish this, we propose a method that involves modifying messages on the data bus without segmenting it.
Can we really live with avionics platforms as a setting for the same kind of perpetual arms race against attackers that we have for general operating systems?
The problem described in the paper is not what you think it is. The paper effectively says: "Assume we control the wire to the flight controls, then we have complete control over whatever is sent to the flight controls." Not to belittle the technical work in constructing an implant that can manipulate the electrical signals in the wire in realtime, but the consequence of such access is as obvious as it is uninteresting.
Not to say that physical compromise of the wire is unbeatable; encryption makes it effectively impossible to spoof or rewrite messages, but the wires and communication protocol are already only intended for communication between trusted components (if you are communicating with untrusted components then you have to use something else like a data diode). The only really interesting part of the highlighted attack vector is that the "trusted wires" are likely not particularly physically separated from "non-trusted wires" or easy access, which makes physical compromise at least plausible to achieve for an external malicious actor as compared to physically modifying one of the actual critical flight computers.
ARINC 429 is definitely one way to do it. It has a fixed baud rate - there is no feedback to the transmitter. Typically, each "bus" carries a single message or a small subset of messages (called labels).
> I wish that vehicular systems all had air-gap level separation of messages
From what I'm reading, ARINC 429 is as air-gapped as you can get. It is a one-way serial protocol (separate wires for transmit and receive). Only the wires that need to be connected are. Messages go from->to where they need to be.
Unless by air gapped you literally mean "don't connect anything together" at which point you no longer have a functioning vehicle.
Another question would be: "Can we create systems intended to be permanently disconnected from the Internet?". Unfortunately, the answer seems to be no. You can see indications in the way that small water purification systems connect to the net just to save engineers from going in on weekends.
There are other means of remote access besides internet. POTS (i.e. dial-up modems), cellular wireless, and other forms of radio are several that come to mind.
Internet is almost certainly the cheapest and easiest thing, which is why it's used.
Not permanently, which is the conjecture laid out by OP. At some point, there will need to be nav data updates, updates to the aircraft's required systems, updates to IFE systems, etc. Modern jets do all of that wirelessly. Additionally, every single modern jet uploads all recorded engine parameters from the flight to the engine manufacturer after it arrives at the gate. Do I know what I am talking about? Ref. username.
Sure, I have worked on multiple plane systems which were connected wirelessly, even to the internet. (Although that is something which I am extremely glad I have left behind me and would never brag about in my profile name)
Even so, a modern jet is still able to function without internet.
Yes but my point is whether the system can be "never on the Internet" (hence never subject to constantly evolving hacks) and it doesn't seem like the systems you describe are necessarily that.
If it requires physical access an attacker can also attack the analog systems which are controlled by the software.
> I wish that vehicular systems all had air-gap level separation of messages, rendering it physically impossible to disrupt messages to critical systems like flight controls.
This is just false. There is nothing in the world which makes physically separating two airplane systems impossible.
> Can we really live with avionics platforms as a setting for the same kind of perpetual arms race against attackers that we have for general operating systems?
The comparison is false. OSs are exposed to the entire world. Airplane systems require physical access.
... to potentially only one of the components within the system, at any point in its lifetime, across the entire supply chain and all build, test/verify, operations and maintenance processes.
(Edit in reply to child: Yes, obviously "the components within the system" means those actually connected, not a number 3 sprocket in seat 63E's incline mechanism. You have re-iterated my point.)
False. Most components are not connected to any of the relevant busses.
And if you had control over the specific component you need the plane is already compromised, whether the bus is open to spoofing or not is an irrelevant question.
Not physically disconnecting AFDX network from IFE network was one of the reasons 787 got delayed, because even with various Bush cuts to enforcement Boeing was told to go pound sand and redo the wiring until non-avionics bits were physically separated from avionics.
TL;DR it's already a standard and has been ever since the possibility of sharing the networks came to be.
The observation that ARINC 429 can be tapped, and that an active wiretap can alter data on the bus, is of little surprise. The technological challenge is not high; the bus is comparable to a serial port at ~115200 baud. Considering that the technology surfaced in the 1970s, it is of no surprise that physical access restriction is the only means of security.
More interesting IMHO would be what can be done to accelerate the adoption of new technologies (especially w/r/t cryptography) in avionics. This is more than anything a cultural problem: how to convince regulatory bodies, how to satisfy processes, how to re-balance the proven-in-use argument (where stuff gets more favorable safety assessments when it has been used long enough) vs crypto-agility (where the same thing from today just tomorrow becomes insecure without changing itself, because of some external discovery).
The technology is there, but the aviation community is not yet. Another nice read in this domain is "Economy Class Crypto: Exploring Weak Cipher Usage in Avionic Communications via ACARS" [1, 2]. I only say mono-alphabetic substitution cipher.
An interesting connection of Blockchain-tech, safety and security can be found in "Verifiable Computing in Avionics for Assuring Computer-Integrity without Replication" [3]. Here the authors leverage zero-knowledge proofs to prove to a downstream actuator that its commands are indeed the correct results yielded by the application of the appropriate control law on the provided sensor inputs. However, this work is probably at least a decade away from being applicable in actual certified aircraft.
I don't want the cockpit to lose contact with the engines during a flight because a certificate just expired. And even if this particular example isn't realistic, adding security to a system will necessarily add lots of new failure modes. It seems likely that it will be really hard to do this without making the system as a whole less reliable.
I know you mean this in a general sense, but I just wish to point out for everyone that in this scenario you don't actually need certificates: a MAC to prove authenticity is enough.
I think the point that 'masfuerte' was making is that simplicity and redundancy are _the_ bedrock of reliability.
Even if all the new hardware and software to implement this new security model on avionics buses is 100% open and audited by every laudable computer science / security specialist, it's just _more_ to possibly go wrong. That tends to change how people think about risk (whether rationally or not!)
Not really, you still need some system to distribute the shared key.
The paper's method suppresses the original message, then generates a brand-new one, so if the key is easy to find out, then the spoofed message will have a correct MAC. Which means you need a cryptographically secure method to distribute the key, but you also have multiple consumers and you want to be able to replace broken devices too. This sounds like a non-trivial cryptosystem, and asymmetric crypto + certificates is one possible solution.
Key distribution can be done manually at the factory where the plane is built. Which can also keep a keystore holding the key used for each plane. But we don't need to delve deep in this scenario, as ultimately op's point was that, by introducing crypto, you risk adding failure modes to the plane.
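As an added illustration of the parity-versus-MAC point in this subthread (example code, not from the paper or any commenter): a toy model of 32-bit ARINC 429 words with the protocol's odd parity bit, the bus view after one label has been suppressed and re-emitted as the paper describes, and a receiver check keyed with a per-airframe shared key as the comment above suggests. The label numbers, the key, the truncated tag length and the sequence counter are assumptions constructed for the example.

```python
"""ARINC 429 words carry only an odd-parity bit, so a word re-emitted on the bus
with recomputed parity looks genuine; a keyed MAC over the words does not.
Labels, key and counter below are constructed for this example."""
import hashlib
import hmac


def odd_parity(word31: int) -> int:
    """Bit 32 of an ARINC 429 word: makes the total count of ones odd."""
    return 0 if bin(word31).count("1") % 2 else 1


def encode_word(label: int, sdi: int, data: int, ssm: int) -> int:
    """Pack label (8 bits), SDI (2), data field (19), SSM (2) and parity (1)."""
    assert 0 <= label < 256 and 0 <= sdi < 4 and 0 <= ssm < 4
    assert 0 <= data < 1 << 19
    w = label | sdi << 8 | data << 10 | ssm << 29
    return w | odd_parity(w) << 31


def parity_ok(word: int) -> bool:
    return bin(word & 0xFFFFFFFF).count("1") % 2 == 1


def data_field(word: int) -> int:
    return (word >> 10) & 0x7FFFF


def substitute_label(words: list[int], label: int, new_data: int) -> list[int]:
    """Bus view after the paper's attack: the word for one label is suppressed
    and replaced by a new word with the same label/SDI/SSM and valid parity."""
    return [encode_word(w & 0xFF, w >> 8 & 3, new_data, w >> 29 & 3)
            if (w & 0xFF) == label else w for w in words]


def mac_tag(key: bytes, seq: int, words: list[int]) -> bytes:
    """Truncated HMAC-SHA256 over a sequence counter and a batch of words.
    On a real bus the tag would itself have to be carried in extra words."""
    msg = seq.to_bytes(4, "big") + b"".join(w.to_bytes(4, "big") for w in words)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def consumer_accepts(key: bytes, seq: int, words: list[int], tag: bytes,
                     last_seq: int) -> bool:
    """Receiver-side check: parity, monotonic counter (no replay), then MAC."""
    if not all(parity_ok(w) for w in words):
        return False
    if seq <= last_seq:
        return False
    return hmac.compare_digest(mac_tag(key, seq, words), tag)


# Constructed per-airframe key, as if loaded from the factory keystore.
AIRFRAME_KEY = b"example-key-loaded-at-factory-for-airframe-0001"
AIRSPEED, ALTITUDE = 0o206, 0o203  # label numbers chosen for the example only


def demo() -> tuple[bool, bool, bool, bool]:
    """Genuine batch accepted; spoofed batch passes parity but fails MAC; replay rejected."""
    words = [encode_word(AIRSPEED, 0, 250, 0b11), encode_word(ALTITUDE, 0, 35000, 0b11)]
    tag = mac_tag(AIRFRAME_KEY, 7, words)
    genuine = consumer_accepts(AIRFRAME_KEY, 7, words, tag, last_seq=6)
    spoofed = substitute_label(words, AIRSPEED, 90)
    parity_passes = all(parity_ok(w) for w in spoofed)
    mac_catches = not consumer_accepts(AIRFRAME_KEY, 7, spoofed, tag, last_seq=6)
    replay_caught = not consumer_accepts(AIRFRAME_KEY, 7, words, tag, last_seq=7)
    return genuine, parity_passes, mac_catches, replay_caught


if __name__ == "__main__":
    print(demo())
```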
Why is the security of attacks against a data bus a relevant topic? An attacker who has access to the data bus can attack the plane in arbitrary ways; whatever he wants to do, it is easy to imagine a way for him to accomplish what he wants, even if the bus were secure.
For a local data bus it has been relatively unimportant. However, there are radio data links in/out of the aircraft. The scope of data for these links is quite limited today, but likely to grow significantly in the future. There, cryptographic properties become important, and are currently missing. An example would be ACARS.
Also in some aircraft types these data buses are unfortunately not so very hard to access (i.e. accessible from the cabin, with undetected access being even plausible in some cases). So some resilience might not hurt in these cases.
It's important that failure of critical systems is far less threatening than systems providing plausible, yet incorrect data. Redundancy and monitoring catches most of the former but not the latter.
But why? To what end? And where would all the passengers be?
That theory is outlandish, not because of the technical considerations, but the seeming lack of motivation for doing that. A cursory Google search shows that Jeff Wise doesn't have a plausible theory of motivation either.
I don't buy that hijacking a plane and disappearing it and covering it all up, in the process generating extreme publicity, is anywhere near a practical method of kidnapping a person or acquiring a "ghost airliner", and it would be an incredibly risky and brazen 'real-world test of the capability'.
Right, but you can test this real-world with much lower stakes. Airliner aircraft are relatively cheap and easy to acquire.
SCUBA gear is for diving underwater where pressure increases, not for breathing high in the atmosphere where air pressure is lower. There are plenty of suitable breathing apparatuses made for breathing at altitude. SCUBA gear and knowledge is irrelevant to this situation.
There are a multitude of ways to target an individual or a particular piece of cargo without killing so many people in such public fashion.
The attempt to use abductive reasoning here falls short because you're choosing the least likely explanations when far simpler and more plausible explanations exist.
Conspiracy theories like this often, at their heart, rely on an assumption that governments are either irrational or have hidden motivations, but both of these assumptions require a heavy amount of evidence to outweigh all of the evidence to the contrary.
> I don't know enough to judge whether it is likely or not, but it's a pretty fascinating idea.
The fact that some debris of MH370 has been washed ashore means it crashed into the ocean. The plane just hasn't been found (yet). Mentour pilot has a good video on the subject: https://youtube.com/watch?v=MvmfyO8GvTE
Summary: Captain likely hijacked the plane, depressurized the cabin, used his knowledge to avoid detection and crashed the plane into the ocean.