ACARS and ADS-B have nothing to do with aircraft control systems. You don't need an Android app to intercept satellite communication, and even if you 'root' the ACARS computer, it is not connected to the systems that could control the airplane.
Also: to pass DO-254 at level A you must have physical switches for flight/computer functionality; that said, no software can engage autopilot or change AP behavior, you need physical switches to do that. They are NOT similar to keyboard buttons; those switches actually interfere at the hardware level.
1. The specific details of this (admittedly movie-plot-threat) are wonky and not believed by reasonable people in the industry
2. The digital security of most systems, when looked at by Internet-hardened veterans, is somewhere between vulnerable and laughable, so why should planes be different (i.e. gas and water control pumps with Ethernet ports and factory-set default passwords like admin)?
2. seems to be most people's default response - "hey look, another thing that's been connected to the internet, it's probably wide open".
That is a good response to have, as a) anecdotally it seems to be right 9 times out of 10, and b) it's the right side of caution anyway.
The fact that 1. is much harder to do than perhaps shown is indicative that things in the FAA aren't as bad as, say, the sewage treatment industry.
But, even so, all our systems are now connected and so much more vulnerable. And even if this guy cannot down planes with his android phone, he has gotten a hell of a lot closer than anyone not totally paranoid would assume.
I think the correct response would be:
This specific setup does not apparently live up to the media hype. However, all digital security is undergoing a period of massively increased attack, and we should never be complacent. He has gotten further than we expected feasible and will be looking at a program of fixing attack vectors run under the same rules as air-crash investigation. Any known bug is investigated, understood and a comprehensive solution made transparently available to the industry.
UCSD and UW researchers have demonstrated the ability for an attacker to take full control of many modern cars just by dialing the car's 3G modem.
By "full control", I mean everything from "unlock the doors and start the engine" to "engage/disable the brakes and stop the engine".
Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car's two internal subnets.
Edit: No, they really did demonstrate these vulnerabilities on real cars, it's not a theoretical analysis. Here's a link to their full research talk: http://www.youtube.com/watch?v=bHfOziIwXic
In this paper we intentionally and explicitly skirt the question of a "threat model." Instead, we focus primarily on what an attacker could do to a car if she was able to maliciously communicate on the car's internal network. That said, this does beg the question of how she might be able to gain such access.
While we leave a full analysis of the modern automobile's attack surface to future research, we briefly describe here the two "kinds" of vectors by which one might gain access to a car's internal networks.
I've been to both the UW and UCSD security labs and have seen their videos. It's real.
This is ongoing work and honestly I cited the first article I could find.
1) background reading:
RTCA DO-219, if anyone can find it.
2) The slides don't provide enough details, and I haven't had time to listen to the talk to see if it fills in more info. The critical part is how/if he's managed to convince the FMS to accept ACARS uplinks other than the 'harmless' three defined uplink messages that are automatically accepted by the FMS without pilot acknowledgement. My guess is that by having access to an FMS code/simulator, he figured out a buffer overflow or other hack that lets him inject FMS command messages without pilot acknowledgment, which is normally required of all other uplink messages.
3) In my admittedly tiny amount of experience, the designers of avionics communications protocols aren't dumb. They tend to be very old-school looking formats (low level, fixed fields, etc) because they were often designed when avionics equipment had little processing power, but at the same time this means that the format spec has a small surface area. Also sometimes it's possible that there's not 'security' as we think of it in terms of encrypted links, but there is often a lot of thought put into the messaging sequence (send/ack/etc), including pilot confirmation, to ensure that garbage isn't accepted.
I used to work on interfaces to all the computers on the latest 747 and the 787 and there is no wireless way to talk to any of the computers or sensors that have any input to controlling the airplane.
I am not making this up.
On the 747-400 I was in a group whose computer got input from all the 70+ computers on the airplane. It was all wired.
On the 787 I worked on a database during the development of the airplane that tracked all the information that flowed between computers. Nothing came to any computer that controlled the airplane that was not by wire or fiber optics.
I also dealt with ACARS. It is a read-only system on the airplane. It gets information from other computers and transmits it via satellite to the ground.
(I'm not trying to imply anything, just curious.)
Don't they get weather data from somewhere? And if the pilot thought there was a thunderstorm or heavy turbulence in some direction, wouldn't they fly the plane through what appeared to be the clearest route on their own? (And does the autopilot not take weather into account?)
Yes, most (if not all) modern airliners have a radar dish in the nose of the aircraft. If you wanted to mess with this, you'd have to spoof radar echoes. Not something you can do from an android phone for sure.
"And does the autopilot not take weather into account?"
No, not in the slightest. Pilots adjust autopilot settings to account for weather. It is not automatic.
This may be the same as someone who sets up a SCADA system for the local city water & power utility and believes the intranet is isolated, until a month later another contract requires a public server in the office and they just connect the entire thing to the internet.
I can't vouch for the FAA, but hospital equipment manufacturers have even stricter regulation, and there I can vouch for way worse 'upgrades'.
Equipment went through stringent certification, passed all tests, deployed in hospitals, etc. All well and good, right? Did I mention, that I was 13, when I wrote that piece of software ;) And I guess you can imagine the quality of that code :)
So no, it actually was not that bad. No kids were harmed, and no QA teams in India were involved.
Seems like auto-pilot is required to be on already. A wild guess, but maybe his exploit feeds the auto-pilot incorrect information, causing it to make counteracting decisions that effectively give him control.
Perhaps also there is stuff you could do with the weight/balance info stored in the FMS?
ACARS -> FMS -> A/P
Sensors 'broadcast' the information across the systems in a very simple way (electronic but not hackable). Everyone gets its data directly from the sensors.
The FMC is like a pilot without hands. It is a client of the flight control system (another computer), like the pilot itself. When the pilot connects it (this is physically controlled) it can change the parameters of the AP, but it still is not controlling the airplane.
Hypothesis (this is wild): you physically get to the FMC and hack it. The only thing you will be able to do is to change the route (and only if) it is engaged. But under class A/B airspace, this will immediately be noticed by air traffic controllers, who will notify the pilots. Anyway, the pilot should notice it right away. The FMC functionality is very restricted, really.
(Apologies for taking the thread OT, I'm just getting my pilot's license now and have always been fascinated by avionics.)
Being able to control the flight management system, which as you probably know controls much of the automation in a plane including the flight path and position sounds pretty dire. Also sending false data to a plane/pilots poses a security threat in of itself without taking over the FMS.
The spoofed messages are easy to believe, but these message systems (ADS-B and ACARS) do not interface with the FMS, and thus an attacker should not be able to take over the FMS in this way. So some critical piece of information is missing.
Something as simple as a bad from the six-pack of a small plane could be bad news (note: these are usually 100% mechanical systems). As a pilot of small aircraft, goofing up my instruments might help me tie the world record for "lowest flight ever". Something as simple as coordinating my turns with a bad indicator might make me go into a spin (I'm fairly inexperienced).
I can only imagine what would happen to a big jet.
Please don't take any (more?) solo flights until you've remedied this. It should be possible for a pilot to safely fly a small aircraft with no instruments whatsoever in VMC. Instruments do fail, and you must be ready. If you'll spin just because your turn coordinator is wonky, you're not safe.
I've lost airspeed, altitude, and turn coordination. (Not at the same time.) The airspeed one got very interesting due to several confounding factors all hitting at once, and the other two were non-events. I would not sit in a cockpit without an instructor if I wasn't confident that I could safely return to the ground even if the entire instrument panel went away.
Large aircraft are different, but please, get better training on no-instrument flying in your small craft.
That said, bad instrumentation can certainly take down a plane; Air France 447 was a combination of iced up pitot tubes (no air speed indicator) and bad piloting (incompetent stall recovery).
HOWEVER, as a few other people have pointed out, this guy is only interfering with ADS-B and ACARS. Both of those are situational awareness tools, not flight instruments. I am aware of no commercial flight that has gone down due to a failure of situational awareness instruments.
Taking out ADS-B and ACARS is no worse than taking out ground-based radar and VHF radios. People have known how to mess with radar and radios since their inception, but that hasn't posed a security risk for aviation. I expect ADS-B, ACARS and GPS vulnerabilities to be the same.
"Instrument-related pilot error" may (citation needed) cause "most accidents". There are still vanishingly few instrument-related pilot error accidents.
(And in any case, ACARS isn't really an instrument, it's a datalink standard for communication with the outside world -- instruments internal to the aircraft don't use it.)
Step 1) What's something important? (SCADA / Smart Grid / Air Traffic Control)
Step 2) How likely is someone to catch me on the details? (Low)
Step 3) How dramatic can I make this sound?
Step 4) Press Release / Slide Show / Simulation
Step 5) Enjoy sugar hit of popularity.
Step 6) Get asked about vuln / exploit / PoC
Step 7) Fffuuuuuuuuu... Look! Jazz hands!
Step 8) Go to Step 1.
If you work for a boutique security consultancy, interleave elements of panhandling to various customers, clueless managers beating their chests and claiming expertise, and the occasional Congresscritter / Talking Head interview.
It is frustrating that this kind of noise drowns out the signal of actual, thoughtful research or reasonable disclosure. It is the hacker equivalent of security theater where Sensational New Discoveries (TM) distract from hard work and serious issues.
* Some of these talks are real. For instance, bodega ATMs could in fact be jackpotted. You really could open up most of the hotel room locks.
* Some of these talks involve genuinely interesting technical challenges. For instance, anything involving custom RF work. Or the tolling systems, which also had hardware cryptography. You can appreciate these talks just for technical walkthrough.
* In almost every instance, talks like these target industry verticals where there is little to no attention given to software security. A different kind of software developer works on the firmware for a utility smart meter. There is value in forcibly plugging them in to software security.
As an owner/operator of an established boutique security company, I'd push back a little on the panhandling dig. First, the giant security companies are just as bad about that. Second, not every boutique firm traffics in "look at this debug port debugging" talks. I don't see a lot of BS Stach and Liu talks either. For that matter, n runs has a good reputation too.
I think it is fair to say not all boutiques play the sensationalist card. The ones that actually refuse to do this presentation clown cycle suffer some damage and have to work harder, because the showy ones grab mindshare while.
I also agree, the big ones do it, too, but it is harder to pick out against the slow lumbering noises as they rumble from one puppy mill PCIDSS gig to the next.
I think there's room every year for 1-2 theatrical security presentations --- not that I want to give them! --- and that demonstrating that it's easy to jackpot an ATM or pop open a hotel room door is a perfectly valid bit of theater.
I also think some topics become theatrical without sacrificing technical value. For instance, Nate Lawson, Peter Ferrie and I picked a fight with Joanna Rutkowska a few years ago. There was a lot of drama. But the drama was about the accuracy of HPET timers, the AGP GART, and whether we could probe the branch translation buffers to detect hypercalls. I don't think it should have mattered if we got on stage in clown suits and shot nerf guns at the audience; if you're giving a talk about address remapping chipsets, I think it's all fair game. (In fairness: Rutkowska did not agree about the value of the drama.)
I agree that the theater gets tiresome, and, in particular, I think if you're going to shoot for theater, you'd better be right. Your exploit should work. It should work in the real world. It should be repeatable. The problem with the hype cycle here isn't that "taking an airplane down with an Android app" is a bogus topic. It's that you don't believe it's actually possible.
Many years ago a group of folks tried to move the industry away from the "find a bug, win a prize" model that the industry had settled into, seeing it as a local maximum. They didn't seem to have much success.
ADS-B, this is just automating a couple of things, firstly the classic mode-c transponder. Secondly things like weather information and other such, which is often read out on good old analogue radio such as AWOS.
Messing around with that wouldn't be any different from people just squawking fake data.
I suppose there could be opportunity for security exploits on the digital device listening, but the airline industry is very legally enforced at applying updates.
With regards to ACARS I have no idea, as a PPL my rust bucket has nothing that fancy. I suppose there could be buffer overflow type things, or a flaw in the encryption.
However, I still feel that this is a little bit sensationalist; as it stands you could create chaos, as it's just VHF radio and voices.
ADS-B is a simple broadcast of coordinates. Spoofing a position there is just a matter of broadcasting coordinates that aren't where you actually are.
They are looking for a vector. It would be theoretically possible to create a ghost, give it a speed and heading to make people avoid it. But I'm not sure what it would achieve. Maybe I'm not being creative enough.
Thing is though, why would that be any different to "FY holding London NDB UFY 60 descending 40." on the radio. If you then dropped off the radio completely a massive poostorm would happen as ATC tried to figure out who that transmission came from. Whilst ATC have to try and find the plane that thinks it's got full service in class-a space (non pilots this is the busy bits of sky where you have to get permission from guys on the ground) they would divert away from that area.
I'm not aware of a TCAS system which doesn't alert the pilot to the fact it is changing the autopilot heading. If this happened in busy controlled airspace, it would have to be with acknowledgement from ATC or the pilot would at worse do a near miss to avoid a phantom that wasn't there, he certainly wouldn't hit one that was to avoid a ghost which ground wasn't warning him of.
If you're over the north atlantic and the TCAS wants to change heading or attitude, it will alert the meatbag AFAIK.
As for twiddling the autopilot and acknowledgement with ATC, I'm not aware that either is the case. TCAS simply informs the pilot, and current systems never advise any horizontal maneuvers, only climb/descend, because their ability to detect horizontal position is fairly crap. A TCAS advisory takes precedence over ATC commands and is expected to be obeyed immediately unless there's an obvious immediate danger to doing so. You never inform ATC of the TCAS alert and ask what to do, you always obey the machine, then tell ATC what's going on when you have time. If ATC notices the impending collision and gives you instructions that contradict the TCAS's instructions, you follow TCAS and ignore ATC.
I have a very, very low opinion of the TSA.
The only other option is, as another commenter mentioned, a buffer overflow, or similar, that would allow the ACARS receiver to load a program in the FMS. In normal operation, FMS programs are not controllable remotely.
This is the clear implication in the article - compromising the ACARS receiver, then using that access to further compromise another element like the FMS. The article states that the pilot can regain control by disconnecting the AP.
The vulnerability of ADS-B, as I understand it, is the ability to mimic that there is a collision with another aircraft, since it is trivial, as far as I can tell, to send a message impersonating another aircraft.
There is no cryptography of authentication whatsoever in ADS-B, you just write the aircraft ICAO address into a field.
So if I simulate aircraft on a collision course, I think the system will tell the pilot to climb or the reverse, depending on the condition. Maybe this can be used to create troubles...
The same thing happens with sudden changes in GPS messages that are completely out of alignment with the inertial system, they will be ignored. (unless you somehow are capable of knowing exactly where the plane is and gradually hack the GPS messages)
ILS systems are maybe the most dangerous and prone to hacking, but keep in mind that those frequencies are under surveillance and police are dispatched within seconds of a clandestine transmission on those frequencies. Again, here the GPS and inertial systems are also used to guarantee nothing completely wrong is accepted as a valid ILS source.
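The two comments above describe the defensive principle at work in the avionics: a position input that is out of alignment with what the aircraft already knows (inertial data, a prior track) is ignored rather than trusted. The same idea applies on the receiving side of ADS-B, where the ICAO address is an unauthenticated field. The following is an added example, not code from any commenter or from any real receiver, of a kinematic plausibility filter over a stream of ADS-B position reports: it flags tracks whose successive reports imply an impossible ground speed or vertical rate, and tracks that appear at cruise altitude with too little history, as candidates to cross-check against an independent source (secondary radar) before anyone acts on them. The speed, rate and track-age thresholds and all the sample reports are constructed assumptions.

```python
"""Kinematic plausibility filter for ADS-B position reports (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

# Assumed thresholds for this example; a real receiver would tune these.
MAX_GROUND_SPEED_KT = 700.0   # faster than any airliner flies over the ground
MAX_VERTICAL_RATE_FPM = 8000.0
MIN_TRACK_AGE_S = 30.0        # cruise-altitude tracks younger than this are unconfirmed
CRUISE_ALT_FT = 10000.0


@dataclass(frozen=True)
class Report:
    icao: str      # 24-bit ICAO address as hex, exactly as transmitted (no authentication)
    t: float       # receive time in seconds
    lat: float     # degrees
    lon: float     # degrees
    alt_ft: float  # barometric altitude in feet


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def implied_ground_speed_kt(prev, cur):
    """Ground speed the two reports would require, in knots."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("reports must be in increasing time order")
    return haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / dt * 3600.0


def implied_vertical_rate_fpm(prev, cur):
    """Absolute vertical rate the two reports would require, in feet per minute."""
    return abs(cur.alt_ft - prev.alt_ft) / (cur.t - prev.t) * 60.0


def assess(reports):
    """Group reports by ICAO address and return {icao: [anomaly strings]}.

    An empty list means the track passed every check; anything else means
    the track should be cross-checked before being treated as real traffic.
    """
    tracks = {}
    for r in sorted(reports, key=lambda r: r.t):
        tracks.setdefault(r.icao, []).append(r)

    findings = {}
    for icao, track in tracks.items():
        issues = []
        for prev, cur in zip(track, track[1:]):
            if cur.t <= prev.t:
                issues.append("duplicate or non-monotonic timestamp")
                continue
            gs = implied_ground_speed_kt(prev, cur)
            if gs > MAX_GROUND_SPEED_KT:
                issues.append(f"implied ground speed {gs:.0f} kt exceeds {MAX_GROUND_SPEED_KT:.0f} kt")
            vs = implied_vertical_rate_fpm(prev, cur)
            if vs > MAX_VERTICAL_RATE_FPM:
                issues.append(f"implied vertical rate {vs:.0f} fpm exceeds {MAX_VERTICAL_RATE_FPM:.0f} fpm")
        age = track[-1].t - track[0].t
        if track[-1].alt_ft >= CRUISE_ALT_FT and age < MIN_TRACK_AGE_S:
            issues.append(f"track at {track[-1].alt_ft:.0f} ft observed for only {age:.0f} s; unconfirmed")
        findings[icao] = issues
    return findings


# Constructed sample: one steady track at about 450 kt and one "ghost" that
# jumps roughly 50 NM between two reports 10 s apart. Neither is real data.
SAMPLE_REPORTS = [
    Report("ABC123", 0.0, 34.0000, -118.0, 35000.0),
    Report("ABC123", 10.0, 34.0208, -118.0, 35000.0),
    Report("ABC123", 20.0, 34.0416, -118.0, 35000.0),
    Report("ABC123", 30.0, 34.0624, -118.0, 35000.0),
    Report("ABC123", 40.0, 34.0832, -118.0, 35000.0),
    Report("DEF456", 5.0, 34.5000, -118.0, 35000.0),
    Report("DEF456", 15.0, 35.3333, -118.0, 35000.0),
]

if __name__ == "__main__":
    for icao, issues in assess(SAMPLE_REPORTS).items():
        print(icao, "OK" if not issues else "; ".join(issues))
```

The filter is deliberately conservative: it never decides a report is "spoofed", only that a track is not yet consistent enough to trust, which is the same posture the thread attributes to the GPS-versus-inertial check on board. A receiver that feeds a display or an advisory system would hold such tracks for correlation with an independent sensor rather than present them as confirmed traffic.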
ACAS is responsible for determining the vectors for the aircraft and the local targets. If there is a collision path calculated, ACAS then communicates with the target's ACAS to determine which way each aircraft is going to move. The pilot is then responsible for executing this action.
Video of spoofing ADS-B: http://www.youtube.com/watch?feature=player_embedded&v=N...
(I believe if you spoof ADS-B it means you can generate TCAS warnings, which pilots are trained to prioritize over ATC commands due to earlier incidents where TCAS was correct and ATC was wrong: http://en.wikipedia.org/wiki/%C3%9Cberlingen_mid-air_collisi... )
Realistically, the idea of putting encryption on ADS-B is one of the stupider ideas ever. I mean, can you imagine a crash caused because someone didn't update their CA list, and thus it rejected the signature of another plane?
Anyways, you could just jam the whole ADS-B system for your region. The system is protected by aggressive action against rogue transmitters.
Also the "with an android phone" part is disingenuous, as you'll need a fair amount of equipment.
There is no exploit here.
If you want more detail about why this would never land, I've written about it here: http://zapistan.net/blog/2013/4/11/fear-mongering-the-friend...
It seems to me that the article has a lot of "in real life" caveats. There's a lot of elements that have to be in place in order for an attack like this to work, beginning with the fact that the attacker would need a powerful, very specific transmitter for the ACARS frequencies.
The way I see it, this looks more like a publicity stunt than anything else.
36K feet is 6NM vertical. I have an antenna in my car, and enough power with the car running to reach a large aircraft audience. This doesn't even take into account if I have the transmitter and a lithium ion battery in my luggage (I've travelled across the world with Pelican cases loaded with AV and IT kit; no one asks, and they've only been opened by the TSA twice).
TL;DR Unauthenticated, unencrypted radio protocols are vulnerable, that's all.
Rough back-of-the-envelope calculations give a range of about 300 NM for an aircraft at 37,000 ft.
The idea here is that it is a possible exploit. Sure, the media are a bunch of morons who just bounce from one headline to another, but not to treat this as a real possibility would be foolhardy. It needs to be tried in a controlled environment and mitigated if necessary (after real-life testing) and feasible.
I'm rather doubtful that the actions presented in this article can be done in that manner.
By now just tell you that both systems are capable of creating great troubles if they can be accessed as easily as he claims (and I think they are).
If you can access the wiring in the aircraft, especially with the new fly-by-wire stuff, you could cause problems. None of the communications are encrypted (as far as I know), because it's pretty much assumed you can trust what's on the a/c buses. Also, redundancy helps get rid of erroneous data when it only shows up on one bus.
I don't know much about ACARS and ADS-B. While it wouldn't surprise me if there were problems, we also tend to notice rogue transmissions in our spectrum. Much more quickly than people realize.
This sounds more like spoofing an SMS from the airline's dispatch.
Sort of makes sense that a simulator would have the ability to load scenarios without pilot acknowledgement; that has no bearing on whether it would work in a Boeing or Airbus.
The ATC system is pretty vulnerable to DoS though.
* Shall respond immediately and manoeuver as indicated, unless doing so would jeopardize the safety of the airplane
* Shall follow the RA even if there is a conflict between the RA and an Air Traffic Control (ATC) instruction to manoeuver
(Also, despite procedures, airline pilots are not automatons. They may be able to insert their brain into the loop to avoid disaster, despite the opposite happening from time to time.)
To create a "fake aircraft", one would have to "fake the primary" also.
Civilian Air Traffic Controllers in the US, Australia and numerous other countries only have Secondary Radar.
It used to be the running joke when I learnt to fly.
"How is a Cessna 150 like a Stealth Fighter?"
"With the transponder turned off.. neither will show on secondary radar"
The US Air Force, NORAD and NATO still maintain primary Air Defense radar. Especially in the US, a business jet or airliner without a functioning and active transponder is likely to get intercepted by a F-16 and escorted to land at the nearest suitable airport.
I think talks like these are the absolute best way to light a fire under vendors (or an industry) to get these issues addressed. In this case we're no doubt talking about a very expensive remediation process. It also makes you wonder how bad the security will be for the next-gen GPS based systems.
I do worry the protections are not strong enough for researchers who give these talks, especially in areas like national security. It's a brave thing that Teso did going public with these vulnerabilities, and I sincerely hope we aren't reading about harassment coming his way in the future.
I worked on the 787 and a derivative of the 747. They use protocols defined by ARINC (google it) that are only used in the airplane industry. Stuff like telnet need not apply.
How about a simple hardware device covertly attached to the plane's flaps and rudders... Then using a smart phone to control that hardware device, thus mechanically overriding the onboard aircraft control system and giving an attacker a degree of control over the plane.
How hard is it to get access to a plane to install something like this? Is it possible for a plane to pass an inspection with this device installed?
I imagine the motors that control the flaps are powerful, but even being able to lock them up would be useful. Let's say the plane rolls 10 degrees. We can then trigger the device that physically jams the motor, locking the flap in that position.
This could be like some small gel that expands and hardens.
You are only as secure as your weakest point.
That's not something most people have access to, and in most places someone would notice that you put up a 30 foot parabolic with auto-aligning mounts on your house.
You also don't need to be on the plane. A typical ADS-B transmitter can be picked up pretty easily from over 100 miles away--I can broadcast to every aircraft over Los Angeles from my backyard if I want.
I don't know about ACARS, but I would imagine it's similar.
"has not shared" but then what is the security and methods by which he keeps the info private within his own computing environment? A motivated attacker could certainly take the initiative to get the info from him. Either by physical break in, phishing or some other devious method.
Also you think somebody doing something illegal like this is going to listen to any rule that involves turning your phone off? If anything they'll just be discreet about it.