Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]

Going DeeperAVIATION SECURITY

on

2014

Safety

IS NOT

Security

2014

Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March

Part I Prev iously on ...

Part II Faster, Stronger and Higher

Agenda

2014


PART I Previously on...

2014


Attack Review

Info Gather ✈ ACARS

Exploit ✈ SYSTEM S

D iscovery ✈ AD S-B

http://blog.nruns.com/blog/2013/10/14/Aviation-Security-Hugo/

2014


ADS-B In/Out

Aircraft Position

Speed, Altitude

...

D iscovery

Target discovery/mapping

GSP and/or SDR

Passive monitoring

2014


ACARS

Flight Plan, DB

Systems updates

...

Gather

System enumeration

011010101001010100101011101111100000

010101010101001001010101000101010101

010101100000010101010000011110111000

Passive monitoring

2014


Info

ACARS

MALFORMED

DATA

...

Exploit

System exploitation

011010101001010100101011101111

010101010101001001010101000101

010101100000010101010000011110

GSP and/or SDR

2014


Complexity++

2014


ATTACK++

2014


Worldwide targetingFewer requirements

Standard technologies

The “glue” of the aviation ecosystem

Worldwide targetingFewer requirements

Standard technologies

✈✈✈

2014


[URL] + "></span></td></table></form>

<script>alert('XSS')</script><"

2014


[GDC ID] = meow" id="gdc_id" /><br/><script>alert('XSS')</script><"

2014


» Send messages

» View position reports

» Advanced search

» Activity logs

» Export data

» ...

2014


Complexity--

Not from a phone they said...2014


DEMO TIME!

How Is that useful?

2014


PART II FasterStrongerHigher!

2014


The Internet

2014


Send me two!

No Credit card?2014


Erm... I... nop :'(

Do you have an aircraft poor lad...?

2014


2014


Thanks ARINC! :D

Next day on my mailbox...2014


Who cares... ¡it's FREE!

2014


AMI (Airline Modifiable Information)

Modifying system functionality with new software instead of with new hardware...● All Boeing● All Airbus● Etc ...

2014


LSP (Loadable Software Parts)

O PC * ✈ Confg

A M I ✈ A irline

O PS* ✈ Softw are

* Operational Program Software/Confguration

2014


LSP (Loadable Software Parts) ● Operational program software (OPS)

● The operating system of a Line Replaceable Unit (LRU)● Operational program confguration (OPC)

● Specialized DB that determines the LRU confguration● Database

● FMC NDB, Engine, Performance, takeofs, ACARS, etc.● Airline modifable information (AMI)

● Supplies information to the OPS● Include logic units, which are high-level program code

2014


LSP (Loadable Software Parts)

Attack vector?

(...) Digital storage media (typically 3.5-in disks)

2014


2014


Stubborn as I am...

AMI Wireless data loader

2014


TELEDYNE TECHNOLOGIES

2014


TELEDYNE TECHNOLOGIESTeledyne LoadStar Server Enterprise

Eliminate media (foppy disks, CDs)

Web-based distribution instantly transfers Software Parts to data loaders and directly to the aircraft via wireless links

This integrated solution makes it possible to electronically distribute Software Parts from desktop to data loaders across the feet with a single press of a button

2014



A reliable and cost efective way to move data on and of the aircraft

Simultaneous use of 3G/4G cellular radios using enhanced HSPA

Requires a Wireless Access Point in or near the cockpit.

2014



Supported Aircrafts

Boeing 787, 747-8, A380 and A350Airbus EFB and Boeing EFBsAll legacy aircraft A320, A330, B737, B747, etc.Boeing 777 and Embraer ERJ 170/190

Targets! Targets! Targets!

In use at over 40 airlines worldwide

2014


TELEDYNE TECHNOLOGIESLoad Confgurations

Fight Management Systems (FMS) Integrated Display System (IDS) Aircraft Condition Monitoring System (ACMS) Advanced Cabin Entertainment and Service System (ACESS) Central Management System (CMS) Automatic Flight System (AFS) Centralized Fault Display System (CFDS) Aircraft System Controller (ASC) Flight Management Computer System (FMCS) Electronic Display System (EDS) Aircraft Data Acquisition System (ADAS)

FMS: NZ 2000 / Mark III CMU?

2014


2014


NewAttack

WiFi, 3G/4G

WiFi/3G/4G

MALFORMED

LSP/AMI/NAV DB

...System exploitation

Fleet deployment

2014


Delivery

Used by over 100 operators

2014


Delivery

Finding targets... Help me?

2014


My two cents

Airlines Maintenance

How to get the code? Either...

Or...

2014


Source Code

Training SW System SW

¿Simulator?

2014


Source Code

Training SW

Compile

2014


Source Code

Training SW

System

System

System

System

EmulatedCompile

2014


Emulated

Source Code

Training SW

System

System

System

System

RCECompile

2014


Emulated

SAMESource Code

Real SW

Compile

2014


Emulated

SAMESource Code

Real SW

System

System

System

System

EmulatedCompile

2014


VxWorks

An embedded, RTOS developed by Wind River Systems

● Multitasking kernel ● Preemptive and round-robin scheduling● Fast interrupt response

● User-mode applications ("Real-Time Processes", or RTP)● Isolated from other user-mode applications as well as the kernel via memory

protection mechanisms.● SMP and AMP support● Error handling framework● Binary, counting, and mutual exclusion semaphores with priority inheritance● Local and distributed message queues● POSIX certifed

2014


VxWorks

Really...?● All “applications”

run as kernel threads● Little memory protection

between apps● Everything runs with the

highest privileges● ...but not necessarily

the highest priority.

Fun with VxWorks (H D Moore)

2014


DEMO TIME!

2014


Catenstein!

Project... 2014


Catenstein

2014


Airplane

I can't haz...

Aircraft sensors AutopilotFMS

2014


Drone

I can haz...

Aircraft sensors AutopilotFMS

2014


Catenstein

SensorsTelemetry

REAL CODE

Brain transplant

2014


DEMO TIME!

2014


[email protected]

since 2009

@hteso http://www.commandercat.com

http://blog.nruns.com

Hacking Aircrafts

2014

http://www.commandercat.com/

Technology

Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]