Airborne Stuxnet? IT Security Threats for Modern Computerized Aircrafts

Marko Wolf, ESCRYPT GmbH – Embedded Security

AVIONICS Europe 2012, 22.03.2012, Munich, Germany


The Stuxnet Incident (2010)

Large-scale sabotage of nuclear facilities in Iran by malicious manipulation *) of centrifuge control software

US/Israel intelligence services as suspected attacker

Sophisticated attack via PLC programming device, which is regularly connected to Internet-enabled, even Windows®-operated and very vulnerable desktop PCs

[Figure: PLC system, program device, desktop PC; labels: Vulnerability, USB.., LAN, USB..]

Connecting weakly protected Internet-enabled devices to unsecured IT systems

Images (some): http://commons.wikimedia.org.
*) N. Falliere et al.: W32.Stuxnet Dossier. Symantec Corp Whitepaper, 2011.

The Stuxnet Incident (2010)

The Stuxnet incident alarmingly demonstrated at least that:

1. Cyberwar is no longer science fiction. Concerted IT security attacks are real – they are already strong political, economic, and even military weapons.

2. Ongoing computerization and increasing digital interconnections make most of today’s IT systems susceptible to attacks, including systems that were thought to be immune to serious security threats, such as industrial automation, medical devices, cars …

... and modern computerized aircraft?

Intercepting U.S. Predator drone’s live video feeds (2009)

US drones remotely operated using bidirectional comm.

2009 *) – US military personnel in Iraq discovered copies of Predator drone video feeds on an Iraqi militant’s laptop

Intercepted communication links with commercially available software (“SkyGrabber”) and cheap off-the-shelf equipment

Enemies could use the data/video “kindly provided” by the drone to monitor and evade military actions

Unprotected, this means no confidentiality for outgoing communication links

*) The Wall Street Journal: Insurgents Hack U.S. Drones. December, 2009.
Image: http://commons.wikimedia.org/wiki/File:081131-F-7734Q-001.jpg.

Spoofing U.S. RQ-170 Sentinel drone’s GPS navigation (2011)

US drones act automatically on certain comm. inputs

2011 – US Sentinel drone “logically downed” by Iran w/o damage and failing automatic return or self-destruction

Presumably 1) (US: “spectacular malfunction” vs. Iran: “electronic warfare”) by spoofing drone's GPS navigation system causing it to land automatically

Enemies could acquire secret technology and embarrass US

No matter what happened exactly, GPS spoofing is exemplary, but realistic 2), for unauthenticated ingoing communication links

Images: Iran´s Revolutionary Guard Websi Handout (top), Humphreys et al. (bottom).
1) D. Majumdar: Iran’s captured RQ-170: How bad is the damage? AirforceTimes, 12/2011.
2) Humphreys et al.: Assessing the Spoofing Threat: Development of a Portable GPS Civilian Spoofer. ION GNSS, 2008.

Spoofing phantom aircraft w/ faked ADS-B message beacons

ADS-B 1): digital aircraft beacons containing the aircraft’s unique identity, position, speed, heading and other data

Broadcast at 1 Hz on 1090 MHz to make aircraft visible in real time for nearby aircraft, ground control, air traffic control, collision avoidance…

ADS-B used by most commercial aircraft and foreseen to replace radar

ADS-B specs have no authenticity or integrity protection against manipulations or spoofing 2)

Image: http://en.wikipedia.org/wiki/File:Adsbhome2.jpg.
1) Automatic Dependent Surveillance-Broadcast.
2) K. Sampigethaya et al.: Secure Operation, Control and Maintenance of Future eEnabled Airplanes. IEEE Special issue on Aviation Information Systems, 2008.

Spoofing phantom aircraft w/ faked ADS-B message beacons

Misuse freely available, portable ADS-B transponder

Spoofed phantom aircraft

Interference of phantom aircraft, for instance, w/ TCAS collision avoidance

Just imagine, a new, digital “Roanoke Phantom” *)…

Images: http://commons.wikimedia.org/wiki/File:NAV_Geräte_im_Cockpit_einer_C172_1212_VOR_Transponder_ADF.JPG, Airzena_Boeing_737-500_Nikiforov.jpg, Tcas_EU-Flysafe.jpg
*) J. Epik. Phantom Controller. Beach Mountain Press, 2012. In 1993, someone impersonated an air traffic controller, sending bogus ATC messages to pilots via analogue radio for 6 weeks.
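
Since ADS-B reports carry no authenticity or integrity protection, a receiver can only judge them by plausibility. The following added example (not part of the original slides) cross-checks each track's reported speed and heading against the movement implied by its consecutive positions; the report layout, thresholds and sample reports are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

EARTH_RADIUS_M = 6_371_000
KT_TO_MS = 0.514444
MAX_SPEED_KT = 700      # assumed ceiling for civil traffic
SPEED_TOL_KT = 60       # assumed tolerance, reported vs. implied speed
HEADING_TOL_DEG = 30    # assumed tolerance, reported vs. implied heading

def distance_and_bearing(lat1, lon1, lat2, lon2):
    """Great-circle distance (m) and initial bearing (deg) between two fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    y = math.sin(dlon) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlon)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)), math.degrees(math.atan2(y, x)) % 360

def check_tracks(reports):
    """Return {icao: [reasons]} for tracks whose own reports contradict each other."""
    tracks = defaultdict(list)
    for icao, *fix in sorted(reports, key=lambda r: r[1]):
        tracks[icao].append(fix)
    findings = defaultdict(list)
    for icao, trk in tracks.items():
        for (t0, lat0, lon0, _, _), (t1, lat1, lon1, speed_kt, heading) in zip(trk, trk[1:]):
            if t1 <= t0:
                findings[icao].append("duplicate timestamp")
                continue
            dist, bearing = distance_and_bearing(lat0, lon0, lat1, lon1)
            implied_kt = dist / (t1 - t0) / KT_TO_MS
            heading_gap = abs((bearing - heading + 180) % 360 - 180)
            if implied_kt > MAX_SPEED_KT:
                findings[icao].append(f"position jump implies {implied_kt:.0f} kt")
            elif abs(implied_kt - speed_kt) > SPEED_TOL_KT:
                findings[icao].append("reported speed contradicts movement")
            elif implied_kt > 50 and heading_gap > HEADING_TOL_DEG:
                findings[icao].append("reported heading contradicts movement")
    return dict(findings)

# Constructed, already-decoded reports: (icao, t_s, lat, lon, speed_kt, heading_deg).
SAMPLE = [
    ("A00001", 0, 48.0, 11.000000, 450, 90),    # consistent eastbound track
    ("A00001", 10, 48.0, 11.031114, 450, 90),
    ("A00002", 0, 48.5, 11.5, 300, 180),        # position jumps 0.4 deg in 10 s
    ("A00002", 10, 48.9, 11.5, 300, 180),
    ("A00003", 0, 48.2, 11.8, 400, 270),        # claims 400 kt but never moves
    ("A00003", 10, 48.2, 11.8, 400, 270),
]
```

A track that passes these checks is only self-consistent, not authenticated; independent sources such as radar returns or multilateration are still needed to confirm that an aircraft is really there.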

Potentially vulnerable on-board networks connected with IFE

In-flight entertainment systems (IFE) are insecure 1) legacy systems

With Boeing 787 and others, Internet-enabled IFE systems have “somehow” 2) become connected to critical aircraft domains, which are neither designed nor FAA-regulated to thwart any security threats

Mission-critical systems are potentially susceptible to security attacks via IFE 3)

Potential 3) risk of unauthorized access due to insufficient separation of aircraft on-board IT domains

1) H. Thompson: How to crash an in-flight entertainment system. blogs.csoonline.com, 2009.
2) K. Zetter: FAA Responds to Boeing Security Story. wired.com, 2008.
3) FAA Special Conditions No. 25-356-SC: Boeing Model 787-8 Airplane. Systems and Data Networks Security – Isolation or Protection From Unauthorized Passenger Domain Systems Access.
Images: commons.wikimedia.org/wiki/File:Flight_entertainment_system_uses_Linux.jpg.

Integrating COTS-based Electronic Flight Bags

Electronic flight bags (EFB) for flight crew cockpit data management tasks (e.g., manuals, dynamic maps, live weather, takeoff or flight calculations, night vision [military]) digitally connected to airplane onboard data network and airport infrastructure (for content updates)

For class 1 & 2 realized by WiFi and Internet-enabled COTS devices (e.g., iPads, Android or XP tablets) with known vulnerable legacy operating systems (e.g., Microsoft Windows)

Current EFB approvals (e.g., TGL 36 JAA EFB) consider mainly (IT) safety (e.g., battery) but barely IT security

Potential from EFB denial of service attacks up to malicious onboard encroachments

Images: Own sketch of an actual navAero EFB connection system. More details cf. www.navaero.com/?page=products&subpage=tablet.
(Cockpit) http://commons.wikimedia.org/wiki/File:C130_cockpit.jpg.

Modern Computerized Aircraft

Several dozen digitally interconnected, complex IT systems, highly integrated, sharing HW resources/periphery/interfaces, & running GBs of SW

Various (wireless) interfaces, some of which are connected to Internet-enabled devices (e.g., EFB) for data exchange (airport, airline), diagnosis, maintenance..

Built from millions of components from sub-sub-suppliers from all over the world, which makes it impossible to track the complete supply chain

Standardized, homogeneous modular architecture approach, and hence increasing deployment of off-the-shelf hardware and software components

Cf. M. Olive et al.: AEEC Communications Security Activities. International CNS Conference, 2007.

Aircraft Comm. Security Threats

Enforcement of confidentiality and authenticity for military aircraft-to-X communication is still difficult and rare *)

Civil aircraft comm. is generally in the clear, using open, shared links w/o measures to verify the integrity of the communication or the authenticity of the comm. endpoints, or to enforce access control to the comm. link

*) J. Keller: Military crypto modernization leads to applications like smartphones, tablet computers on the battlefield. Military & Aerospace Electronics, 11/2011.

Further Aircraft Security Threats I

“The future of digital systems is complexity, and complexity is the worst enemy of security.” (B. Schneier)

since complex systems:

– have more lines of code → more security bugs

– have more interactions → more security bugs

– are harder to test → more likely to have untested portions

– are harder to design, implement, configure, and use securely

Increasing sharing of resources and interfaces together with inter-domain connections (i) create new attack paths and (ii) multiply security vulnerabilities through complexity

Further Aircraft Security Threats II

Counterfeits from “dubious” sources 1) or even malicious “Trojan” hardware 2) or software components that may already include malware

Standardized, homogeneous IMA *) architectures and increasing deployment of COTS *) hardware & software increase the “coverage” and power of attacks and malware

Aircraft components undergo a strong safety evaluation, but they are usually not evaluated regarding their IT security properties, since there are no or only few, very slowly evolving regulations regarding IT security 3)

1) C.E. Schumer: Counterfeiting of Military Technology, Press Release, July, 2011.
2) M. Tehranipoor et al.: A Survey of Hardware Trojan Taxonomy and Detection. IEEE Design & Test of Computers (27), 2010.
3) Cf. DO-178B from 1993!, ARINC 666, ARINC 823, ARINC 653, or ARINC 811.
*) Integrated Modular Avionics (IMA), Commercially available Off-The-Shelf (COTS).

Potential Aircraft Attackers

Potential attackers could be:

– Enemy cyberwar units to repel, interfere with, mislead, or destroy a particular aircraft (cf. drone incidents)

– Adversarial intelligence services for sabotage (cf. Stuxnet incident) or for politically or economically related espionage

– Terrorists (or terrorist groups) to sabotage a particular aircraft or aircraft control system for politically motivated extortion or intimidation

– Business competitors for industrial espionage or even limited sabotage to attack others' costs or reputation

– Autonomous, unidentified hackers or hacking groups for fun, fame, politics, revenge, or profit

Attack potential can be high based on:

– Financial resources

– Attack expertise

– Target knowledge

– Technical equipment

– Access perimeters

– Time frame

Quick Summary

Cyber attacks have already reached the avionics domain.

Presented four of the rare publicly known military and civil security examples, but assume a much higher dark figure.

Potential attackers range from “hacking passenger” up to million-dollar, multiple-expert electronic warfare units.

Aircraft security threats from increasing: computerization, homogenization, integration, complexity, resource sharing, inter-domain and wireless connections …

In contrast to IT safety, aircraft IT security has only very recently started to emerge, but effective & efficient protection mechanisms already exist (cf. automotive).

For first practical recommendations, please have a look at our article or visit next year’s ESCRYPT presentation ;)

Marko Wolf
Senior Security Engineer
ESCRYPT
Munich, Germany