Hacked! Airplanes face risk of cyber-attacks, warns security researcher

For travelers with a fear of flying, here is unfortunately one more reason to get panicky at the thought of boarding an airplane.

Security researcher Ruben Santamarta, a consultant for security firm IOActive, says he figured out a method of hacking into the plane's satellite communications system using the plane's in-flight Wi-Fi and entertainment systems. Santamarta will present the details of his research at Thursday's Black Hat hackers' conference in Las Vegas, an annual convention that provides a venue for researchers to present breakthrough findings in cybersecurity.

"IOActive found that 100% of the devices could be abused," says a summary of Santamarta's presentation on the Black Hat website. "The vulnerabilities we uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols or weak encryption algorithms."

Santamarta discovered the vulnerabilities by decoding special software called firmware used to operate avionics equipment manufactured by companies such as Cobham, Harris, Hughes Network Systems, Iridium Communications and Japan Radio. He was then able to hack into Cobham's Aviation 700 satellite communications system by simply using Wi-Fi and entertainment systems onboard.

"These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products," continues Santamarta in his summary. "In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it."

One particular vulnerability that Santamarta found in equipment made by all five manufacturers is the use of hardcoded credentials, which allows multiple persons to access a plane's communications system using a single username and password. By reverse engineering the equipment's firmware, hackers can obtain login credentials and penetrate the system.

But while Santamarta says that equipment manufactured by all five companies are not exempt from the threat, he acknowledges that he has only been able to launch the attacks in controlled environments devised in IOActive's laboratory and hackers may have difficulty putting the hacks into practice. However, if real-world attackers prove to be able to replicate Santamarta's results, it could pose a real threat not only to the aviation and aerospace industry but also in other industries using similar satellite communications systems, such as military vehicles, ships, oil rigs, wind turbines and gas pipes.

And while the five companies named in Santamarta's research have confirmed some of his findings, spokespersons for all of them said there is not much to worry about. Greg Caires, spokesperson for Cobham, says hackers need to have physical access to Cobham's avionics equipment for them to interfere with the communications and navigation system.

"In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only," Caires says.

Judy Blake, spokesperson for Hughes, says customer services requires the use of hardcoded credentials and that hackers will only be able to do so much as disable communications. Iridium spokesperson Diane Hockenberry, meanwhile, says the company is taking precautionary measures to ensure security, although the risk to Iridium customers is "minimal."

Santamarta says he will address these comments from the avionics industry in his presentation on Thursday.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics