Feds Say Researcher Commandeered a UA IFE
 

FBI: researcher admitted to hacking plane in-flight, causing it to “climb”
 

FBI: researcher admitted to hacking plane in-flight, causing it to ?climb? | Ars Technica

Chris Roberts, told the FBI that he:

"connected to other systems on the airplane network after he exploited/gained access to, or "hacked" the [in-flight entertainment] system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or "hacking" the airplane’s networks. He used the software to monitor traffic from the cockpit system.":ugh:

Hacker turns a/c
 

Someone tell me that these a/c have physically separate networks for flight systems vs entertainment. Did the bean counters save a few $$$'s by using only one network device instead of 2?

This guy is a white hat. Probably formally requested a fix before demonstrating vulnerabilities as a last resort.

I'm sure the military would be very interested in an aircraft that can fly "sideways" :)

Complete nonsense there is no connection from the IFE system to the EEC utter rubbish

Utter tosh on the 737/757...

Amazed the IFE was working though...

Old news. This bloke made headlines last month after United blacklisted him following a (hopefully) tongue-in-cheek tweet about Deploying the oxy masks in flight.


That being said, I have no doubt it would be possible for someone sufficiently talented to view data on board, and perhaps even modify it. External systems are even easier. Howabout a TCAS RA based on a series of non-existent ADS-B transmissions? A false "Beware, pax in 14D is a hijacker" ACARS message to the crew?


How long it'll be before someone uses these vulnerabilities remains to be seen.

Afaik TCAS gets range/distance from radio interrogation roundtrip time and extrapolates from differences to determine whether an a/c is getting closer. Angle/bearing from directional antennas. Both pretty hard to spoof... (unlike ADS-B altitude, heading and position). Most of these reported "hackers" seem to be attention whores who peddle hot air to journalists.

FWIW- the FEDS seem to believe him
 

Feds Say That Banned Researcher Commandeered a Plane | WIRED

and the search warrant is at

http://aptn.ca/news/wp-content/uploa...lectronics.pdf

IF- big IF true- then there is a bit of splainin to do by the so called ex- spurts ! :8:ooh:

But be sure to read the whole article !!

How does IFE display the position, altitude, speed, OAT, wind ?

How does IFE display the outside camera ?

How does IFE have channel 9 (cockpit and ATC transmissions) ?

While I know its not the EEC, I would think there is an ARINC data bus between the IFE and the aircraft. Given that many of these busses contain bridges and gateways, direct control over an engine may not be required. With FADEC aircraft that connect to an autothrottle, I would think providing false sensor information onto the bus (e.g. change in one TAT input by 20 degrees), and then letting the engine through the autothrottle adjust performance may be a way to get this result.

Certainly convective clouds can have similar asymmetrical effects on TAT readings.

Every time I looked into such "hackers" claims as reported in the media it turned out to be yet another movie plot. For various reasons "providing false sensor information" on an AFDX network/ARINC bus would require physical access to something else than IFE. To give just one example of an obstacle I see to the "hacker commandeers a/c via IFE" scenario is that all devices connected to an AFDX network are known and addressing is based on a fixed table of MAC addresses, and switches do some form of traffic policing. The aim is to lower latency and ensure bandwidth but a side effect is that it hardens the network. While there may be a physical wire between IFE and other devices (this is what inspires the movie plots), from the perspective of an IFE terminal communication between avionics components pretty much happens on a secure channel. If I see a "hacker" with an AFDX analyzer in an avionics compartment I'd be a bit concerned, but a "hacker" with an Android phone or a laptop in his seat, not really.

ADFX is only on the A380, 787, and A350.

The FBI claim to have evidence that indicates physical tampering with the under seat box and the connection of a cable to those boxes.

As for a MAC address itself, it is very easy to change on most devices in software. Often devices like IFE boot from the server, and have their MAC address displayed on the seat back screen during boot.

<<How does IFE have channel 9 (cockpit and ATC transmissions) ?>>

Well, they do - that's for sure!

I don't know about TCAS deriving information from directional antennas? Where did this come from?

swh - I'm thinking out loud. Let's assume you connected your device X to an under the seat box. Yes you can easily change your device's MAC address in software. Now you want to change the MAC address of your device X, to spoof the MAC address of sensor Y. But how do you sniff the MAC address of sensor Y if there is no packet from or to Y on the segment of the network you're listening to? It also doesn't introduce itself to you with ARP broadcasts. You also can't alter the hardcoded table of MAC addresses that every device except yours has. Assuming you figured out a way, now how do you insert your spoofed packets to go beyond a switch that discards your packets?

I agree, it does repay reading.

"Based on the investigation described above [principally an interview with Roberts and his Twitter claims], probable cause exists to believe that inside the Devices(s) described in Attachment A [iPad, MacBook, various hard drives and thumb drives, etc] will be found evidence, fruits and instrumentalities of a violation of Title 18, United States Code sections 1030(a)(2), 1030(a)(5)."

The relevant USC sections:

"1030(a)(2) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;

1030(a)(5) Whoever-
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

shall be punished as provided in subsection (c) of this section."

Heathrow Director: as I understand it, a directional antenna with four slightly overlapping 90+ degree segments, is used to reduce overlapping transmissions/garble, multipath interference and/or other interesting things I know little about. TCAS II (current) uses a directional antenna on top of the a/c and most installations also a directional option at the bottom. Very neat and well engineered. A side effect is that there is some directional information which can't be spoofed easily...

see Introduction to TCAS II V 7.1 from the FAA, p 11, 12, 18, 19, much more details

cue "a firm grasp of the non-essential" for checkers.

Edit: TCAS doesn't derive angle/bearing from directional antennas (this was intented in TCAS III, but precision isn't good enough), yet the directional antennas could be an obstacle to a "hacker" :)

And there we have it - the attitude responsible for every successful computer security breach ever.

The so-called evidence of someone tampering with the Ethernet port near the "hacker's" seat is a slightly damaged housing and some slightly backed-out screws. Coincidentally this is the same damage the housing would receive if bumped a few hundred/thousand times by passenger feet and/or luggage.

Remember the first rule of aviation journalism is it's nearly certain the story has something to do with an aircraft, all other details are highly questionable. The reporters and editors in general interest "journalism" wouldn't notice the difference between a C-152 and B-747 carrying the Space Shuttle. If the hacker claimed to have hacked the microwave ovens in the crew-rest area of a Piper Cub to communicate with Mars they wouldn't spot anything fishy.

The MAC comments were in relation to ADFX which was developed for the A380, and then adopted by industry. Earlier aircraft like the one this person targeted use a different ARINC bus, my understanding these are linear buses where any device on the bus can listen to the bus. The bus design itself can be centrally controlled, or as in ARINC 629, control over the bus is distributed. Those buses are normally segregated/partitioned according to their function, and gateways/bridges connect different partitions.

Actually, you might be surprised at the aviation mayhem you could generate with a hacked microwave oven with the door open, but I will not be the one to provide the details.

swh - Arinc 629 is B777 (and A330/340)? and yes it's linked to a standard TCP/IP network (this is where the "hacker" is), but it's one way communication.

which is why all stories about "hacking" of aircraft so far have been fictitious. Each path on the gateway must be programmed.

My summary of a/c hacking stories so far is this: There is a wire from the headphone socket on seat 29C which is connected to [insert something here] which again is connected to a wire via [insert box here], and through various other devices, I have now, very ingeniously, traced physical wires/"connections" from the headphone socket to the FMS. They're physically connected, it must mean something can be hacked, because it's computers! Yet if I plug my [insert evil hacking tool here] into the headphone socket I have no control over the FMS, despite the "physical connection".

Good post deptrai. Let's hope your post puts an end to the drivel that's being posted within this thread.

That would be entirely consistent with Roberts' statement that, despite his provocative Tweets, he had made no attempt to access the SEB on the flight in question.

Not sure what that does or doesn't prove.

As a security consultant, part of my job involves ethical hacking and supervised penetration attacks on client sites. I've only ever done this in financial institutions; I've never tried to hack a plane, and, to be honest, my hardware and software experience aren't up to that task. I often need the assistance of a hacker of systems at the desktop layer in order to then penetrate the underlying systems.

A couple of observations:

Professional hacking is, of course, done in a very heavily supervised manner, with every step documented for subsequent analysis and mitigation.

Professional hackers never ever attempt to hack systems without invitation and without an appropriate contract in place.

Professional hackers never disclose their findings to anyone other than the client. Any findings are the sole property of the client. To successfully penetrate a system and to broadcast the fact would directly compromise the client's security - and our job is in the opposite direction.

There are a lot of idiots out there making wild claims in an effort to gain some notoriety. There are also dedicated professionals who quietly and without fanfare are paid to expose vulnerabilities in order that these can be eliminated.

I doubt that he has hacked a plane's systems. I wouldn't be certain that it can't be done, though.

Hacking an aircraft may be possible by a disgruntled LRU manufacturer employee, or a government.

The 'hacker' will have been able to read items such as the ARINC data provided for moving map / flight info features from a secondary bus. It's not that hard to read - a little bit harder than 'hacking' someone's Facebook page (when they leave it open...).

As mentioned, currently, IFE systems are fed by secondary busses, connected on a 'read only' basis.

If you have any understanding of typical aircraft architecture, you will understand why claims to have "taken control" of an aircraft are extremely improbable.

Additionally, if you understand the ARINC standards (there will be very, very few people on this board that have the knowledge I'm alluding to - it's detailed system design level depth of knowledge), and the aircraft systems logic, you'll find the claims even more improbable.

There are not many aircraft types with integrated networks. These have special conditions relating to security attached to them.

So-called "experts" may scoff, but i know what I know, and one of the things i know is that using my iPad I can turn the chemtrail dispenser on whenever the aircraft I'm in is over France. It annoys the hell out of them.

Hullo, here we are in JB....there's a surprise.

I guess this is obvious, but hacking into the IFE would violate the criminal statute, whether it's connected to anything else or not.

Not only obvious, but already stated.

See the post with the link to the FBI search warrant application, which quotes the relevant statutes.

I was waiting for the chemtrail connection, Capot :ok:

In all of this there also needs to be clarification on what constitutes a hack.

I am subscribed to a lot of sources on hacking as part of my job, and it really is telling how many people show a failed logon attempt to a banking system as evidence of a "hack". No. What is happening there is that the system is protecting itself as designed.

I was once booked to speak on mainframe security at a conference and decided to research the other speakers. Two of them had speeches on the subject of mainframe vulnerabilities on YouTube. Their perception was laughable. On reflection, I decided not to speak. To do so would have involved rebutting their naive assumptions and thereby drive them into efforts which were potentially more fruitful than the culs de sac they were describing.

Hacking an aircraft would probably suggest one the following aims:

Claiming complete control of the aircraft systems;
Inputting false data to those systems;
Completely disabling those systems.

A more benign aim would be merely to eavesdrop on what was happening on the systems.

I would imagine that the software engineers have incorporated penetration testing in the development cycle and continue to do so as they enhance their systems.

In the meantime, those systems have a very effective backstop in that the systems are very real-time and any anomalies should be noticed and over-ridden by the people at the front end of the machine.

Regarding the guy mentioned in this thread, if he had any ethics as a hacker he has a very simple avenue open to him if he found a vulnerability and if he warned the airlines and if his warnings were ignored.

His option is to demonstrate it to officials from any flight regulatory authority that will listen to him. It doesn't need to be his own domestic authority. Record the outcome and use registered post to keep the whole thing a matter of record. Give them 6 months to have the issue addressed, with a subsequent paid PenTest to verify that the opening is now closed with immediate revelation to the Press if the systems are still proven to be vulnerable.

In the meantime utter confidentiality is maintained out of a healthy respect for self-survival. Hell, if I found that I could hack aircraft systems the last thing I'd do is go public. I wouldn't fancy being forced to spill the details while looking down the barrel of a terrorist's Uzi, or, worse, being forced to prove my technique on a real flight while my family cower and whimper under the cover of same Uzi.

tl;dr version: I'd guess that the systems have possible weaknesses but I'm sure that stringent penetration testing is ongoing. Aircrafts have pilots who should be able to override any system anomalies. Any hacker who would advertise a claimed hack of these systems is an idiot who is putting his life and that of others at risk.

Our guys in engineering say this is highly unlikely - Flight Certified is a phrase with at least a little meaning and proof of concept behind it. What's more, Mr. Roberts fails to follow ethical hacking guidelines as a "white hat" gent. Seems to many that in matters commercial aviation computer security, he is a publicity seeking hound and nothing more.

That is one of the legal issues which is foremost when people pay me to hack their systems. For the purposes of the exercise my access to their systems is considered to be authorised by them, but there are obvious and severe curtailments on what I can do when I break through. Once I get in, the design of the system architecture will normally reveal just what I can or can not do without my having to actually transfer funds from the client to my numbered Swiss account.

On occasion once a penetration has been made and I've reported it I'll then be given a legitimate logon to a test system where I can really do some destructive stuff in a quarantined environment.

I'm not sure how layered or embedded aircraft systems are, but in the world of commercial systems the application layer is often riddled with holes. I'd imagine that on an aircraft the systems are very embedded.

Sorry about going on about this at such length, but these celebrity hackers tick me off no end. Those that go public in an effort to show how clever they are are no better than those thugs who mark the backs of people at ATMs in order to allow confederates to mug them down the street.

An illustration suffices: an unnamed client had an exposure which I discovered in an application which allowed userids with a certain level of access (the IDs were defined within the application and were easy to identify and clone) to move massive amounts of money to be transferred. I'm speaking massive amounts. A couple of userids could be created for the purpose of moving the money and then deleted. There was no audit trail showing who had created and deleted the IDs. The only control was that an ID had initiated the transaction and another had authorised it. The police would have issued an APB for a Mr Mickey Mouse and his partner-in-crime Ms Minnie Mouse.

When I demonstrated this in their test environment there were pale faces around the room. A couple of hours later I was presented with a very binding NDA and told that I was to be escorted off the premises until such time as the problem was remediated. Until then I would be on my full daily rate, forfeited if I made any attempt to log on again and with the most severe financial penalties if they suspected that I had leaked the information. I was perfectly happy with this arrangement and have worked for them many times since.

Security researcher claims he hacked aircraft systems
 

Anyone else see this titbit?

FBI: Security researcher claimed to hack, control plane in flight

Seems a little far-fetched. Never seen an Ethernet port on the IFE kit on my type, maybe some latest-gen experts would care to comment?

Please read the whole article
 

AND the Warrant at

http://aptn.ca/news/wp-content/uploa...lectronics.pdf

Case 5:15-mj-00154-ATB Document 1 Filed 04/17/15 Page 1 of 22

and also

Hacker told F.B.I. he made plane fly sideways after cracking entertainment system | APTN National NewsAPTN National News

and 1) he did hack the IFE in flight

2) That is a big NO NO

3) He claims no hack to change controls in flight but on a virtual simulator

4) His company got clobbered as a result

5) Even the GAO issued a warning

IMHO anyone who tells you their system cannot be hacked is living in a fools paradise. The question is how much damage/control can be done.

IMHO Absolute physical separation ( air gap ) AND EMP protection of critical systems is a must. :8

And for the non believers- even a fiber optics system/cable can be tapped/hacked. This was known over 20 years ago. AS was reading the output/screens of CRT display remotely via cheap electronic receivers. While CRTs have essentially disappeared and current screens **may** not be read remotely with no physical- video link- anyone care to bet ??

Yes it is 777/A330/A340. It is not Ethernet, it is not simplex, it is time division multiplex (multiple source, multiple sink), with a limit of 128 devices per bus. Inductive coupling is also used by design.

He is talking about connecting his PC to the IFE network by cable.

The boxes under the seats are essentially disk-less single board computers running windows or linux connected to a windows/linux server. They boot off the server with bootp or similar. The kernel versions I have seen boot are very old.

Lots of these under seat boxes are available, even complete IFE racks. Many of these early generation IFE systems and seats have already been scrapped by airlines, and anyone can buy a seat, IFE rack, or even a full fuselage from a scrapper for the right price.

The going rate for a used 747 SEB (Rockwell Collins) on Ebay is around US$35.

He hacked the plane in flight? Are you sure? What was the extent of that "hack"? What capabilities did it give him?

Let me be very explicit about this: I am deeply involved as a professional IT consultant in the area of system security. If I penetrate a system my job is to push my chair back from by desk and not to touch the keyboard under any circumstances. I will reach for the phone and tell my client that I am in and will tell them under which ID I have gained access. They in turn will kill my access.

If I were to gain access - whether through deliberate or accidental means - to a plane's system (and I'm speaking of someone who is paid to hack on occasion) I would immediately recoil in horror and hand my unpowered laptop to the cabin crew with a full account passed to the captain.

It's that simple.

There would be no guarantee that an inadvertent keystroke might confound the systems.

I also would not need to be told that the carrier is no longer prepared to have me as a passenger; I would simply not wish to fly with that airline or on that type ever again.

I'm a reasonably proficient hacker, but there are some better than I am out there, and they tend to be of the bragadaccio mindset which says "Now that I'm in the system, let's see what I can do. The guys will be really p1ssed when they see this at the next convention *alt-PrntScr*.

No system is perfect; that's why I have made a reasonably lucrative career analysing these imperfections. However, It is my job to reveal these issues to the client and their auditors and not to a hacking community who are all too happy to exploit these imperfections.

There's another issue. I'd like to know how a pilot would react if a passenger on his flight reported that he or she had got into the flight systems. Voluntary admission accompanied by a willingness to remain under restraints and separated from the device used to get in to the systems. Would the captain deem this to be a compromise to the plane's safety and land at the nearest?

It's a genuine question; I have no idea what the protocols would be. Other applications such as banking are less immediate and have the luxury of mitigating the threat while taking steps to eliminate it. At 35k feet the same luxury isn't available. Would vulnerability to the flight control systems be considered in the same way as a hull breach or an engine loss?

Well it has been a concern in the not too distant past...
 

From 2013:

https://www.federalregister.gov/arti...nic-system#h-9

REGARDING HACK
 

PUUUHHLESE read the FBI warrant request posted several times

http://aptn.ca/news/wp-content/uploa...lectronics.pdf

granted these are allegations- but he ( hacker ) was specific about the In flight entertainment systems ( IFE). The ongoing argument is that such could not impact flight/cockpit controls. Even so hacking the IFE is a federal crime.

One could ask - then why- since he admitted it - isn't he in Jail now ?:mad:

his conversations with the FBI lasted for hours, and he later claimed the statements in the warrant were taken out of context. Years ago he built a small "lab" with some IFE parts bought off ebay etc which he then "hacked". As far as I understand the "hacking" of his lab setup (not an aircraft) was limited to some eavesdropping. My guess is his recent references to IFE hacking referred to his lab setup on the ground, and he didnt touch anything on the flight in question. The FBI warrant is probably useless to understand what happened, it was written only to provide a reason for searching his electronics, not for anything else. For some reason he made a stupid "joke" on twitter about his hacking, the equivalent of the equally stupid "I have a bomb". This alone suggests to me he is a nutcase. That's all there is to see here.