Spy vs SPI: Hacking the Stratus ADS-B Transponder

Hacking the Stratus ADS-B Transponder

  1. Spy vs. SPI: Hacking the Stratus ADS-B Transponder. Mayank Dhiman, Brown Farinholt, Edward Sullivan. March 13, 2014
  2. Old school technology: Real-time Air Traffic Surveillance
     ● Radar-based
     ● Since the 1970s
     ● Provides location information
     ● Many disadvantages
       ○ Not very accurate for the altitude
       ○ Airplanes have to send their altitude to the ATC
       ○ Not real-time; sends information after a delay
       ○ Pilots don’t get much benefit, e.g., which planes are nearby
  3. ADS-B augments the pilot’s view of nearby traffic
  4. The Future: ADS-B
     ● ADS-B = Automatic Dependent Surveillance-Broadcast
     ● ADS-B Out: your plane broadcasts its GPS coordinates (determined with a GPS device) to ground stations and other planes
     ● ADS-B In: your plane receives broadcast messages from other planes (about their locations) and from ADS-B towers (about weather, etc.)
     ● 1090 MHz
  5. The Stratus and the Foreflight App (diagram)
     ● GPS satellite provides location info to the Stratus
     ● ADS-B towers and other ADS-B-equipped planes provide ADS-B broadcasts (weather info, other planes)
     ● The Stratus sits on the dashboard of your plane
     ● iPad joins the unprotected wifi network created by the Stratus
     ● Foreflight app on the iPad displays a cool interface for GPS, weather, maps, and locations of nearby planes
  6. How ADS-B packets are sent
     ● Plain-text
     ● No time-stamp
     ● Error-code “protected”
     ● Broadcast
     ● Contain “trivial” information like altitude, precise location and unique identifier of the airplane
  7. Which means...
     ● No message authentication
     ● No message secrecy
     ● No message integrity
     ● Basically, anybody with a device which can talk ADS-B OUT can pose as any airplane
  8. ADS-B is the WORST!
  9. The Good
     ● Almost anybody can track airplanes in real-time via ADS-B IN
     ● Community efforts already underway, e.g. www.flightradar24.com
  10. Source: http://www.flightradar24.com/data/flights/mh370#2d81a27
  11. The Ugly
     ● Trivial to make the MH370 plane reappear
     ● Attacker needs a device which can talk at the 1090 MHz frequency
     ● Attacker knows the ADS-B packet format
     ● Attacker knows the airplane unique ID
     ● Attacker is located a little bit above ground level
     ● Can start broadcasting ADS-B OUT packets
  12. ADS-B is literally the WORST!
  13. Let’s Pwn the Transponder
  14. The Firmware Update Process
     1. Stratus sets up an unprotected wifi network
     2. iPad joins the unprotected wifi network created by the Stratus
     3. Foreflight App asks the Stratus about its current version
     4. Stratus replies back with its current version number
     5. Foreflight App fetches a firmware update for the Stratus (usually via satellite link)
     6. Foreflight App pushes the firmware update
  15. Huge Attack Surface
  16. Potential Attacks
     ● Our focus:
       - Replace legitimate firmware with malicious firmware
     ● Other attacks:
       - Spoof GPS data to Stratus traffic
       - Spoof ADS-B IN to Stratus traffic
       - Spoof Stratus to iPad traffic
       - Fuzzing the ADS-B device with bad GPS/ADS-B IN data
       - Physical attacks (swap iPad/Stratus)
       - Jamming/DoS (throw noise at the Stratus at 1090 MHz)
       - Bricking the device (send bad data as part of the firmware update process)
  17. Threat Model (for Firmware Attacks)
     ● Attacker has reverse engineered the firmware update process
     ● Attacker is able to construct a malicious firmware
     ● Attacker is within wifi range of the Stratus to push a firmware update
  18. Proposed Malicious Firmware
     ● Gets activated after a certain amount of time
     ● Sends out bad/incorrect GPS location and altitude to nearby planes via ADS-B OUT
     ● Shows incorrect locations and altitudes of nearby planes to the pilot via ADS-B IN
     ● End goal: cause a mid-air collision
  19. Initial Firmware Analysis
     - Ripped from the Foreflight app (iPad)
     - Two chunks of data, packaged (encrypted..?)
     - Where might it be unpackaged?
  20. Flash Dump: Active Reading
     - Micron Serial NOR Flash Memory
     - ARM and Flash speak SPI
  21. SPI (Serial Peripheral Interface)
     - Simple data transfer protocol
     - Master (ARM) and slave (Flash)
     - Signals: Chip Select, Clock, MOSI, MISO
  22. Bus Pirate
     - Data protocol interpreter (can speak SPI)
     - Replace the ARM with the Bus Pirate
     - Issue READ commands
  23. Issues with Active Reading
     - Resetting the ARM entirely disables the board
     - Providing external power to the Flash
     - Desoldering the Flash from the Stratus
  24. Flash Dump v2: Passive Sniffing
     - Remember the firmware update? (diagram: Firmware)
  25. Tools of the Trade: Tektronix oscilloscope vs. Saleae logic analyzer
  26. Triggering an Update
     ● All about the firmware version number
     ● A version number difference triggers the update
     ● Spoof a lower version number packet to the app
  27. Captured Data
     ● Both machines return CSV, one row per sample
     ● Tektronix = voltage at sample time
     ● Saleae = high or low at sample time
  28. Let’s write some Parsers
  29. Toolchain
  30. Analyzing the Binaries
     ● Captured two binaries: boot-up and update
     ● Boot-up:
       - FPGA image
       - Possibly containing ARM instructions
  31. Analyzing the Binaries (cont.)
     ● Firmware update: two writes... packaged
  32. Good News First?
     ● Good understanding of what happens internally during a firmware update
     ● Several reads during the update after writing, possibly containing clues (read: keys)
  33. Future Work aka More To Do!!
     ● All firmware on the 512 MB flash encrypted?
       ○ Look for keys in short messages
       ○ Examine code in the ARM chip’s 1 MB onboard flash
       ○ JTAG debugging protocol
       ○ Onboard flash might be read/write protected
       ○ Electron microscopy
     ● Once we get the unencrypted firmware …
       ○ Ready, set, IDA!
     ● Continue work on other potential attacks
  34. Acknowledgements
     ● Devin Lundberg (esp. for Triggering Update)
     ● Kirill Levchenko
     ● Keaton Mowery
     ● David Kohlbrenner
     ● Hovav Shacham
  35. Q & A
  36. NextGen
     ● FAA (Federal Aviation Administration) initiative to improve on Air-Traffic Control
     ● Shorten routes
     ● Reduce traffic delays
     ● Avoid gridlock
     ● Save fuel and time
     ● Implementation in various steps by 2020
  37. ADS-B Implementation Status. Source: https://www.faa.gov/nextgen/implementation/
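Slides 6 and 7 say that an ADS-B packet is plaintext, "error-code protected" and carries the aircraft's unique identifier with no authentication. The following reader, an added example rather than code from the presentation, makes that concrete for a 112-bit DF17 extended squitter: it pulls the ICAO address and callsign straight out of the bytes, and checks the trailing 24 bits as a CRC remainder, which detects radio noise but says nothing about who transmitted the frame. The sample frame is the widely used public decoding example (KLM1023 identification); the generator polynomial and six-bit character set are the standard Mode S values.

```python
# Added example (not from the slides): a minimal Mode S / ADS-B DF17 frame reader.
# It shows what slides 6 and 7 state: the frame is plaintext, the trailing 24 bits
# are an error-detecting parity (a CRC), and nothing in the frame proves who sent it.

# Low 24 bits of the Mode S generator polynomial (degree 24, standard value).
GENERATOR = 0xFFF409
# Six-bit character set used in aircraft identification messages (type codes 1-4).
CALLSIGN_CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"
# Public sample frame used in ADS-B decoding tutorials (aircraft identification, KLM1023).
SAMPLE = "8D4840D6202CC371C32CE0576098"


def mode_s_remainder(value: int, nbits: int) -> int:
    """Remainder of an nbits-long message modulo the Mode S generator polynomial.

    Bits are shifted MSB-first through a 24-bit register; a frame whose parity
    field matches its first 88 bits leaves a remainder of 0.
    """
    reg = 0
    for i in range(nbits - 1, -1, -1):
        carry = reg >> 23
        reg = ((reg << 1) & 0xFFFFFF) | ((value >> i) & 1)
        if carry:
            reg ^= GENERATOR
    return reg


def parity_ok(msg_hex: str) -> bool:
    """True when the 24-bit parity field is consistent with the rest of the frame.

    This only detects transmission errors: the field is a pure function of the
    message bits, so it is not an integrity or authenticity check.
    """
    return mode_s_remainder(int(msg_hex, 16), len(msg_hex) * 4) == 0


def decode_df17(msg_hex: str) -> dict:
    """Parse the plaintext fields of a 112-bit extended squitter (DF17)."""
    frame = bytes.fromhex(msg_hex)
    if len(frame) != 14:
        raise ValueError("expected a 112-bit (28 hex digit) frame")
    df = frame[0] >> 3
    if df != 17:
        raise ValueError(f"not an extended squitter: DF={df}")
    me = frame[4:11]                       # 56-bit message field
    type_code = me[0] >> 3
    out = {
        "df": df,
        "icao": frame[1:4].hex().upper(),  # 24-bit aircraft address, sent in the clear
        "type_code": type_code,
        "parity_ok": parity_ok(msg_hex),
    }
    if 1 <= type_code <= 4:                # aircraft identification: 8 six-bit characters
        bits = int.from_bytes(me[1:7], "big")
        out["callsign"] = "".join(
            CALLSIGN_CHARSET[(bits >> (42 - 6 * i)) & 0x3F] for i in range(8)
        )
    elif 9 <= type_code <= 18:             # airborne position: altitude and CPR lat/lon, also plaintext
        out["note"] = "airborne position message (altitude and CPR-encoded position, unencrypted)"
    return out


def corrupt(msg_hex: str, bit: int) -> str:
    """Flip one bit of a frame, to show that the parity remainder reacts to noise."""
    return f"{int(msg_hex, 16) ^ (1 << bit):028X}"


if __name__ == "__main__":
    print(decode_df17(SAMPLE))
    noisy = corrupt(SAMPLE, 50)
    print("remainder changes after a single-bit error:",
          mode_s_remainder(int(noisy, 16), 112) != mode_s_remainder(int(SAMPLE, 16), 112))
```

Running the script prints the address 4840D6 and callsign KLM1023_ without any key material, which is the point of slide 7: an ADS-B IN receiver such as the Stratus has no way to distinguish a genuine transponder from any other 1090 MHz source that formats its bits correctly.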
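Slides 21, 22, 27 and 28 describe the passive flash dump: SPI between the ARM and the Micron NOR flash, captured as CSV (one row per sample, volts from the Tektronix scope or 0/1 from the Saleae), then parsed. The parser below is an added example and not the presenters' toolchain; it assumes the CSV carries columns named Time, CS, CLK, MOSI and MISO, SPI mode 0 (data sampled on the rising clock edge while chip select is low) and 3.3 V logic, and it recognises the standard serial NOR READ (0x03) and RDID (0x9F) opcodes. The capture it decodes is constructed inline so the example runs offline.

```python
# Added example (not the presenters' parser): decode SPI traffic from a logic-analyzer
# or scope CSV export into master/slave bytes and recognise serial NOR flash commands.
import csv
import io

READ = 0x03   # serial NOR flash READ: opcode + 3 address bytes, then data clocked out on MISO
RDID = 0x9F   # read JEDEC ID: opcode, then 3 ID bytes on MISO


def level(field: str, threshold: float = 0.5) -> int:
    """Logic level of one CSV cell. Saleae exports 0/1, a scope exports volts;
    either way anything above the threshold counts as high (assumes 3.3 V logic)."""
    return 1 if float(field) > threshold else 0


def pack(bits) -> bytes:
    """MSB-first bit list to bytes, dropping a trailing partial byte."""
    n = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, n, 8))


def decode_spi(csv_text: str):
    """Return [(mosi_bytes, miso_bytes)] per chip-select transaction, SPI mode 0."""
    transactions = []
    mosi, miso = [], []
    prev_cs, prev_clk = 1, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        cs, clk = level(row["CS"]), level(row["CLK"])
        if prev_cs == 1 and cs == 0:                # CS asserted: start of a transaction
            mosi, miso = [], []
        if cs == 0 and prev_clk == 0 and clk == 1:  # rising edge: sample both data lines
            mosi.append(level(row["MOSI"]))
            miso.append(level(row["MISO"]))
        if prev_cs == 0 and cs == 1:                # CS released: transaction complete
            transactions.append((pack(mosi), pack(miso)))
        prev_cs, prev_clk = cs, clk
    return transactions


def interpret(mosi: bytes, miso: bytes) -> dict:
    """Name the flash command the master issued and pull out what the slave answered."""
    if not mosi:
        return {"cmd": "empty"}
    if mosi[0] == READ and len(mosi) >= 4:
        return {"cmd": "READ", "addr": int.from_bytes(mosi[1:4], "big"), "data": miso[4:]}
    if mosi[0] == RDID and len(miso) >= 4:
        return {"cmd": "RDID", "jedec_id": miso[1:4].hex().upper()}
    return {"cmd": f"0x{mosi[0]:02X}", "data": miso[1:]}


def make_capture(transactions, voltage: bool = False) -> str:
    """Constructed sample capture (not a real Stratus trace): one row per sample,
    columns Time,CS,CLK,MOSI,MISO, either as 0/1 or as 0.0/3.3 volts."""
    hi, lo = ("3.3", "0.0") if voltage else ("1", "0")
    rows = ["Time,CS,CLK,MOSI,MISO"]

    def emit(cs, clk, mo, mi):
        rows.append(f"{len(rows) * 1e-7:.7f}," + ",".join(hi if v else lo for v in (cs, clk, mo, mi)))

    emit(1, 0, 0, 0)
    for mosi_bytes, miso_bytes in transactions:
        emit(0, 0, 0, 0)                                   # CS goes low
        for mo_b, mi_b in zip(mosi_bytes, miso_bytes):
            for i in range(7, -1, -1):                     # MSB first
                mo, mi = (mo_b >> i) & 1, (mi_b >> i) & 1
                emit(0, 0, mo, mi)                         # data set up while clock low
                emit(0, 1, mo, mi)                         # rising edge: sampled here
        emit(0, 0, 0, 0)
        emit(1, 0, 0, 0)                                   # CS goes high
    return "\n".join(rows) + "\n"


# Constructed traffic: an RDID, then a READ of 4 bytes at 0x010000. 0xFF on MISO while the
# master is still sending models an idle line; 0x20 is Micron's JEDEC manufacturer code,
# the remaining ID bytes and the data bytes are made up for the demo.
SAMPLE_TRAFFIC = [
    ([RDID, 0x00, 0x00, 0x00], [0xFF, 0x20, 0xBA, 0x19]),
    ([READ, 0x01, 0x00, 0x00, 0, 0, 0, 0], [0xFF, 0xFF, 0xFF, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF]),
]

if __name__ == "__main__":
    for mosi, miso in decode_spi(make_capture(SAMPLE_TRAFFIC)):
        print(interpret(mosi, miso))
```

The same decoder handles both instruments because thresholding happens per cell: a Saleae column of 0/1 and a scope column of 0.0/3.3 V produce identical bit streams. Reassembling every READ's address and MISO data in order is what turns a sniffed update into the flash image the later slides analyse.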