Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]

Going Deeper
AVIATION SECURITY
on
2014

Safety
IS NOT
Security
2014
Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March

Part I
Previously on...
Part II
Faster, Stronger and Higher
Agenda
2014

PART I
Previously on...
2014

Attack Review
Info Gather
✈ ACARS
Exploit
✈ SYSTEMS
Discovery
✈ADS-B
http://blog.nruns.com/blog/2013/10/14/Aviation-Security-Hugo/
2014

ADS-B In/Out
Aircraft Position
Speed, Altitude
...
Discovery
Target discovery/mapping
GSP
and/or SDR
Passive
m
onitoring
2014

ACARS
Flight Plan, DB
Systems updates
...
Gather
System enumeration
011010101001010100101011101111100000
010101010101001001010101000101010101
010101100000010101010000011110111000
Passive
m
onitoring
2014
Info

ACARS
MALFORMED
DATA
...
Exploit
System exploitation
011010101001010100101011101111
010101010101001001010101000101
010101100000010101010000011110
GSP
and/or SDR
2014

Complexity++
2014

ATTACK++
2014

Worldwide targeting
Fewer requirements
Standard technologies
The “glue” of the aviation ecosystem
Worldwide targeting
Fewer requirements
Standard technologies
✈
✈
✈
2014

[URL] +
"></span></td></table></form>
<script>alert('XSS')</script><"
2014

[GDC ID] = meow" id="gdc_id"
/><br/><script>alert('XSS')</script><"
2014

» Send messages
» View position reports
» Advanced search
» Activity logs
» Export data
» ...
2014

Complexity--
Not from a phone they said...
2014

DEMO TIME!
How Is that useful?
2014

PART II
Faster
Stronger
Higher!
2014

The Internet
2014

Send me two!
No Credit card?
2014

Erm... I... nop :'(
Do you have an aircraft
poor lad...?
2014

2014

Thanks ARINC! :D
Next day on my mailbox...
2014

Who cares... ¡it's FREE!
2014

AMI (Airline Modifiable Information)
Modifying system
functionality with new
software instead of
with new hardware...
● All Boeing
● All Airbus
● Etc ...
2014

LSP (Loadable Software Parts)
OPC*
✈ Confg
AMI
✈Airline
OPS*
✈Software
* Operational Program Software/Confguration
2014

● Operational program software (OPS)
● The operating system of a Line Replaceable Unit (LRU)
● Operational program confguration (OPC)
● Specialized DB that determines the LRU confguration
● Database
● FMC NDB, Engine, Performance, takeofs, ACARS, etc.
● Airline modifable information (AMI)
● Supplies information to the OPS
● Include logic units, which are high-level program code
2014

Attack vector?
(...) Digital storage media (typically 3.5-in disks)
2014

Stubborn as I am...
AMI Wireless data loader
2014

TELEDYNE TECHNOLOGIES
2014

Teledyne LoadStar Server Enterprise
Eliminate media (foppy disks, CDs)
Web-based distribution instantly transfers Software Parts to data loaders and
directly to the aircraft via wireless links
This integrated solution makes it possible to electronically distribute Software
Parts from desktop to data loaders across the feet with a single press of a button
2014

A reliable and cost efective way to move data on and of the aircraft
Simultaneous use of 3G/4G cellular radios using enhanced HSPA
Requires a Wireless Access Point in or near the cockpit.
2014

Supported Aircrafts
Boeing 787, 747-8, A380 and A350
Airbus EFB and Boeing EFBs
All legacy aircraft A320, A330, B737, B747, etc.
Boeing 777 and Embraer ERJ 170/190
Targets! Targets! Targets!
In use at over 40 airlines worldwide
2014

Load Confgurations
Fight Management Systems (FMS)
Integrated Display System (IDS)
Aircraft Condition Monitoring System (ACMS)
Advanced Cabin Entertainment and Service System (ACESS)
Central Management System (CMS)
Automatic Flight System (AFS)
Centralized Fault Display System (CFDS)
Aircraft System Controller (ASC)
Flight Management Computer System (FMCS)
Electronic Display System (EDS)
Aircraft Data Acquisition System (ADAS)
FMS: NZ 2000 / Mark III CMU?
2014

New
Attack
WiFi, 3G/4G
WiFi/3G/4G
MALFORMED
LSP/AMI/NAV DB
...
System exploitation
Fleetdeploym
ent
2014

Delivery
Used by over 100 operators
2014

Delivery
Finding targets... Help me?
2014

My two cents
Airlines Maintenance
How to get the code?
Either...
Or...
2014

Source Code
Training SW System SW
¿Simulator?
2014

Source Code
Training SW
Compile
2014

Source Code
Training SW
System
System
System
System
Emulated
Compile
2014

Emulated
Source Code
Training SW
System
System
System
System
RCE
Compile
2014

Emulated
SAME
Source Code
Real SW
Compile
2014

Emulated
SAME
Source Code
Real SW
System
System
System
System
Emulated
Compile
2014

VxWorks
An embedded, RTOS developed by Wind River Systems
● Multitasking kernel
● Preemptive and round-robin scheduling
● Fast interrupt response
● User-mode applications ("Real-Time Processes", or RTP)
● Isolated from other user-mode applications as well as the kernel via memory
protection mechanisms.
● SMP and AMP support
● Error handling framework
● Binary, counting, and mutual exclusion semaphores with priority inheritance
● Local and distributed message queues
● POSIX certifed
2014

VxWorks
Really...?
● All “applications”
run as kernel threads
● Little memory protection
between apps
● Everything runs with the
highest privileges
● ...but not necessarily
the highest priority.
Fun with VxWorks (H D Moore)
2014

DEMO TIME!
2014

Catenstein!
Project...
2014

Catenstein
2014

Airplane
I can't haz...
Aircraft sensors AutopilotFMS
2014

Drone
I can haz...
Aircraft sensors AutopilotFMS
2014

Catenstein
Sensors
Telemetry
REAL CODE
Brain transplant
2014

hugo.teso@nruns.com
since 2009
@hteso
http://www.commandercat.com
http://blog.nruns.com
Hacking Aircrafts
2014

Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]

Ähnlich wie Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014] (20)

Mehr von RootedCON

Mehr von RootedCON (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]