Grey hats and blue skies, dealing with airline security

Since Sept. 11, 2001, the airline industry has been one of the fastest industries to upgrade their security procedures and protocols against various threats, both present and perceived.

Threats from possible terrorist bombs and improvised explosive devices have been curbed, and not one American plane has been hijacked since the tragic events of that fateful day.

However, hackers don’t need to board an airplane to gain control of the systems set in place to control it.

Though cybersecurity breaches can cause devastating financial losses, losses to reputation, and threaten passenger safety; hacking the internal flight control systems of a passenger airplane or a fighter jet isn’t something independent hackers would do for personal financial gain, rather it’s something they would utilize for warfare.

A brief history

Prior to 9/11, the vast majority of attacks on the aviation industry were focused on infrastructure: forged security badges from various fictitious law enforcement agencies, spear phishing employee information at multiple levels in order to gain access to passwords, code words and access codes.

Usually the furthest aim was mafia-related robbery, as it was with the Lufthansa heist at John F Kennedy International Airport in December of 1978. At its worst: terrorist hijacking. At DEF CON in 2004, hacker Jeremy Hammond stated, “If you’ve got your eye on Boeing, go for it. Download the code, modify the code just a little bit. I’d love to see those [expletive] go down.”

During a hearing for the House subcommittee on National Security, Chairman Rep. Jason Chaffetz (R-Utah) stated in July of 2011 that the Transportation Security Administration suffered more than 25,000 security breaches in U.S. airports since 2001. This number goes up significantly when airports around the United States are taken into the equation.

The UK’s split from the EU through Brexit brings about major issues in cooperation between agencies in the United Kingdom and various agencies spread across the 27 countries in the European Union.

On June 21, 2015, LOT, the Polish national airline brought to light that an IT attack was responsible for 20 flight cancellations and delays after a hack prevented the creation of flight plans for planes departing Warsaw Chopin Airport.

More recently, in May of 2016, Egypt Air flight MS804 from Paris to Cairo disappeared off the coast of Alexandria, Egypt. The only wreckage recovered was two possible modules and a black box flight recorder, from which officials have yet to recover information.

In the United States, the number of airport security breaches since 2011 has gone down significantly, which would make the case that inter-agency cooperation and the changes implemented in aviation IT security have been working, but what has worked in the past and what works today does not promise tomorrow.

Today

Whether hacks are correlated between individuals and foreign government agencies is difficult to determine without transparency, but future hacks on airlines and government aircraft security systems is guaranteed.

Nathan Wenzler, principal security architect at AsTech Consulting

Airport security screening, which has been discussed at length for the past several years, is still flawed and does not truly bring a significant level of security to the table, explained Nathan Wenzler, principal security architect at AsTech Consulting. He’s also concerned about the security posture and the resiliency of the air traffic control systems being used today.

[ RELATED: Airport breach a sign for IT industry to think security, not money ]

“There are, of course, efforts underway to bring the entire system into a new, next generation platform, but initial looks at what the government is proposing reveal that much of the technology will still be outdated and insufficient to not just handle the projected traffic increases in the next 20 years, but do not address a number of security concerns I would have about that system. There are too many single points of failure, and ways of ensuring continuity of service for aircraft in flight are not as easy to solve as even the proposed system would provide.”

Lessons from the past and promises for the future

Along each new advancement in aviation security, comes new advancements in black hat technologies and techniques. While Wi-Fi is currently being implemented across commercial airliners by way of network connected nodes, cloud based systems are almost never used on-board airplanes due to concerns over cloud-based vulnerabilities.

Instead, current technologies throughout commercial and governmental aircraft alike rely on satellite communications, VHF shortwave communications systems, Vertical Fin antennas, as well as varied radio frequencies to relay information to and from air traffic control towers on the ground.

Flight controls rely on analog, Actuator Control Electronics (ACE), and the Primary Flight Computer (PFC), which utilizes digital technology. Fly-By-Wire (FBW)  systems rely on electronic computers to communicate with the airplanes hydraulics and move the rudders, wing flaps and elevator; all these systems are extremely difficult to hack without installing a secondary device to access their Local Area Networks.

That being said, on April 15, 2015, while on-board a commercial flight, Chris Roberts, a security expert and chief security architect at Acalvio Technologies tweeted:

“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ?  Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”

“Roberts later claimed in a statement to the FBI he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” The FBI stated in their warrant application.

“He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”

Roberts cannot currently comment on this issue, but has asserted on Twitter that his “only interest has been to improve aircraft security. Given the current situation I’ve been advised against saying much.”

The biggest threats to aviation security systems and airlines from cyber-terrorism and hackers in general are evolving with the implementations of new technologies within their systems.

“A cyberattack which is successful against air traffic control systems would be absolutely devastating and could easily result in the loss of lives, depending on what a hacker or cyber-terrorist was able to compromise and control,” said Wenzler.

“There are also a lot of concerns around the increased use of in-flight wireless networks, both for internet access and for delivering entertainment to passengers at their seats. In some cases, it’s been discovered that these systems are not isolated from the aircraft’s controls and operation networks, which means a hacker could potentially take control of an aircraft or affect its flight operation.”

Daniel Miessler, director of advisory services at IOActive, said that from a cyber-terrorism perspective, the biggest threats are likely in the form of disrupting active operation of aircraft, and of preventing air travel altogether in order to harm the economy.

“The first scenario is most dangerous but requires knowledge of potential aircraft vulnerabilities that can affect, disrupt or disable operation of an aircraft. These vulnerabilities, if they exist, would  require high skill levels to discover, keep secret, and then to exploit,” he said.

The other scenario, which is likely far easier to carry out, is to find flaws in the lattice of IT systems that make up a modern airline system, including bookings, payment systems, flight management, etc.

“Gaining the ability to stop airlines from ensuring planes are safe, from ensuring that all safety procedures have been followed for all staff and crew, for one or more major airlines could potentially stop, disrupt air travel for hours, days, or even weeks. While this may result in no human casualties, the damage to the global economy could be catastrophic,” says Meissler.

When asked about what specific issues he’d like to be brought to attention? Meissler explained that, as with any critical infrastructure, “the risk is that someone may be able to cause human loss of life or cause damage to perception of the safety and security of key public activities.”

With air travel, he added, the application of these principles is clear, since humans are almost always involved and so much of the global economy is based on the belief that air travel is safe.

“My main concerns around air travel center around the delta between security and security theater, meaning that the controls put in place by security organizations in the United States and other countries seem to largely be a matter of display or presentation, and are not actually effective at stopping determined attackers from bringing weapons onto an airplane. This has been discussed and demonstrated hundreds of times over the last few years, yet little change has been affected to address the problem,” Meissler said.

For example, several reports have noted how it’s possible, trivial even, to get weapons past TSA checkpoints.

In addition, Meissler said, “gaining access to bags within the airport, by being or impersonating an airport employee, has proved far too easy over the years. Once given access to the bags all manner of harm can be done.”

“There are also significant soft spots in the front of airports where people are gathered yet no filtering has yet occurred. The use of explosive devices before security in the midst of massive groups of travelers would have an extremely similar effect to travel as if a plane were to be attacked and destroyed in flight, i.e. people being terrified of, and reluctant to, go to airports and fly.”

Another thing Meissler mentions during his interview for CSO Online, is that the requirements for gaining special airport security access as an employee are notoriously low.

“Nearly anyone can, and does, become an airport employee who then has trusted access to enter various areas of the airport and its secure infrastructure. Attackers targeting such employees through bribery, blackmail, or extortion, or impersonating those employees outright is likely to be an extremely easy way to gain access to, and compromise, the security of the airport or airplanes.”

Meissler said that in order to see the difference between security and security theater, the public should start by evaluating the filtering techniques employed at Israel’s airports and compare them to those employed at U.S. airports.

“They differ greatly both in what is done as well as the amount of training required to perform the evaluations,” he added.

There is no obvious answer for commercial airlines looking to beef up security across the board, but restructuring their security operations to deal with perceived threats as new as the growing technologies around us, cross referencing the massive amounts of data on previous cyber attacks, and implementing new technologies after thorough testing and checks is a good start.

It would also help if they paid more attention to InfoSec experts and security consultants, more than to bottom lines and overheads.