Ruben Santamarta, a consultant for IOActive, will speak at the 2014 Black Hat Conference (BHC) in Las Vegas and present his research into how commercial airliners are prone to cybersecurity attacks and could easily be hacked at any time.
Santamarta said to the press: “These devices are wide open. The goal of this talk is to help change that situation.”
By reverse-engineering the firmware used to facilitate communications on commercial planes, Santamarta uncovered “that an attacker could leverage a plane’s onboard Wi-Fi signal or inflight entertainment system to hack into its avionics equipment. This could allow them to disrupt or modify the plane’s satellite communications, potentially interfering with the aircraft’s navigation and safety systems.”
Because of the gravity of his discovery, Santamarta said he was making his research public so that manufacturers such as Cobham Plc, Harris Corp, EchoStar Corp’s Hughes Network Systems, Iridium Communications Inc and Japan Radio Co Ltd could “fix” the “dangerous security flaws” that currently exist.
According to the BHC website: “IOActive found that 100% of the devices could be abused. The vulnerabilities we uncovered included multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols or weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to fully compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.”
Greg Caires, spokesperson for Cobham, replied to Santamarta’s research, downplaying the severity of its potential: “For instance, Cobham, whose Aviation 700 aircraft satellite communications equipment was the focus of Santamarta’s research, said it is not possible for hackers to use WiFi signals to interfere with critical systems that rely on satellite communications for navigation and safety. The hackers must have physical access to Cobham’s equipment. In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only.”
Santamarta explains: “The core point is the type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of. These devices are wide open. The goal of this talk is to help change that situation.”