Can a hacker take over a passenger jet by sneaking in through its WiFi or in-flight entertainment system?
The possibility of that occurring, as suggested by cybersecurity firm IOActive, has security experts hot under the collar.
Ruben Santamarta, principal security consultant at IOActive, led a team that discovered insecure and undocumented protocols, backdoors, hard-coded credentials, and other high-risk vulnerabilities in the most widely deployed terminals for the Inmarsat and Iridium satellite communications systems.
Santamarta is scheduled to present the team’s findings Thursday at the Black Hat security conference under way in Las Vegas.
“The vulnerability that concerns me the most as a security professional and traveler is the use of hardcoded log-in credentials to enable service technicians the ability to access any piece of equipment they are responsible for with the same login and password,” Kyle Kennedy, CTO at STEALTHbits Technology, told TechNewsWorld.
“If a hacker can retrieve these hard-coded credentials by hacking the equipment’s firmware, any preventative controls on sensitive systems could be circumvented,” he continued.
“Think of how many thousands of current and former technicians already know [them]. Anyone who says this is a minor vulnerability is downplaying what someone can do with a known valid credential on thousands of end-points,” Kennedy insisted.
Who Are Inmarsat and Iridium?
In addition to providing voice, data and Internet access services, Inmarsat provides the Global Maritime Distress and Safety System free to ships and aircraft as a public service.
Iridium provides voice and data coverage to satellite phones, pagers and integrated transceivers around the globe.
Taking Over a Plane
Compromising in-cabin entertainment and WiFi systems is “possible and probable,” Philip Lieberman, president of Lieberman Software, told TechNewsWorld. “Passengers have been able to screw with other passengers on shared communication systems since the beginning.”
However, in-cabin systems are not physically connected to flight control or air-to-ground systems, so there is “zero probability” of incursion, he said.
On the other hand, “such vulnerabilities are dangerous if actually exploitable, and could present problems to a plane in flight,” Robert Coleridge, CTO of Secure Channels, told TechNewsWorld.
Ships, aircraft, military personnel, emergency services, media services, and critical infrastructure such as oil rigs, gas pipelines, water treatment plants, and wind turbines could be impacted by the vulnerabilities, IOActive suggested.
Hackers must have access to the physical hardware or older copies of it, because systems of this nature generally do not virtually expose firmware microcoding, Secure Channels’ Coleridge said. Without verification of the vulnerabilities reported, the IOActive report “could simply be a case of ‘crying wolf,’ so travelers need not be too concerned yet.”
IOActive looked at popular satellite communications technologies manufactured and marketed by Harris, Hughes, Cobham, Thuraya, JRC and Iridium.
IOActive did not have access to the hardware, but it has a set of procedures that makes up for this.
First, the company gathers information about the targets through open source intelligence gathering: looking at datasheets; implementation and support guides; case studies; manuals; public procurements; press releases; videos, presentations and photos; and software or firmware.
It looks at how the target system is designed, what its components are, how it is deployed in real-world scenarios, and what its main features are.
IOActive then estimates the attack surface, builds a map of its features, and draws up a detailed list of functionalities.
It also reverse-engineers and analyzes configuration software and firmware. The firmware updates for the technologies studied are freely and publicly available, IOActive said.
Dealing With the Problem
IOActive has notified the vendors concerned, and is working with government CERT coordination centers to help remediate the vulnerabilities it has found so far.
The company recommends that satellite communications manufacturers and resellers remove all publicly accessible copies of device firmware updates from their websites, if possible, and strictly control access to updates in the future.
This is not a remediation strategy, but it will prevent other organizations or people from discovering vulnerabilities.