IOActive’s researcher Ruben Santamarta is the sort of person anyone interested in computer security would probably enjoy sitting next to on a long flight.
Take the journey he made last November between Madrid and Copenhagen on Norwegian during which (naturally) he decided to use Wireshark to study the aircraft’s in-flight Wi-Fi.
As well as finding that Telnet, FTP and web were available for certain IPs, it turned out that an interface page for a Hughes aircraft satellite communication (SATCOM) router could also be accessed without authentication.
This is the system used by Norwegian that connects a plane to the ground to provide internet connectivity. (Icelandair and Southwest are customers too.)
In a Black Hat show paper last week, Last call for SATCOM Security, Santamarta and his colleagues published details of how this simple discovery put them on the trail of a string of larger security flaws that build on IOActive SATCOM vulnerability research dating back to 2014.
His pre-show claim was a startling one – he was, he believed, the first researcher to figure out how, in some cases, to access in-plane systems without having to be on a plane at the time.
The vulnerabilities have not been explained in detail for security reasons but included a disturbing mix of backdoors, the interception and manipulation of data traffic to and from aircraft (i.e. monitoring passenger web visits), using Telnet to execute code, and potentially interfering with firmware.
It might even be possible to launch attacks against individual devices belonging to passengers or crew connected via the SATCOM router.
Extraordinarily, the team discovered that an IoT botnet had attempted brute-force attacks against SATCOM equipment without necessarily targeting aircraft systems specifically. Although not deliberate…
The astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft.
Because SATCOM systems are used on maritime vessels, as well as by the military and space industry, they too might be vulnerable to some of the issues, said Santamarta.
None of the vulnerabilities researched would have given an attacker access to avionics systems used by pilots but celebrating this might be to miss the point that the state of SATCOM router security is not what it should be.
All the flaws have been passed on to the manufacturers concerned as well as aviation security body, the Aviation Information Sharing and Analysis Center (A-ISAC), although Santamarta said that the level of collaboration hadn’t been what might have been expected in some cases given the security implications.
The in-plane flaws had, however, been closed:
We can confirm that the affected airlines are no longer exposing their fleets to the internet.
This will be reassuring news for anyone who plans to take a flight on an airline using one of these SATCOM systems and might find themselves using the onboard Wi-Fi.
Luckily – this time at least – a researcher boarded one of those planes last year and decided for all our sakes not to take the communications security on offer at face value.