12.-13.Sept 2013 Hugo Teso: Aviation Security - Ground Service Providers
On Friday, 13th of September, 2013, Hugo Teso, a security researcher who works with n.runs professionals, the consulting part of n.runs AG, presented new findings from the aviation security research he has been conducting over recent years.
Following the research presented in April this year at HITB Amsterdam, Teso presented an update on this topic at the SEC-T conference in Stockholm, focusing on the security vulnerabilities he found affecting the Ground Service Providers (GSPs) that would allow him to establish two-way communication with aircraft worldwide, either in flight or on the ground.
GSPs are companies that offer, among other things, data link communication services to airlines and other companies in the aviation industry. Companies such as ARINC, SITA or Honeywell sell different data link services that can be accessed via all kinds of modern interfaces. Web and mobile applications, desktop clients, servers and even cloud services are offered in order to gain customers and make their daily work easier.
Although those new technologies, when applied to aviation communications, can greatly enhance those companies' workflows, they also expose all kinds of aviation technologies to a broad new range of attacks by connecting them to an inherently insecure environment such as the Internet.
Teso highlighted those vulnerabilities during the SEC-T conference by analyzing some of the data link products of the main GSPs. Vulnerabilities affecting those products were demonstrated, and tools were used to illustrate how it is possible to exploit them in order to harvest valid credentials and use them to contact airplanes worldwide.
The results of this new research, when applied to the previous findings, drastically decrease the complexity of a theoretical attack scenario against aircraft. Prior to this work, a complex hardware and software environment was necessary in order to establish communication with the airplanes. After applying the newly found vulnerabilities to the existing framework, this environment is simplified by using common standard technologies such as web applications and mobile applications.
The addition of new, modern Internet- and mobile-based technologies to the aviation industry can bring much greater efficiency and speed to aviation management processes, but those new technologies come with a new range of security issues that have to be carefully considered and secured prior to their deployment in production environments. Safety is not security, and although those new technologies can increase aviation safety, they dramatically increase insecurity if not implemented and handled in a responsible manner.