HITB Kuala Lumpur, Malaysia
n.runs professionals, Hugo Teso: Digging Deeper into Aviation Security
Thursday, 17th of October, 2013, Hugo Teso, a security researcher who works with n.runs professionals, the consulting business unit of n.runs AG, presented new security issues affecting the aviation industry continuing the research he presented at the HITB Amsterdam.
A follow-up to the presentation at the conference “Hack in the Box”, held in Amsterdam on April this year, was shown at the Kuala Lumpur edition of this same event. New and improved attack vectors and system vulnerabilities were exposed in an effort to further highlight the long way that is still to go in order to improve security in the Aviation Industry.
After reviewing the vulnerabilities presented on previous conferences, additional material was explained related to the Ground Service Providers (GSP) vulnerabilities already shown at SEC-T in Stockholm; this new development on the GSP related research further lays out the ease of exploiting those vulnerabilities.
The second part of the presentation was dedicated to release a new attack vector that could allow remote exploitation of many on-board systems by using every day technologies such as Wi-Fi and 3G/4G. This new attack affects almost every airliner in use by exploiting insecurities on a technology employed by many of the most important airlines.
The list of affected systems include, among others, the already know Flight Management System (FMS) and also other crucial systems such as the Aircraft Condition Monitoring System (ACMS), the Central Management System (CMS) or the Automatic Flight System (AFS).
The final research improvement shown during the conference is related to the testing environment. Unlike previous presentations, this time the demonstration of the vulnerabilities was conducted by using real aircraft code running on the same platform as it does on the real environment on-board the airplane.
The aviation industry keeps adding new technologies just about every day to their products in order to improve their effectiveness and help their customers to offer better services. Unfortunately those new technologies, traditionally avoided by aviation, suffer from a new range of security issues that expose previously isolated systems to a wide range of remote attacks that this industry had never had to face before.
It is for this reason that we keep researching and publishing on this topic, with the aim of helping by creating awareness, discovering, evaluating and fixing the new threats that the Aviation Industry is being forced to face by the introduction and use of these new technologies and application. As always with company presentations, no vulnerability details or exploit code was released in order to prevent possible irresponsible usage of this work. Our motivation is to help the affected industry to improve the security of their products. We strongly believe in responsible disclosure and we have and always will act accordingly.