At last week’s Black Hat USA 2014 conference, Ruben Santamarta, the principal security consultant at IOActive Security Services, raised the issue of whether satellite communications systems have security vulnerabilities that might allow hackers to gain access to aircraft systems. Santamarta and IOActive published a white paper that discusses security vulnerabilities in air, sea and land satcom systems. “Today we are disclosing details to help people verify those findings,” Santamarta explained.
Santamarta claimed to show how he was able to gain access to satellite data units (SDUs) through so-called back doors and hard-coded credentials in firmware. (He did not have access to actual satcom hardware.) “If we can compromise the SDU,” he added, “we can access the MCDU [multipurpose control display unit] through the ARINC 429 bus. Then we can finally reach a critical device in the cockpit.”
Santamarta did not demonstrate a real attack on the MCDU and admitted, “That doesn’t mean you can crash an aircraft.” While everyone in aviation should take security seriously, this particular situation isn’t a concern, according to Ken Bantoft, vice president of satcom technology and development at Satcom Direct. A satcom connected to the 429 bus has read-only access to the bus, he explained, which provides the position information used to steer the satcom antenna. “You cannot inject data. Transmit and receive [functions] are on independent buses. At worst they know where you are.”