Satellite communications systems have security vulnerabilities that may allow hackers to gain access to aircraft systems, according to cyber security expert Ruben Santamarta, principal security consultant at IOActive Security Services, speaking at the Black Hat USA conference early last month. Santamarta and IOActive published a white paper that discusses security vulnerabilities in air, sea and land satcom systems, including systems made by Cobham (formerly Thrane & Thrane) and Iridium. “Today we are disclosing those details to help people verify those findings,” Santamarta explained.
Santamarta showed how he was able to gain access to satellite data units (SDU) and Inmarsat SwiftBroadband satcoms through so-called backdoors and hard-coded credentials in firmware. “If we can compromise the SDU,” he said, “we can access the MCDU [multipurpose control display unit] through the Arinc 429 bus. We can finally reach a critical device in the cockpit.”
While everyone in aviation should take security seriously, this particular situation isn’t a concern, according to Ken Bantoft, v-p of satcom technology and development at service provider Satcom Direct. A satcom connected to the 429 bus has read-only access to the bus, to provide position information to steer the satcom antenna. “You cannot inject data,” he said. “Transmit and receive [functions] are on independent buses. At worst you know where you are.
“There are two parts to security,” he added. “There’s the security of the equipment. We make recommendations. We educate our customers and make sure they’re informed about good security practices. But they’re ultimately responsible. Second, we are responsible for our infrastructure. We take that extremely seriously. There is stuff people aren’t aware of, but like any Internet provider we manage communications for our customers in a safe and secure manner. Security isn’t a thing you do once when you set it up; it’s something you practice and do all the time. It’s an ongoing process; it’s an evolution and the threat model changes daily. This is not new. Business aviation is not on the forefront, but there are other requirements at play in terms of the limitations of hardware. [For example], it’s hard to get access unless [the hacker] is on the airplane or in the surrounding area.”
“We’ve had these questions from customers,” said TrueNorth Avionics chief technology officer Terry Markovich. TrueNorth manufactures airborne telecom systems that work with most aviation satcom systems. “A lot of the things [Santamarta] pointed out are potentially real problems,” he said. “He demonstrated some things on land mobile and ship-based systems and implied these vulnerabilities may be existing.”
However, Markovich noted, “I don’t think he actually demonstrated [capability to access the 429 bus]. The SwiftBroadband systems don’t transmit any Arinc 429 data to any sensitive systems.” While systems that TrueNorth and other companies are building will transmit safety services data for Future Air Navigation System (Fans) and other NextGen capabilities via SwiftBroadband, “manufacturers are going to have to show there is a security separation before that data will go over SwiftBroadband,” he said. Iridium satcom is already approved for safety services such as Fans. “There is no IP [Internet protocol] link from our LAN [local area network] to an actual Iridium module,” he added.
Nonetheless, he concluded, “We’re very concerned about it and always want to make sure our products are secure and don’t have any vulnerabilities. It is always a good idea to have a WPA-2-protected Wi-Fi network and change [personal] passwords and network passwords regularly. These are the same security steps that a corporate organization would take.”
With regard to how satcom systems are connected to and interact with aircraft buses, Inmarsat emailed this response to AIN: “This is really a question that should be directed to the airframe manufacturers. Cyber security on the internal aircraft network/buses is something that the airframe manufacturers take very seriously and they are the design authority for the data networks inside their aircraft. They have their own stringent cyber-security requirements so that the bus design and avionics connected are implemented in such a way that makes breaches like the one outlined by IOActive an impossibility.”
Airborne telecom provider Aircell offers Iridium satcom systems that can be used for safety services such as Fans, and security is an important consideration. Although Aircell provides a single-box solution for cockpit and cabin communications systems, inside that box there are two separate radios isolated from each other, according to Dave Sherrington, senior v-p of engineering. “We dedicate one to datalink, with a connection to the cockpit. The other is dedicated to voice [for use by passengers].” Whatever happens on the passengers’ voice channel will never impact the cockpit datalink channel, he explained.
Regarding airborne security in general, Sherrington added, “The design standards at the moment provide a significant level of security appropriate to the criticality of the piece of equipment or function. And there is work in regulatory circles to review the appropriateness of that.”
Cobham Satcom, having been singled out in Santamarta’s IOActive research, provided a detailed response to AIN and indicated that “Cobham, including Cobham Satcom, takes the security of its products very seriously, so we welcome any research that shows potential issues and will act quickly to address any vulnerabilities.”
Although Santamarta claims to be able to hack into satcom systems wirelessly, Cobham explained, “Potential exploitation of the vulnerabilities presented in the paper requires either physical access to the equipment or connectivity to the maintenance part of the network, which also requires a physical presence at the terminal. With respect to the Aviator SwiftBroadband product, without physical access to the maintenance port of the system in the avionics bay of an aircraft, the scenarios described in the report are not possible.
“Cobham Satcom will continue to evaluate any potential vulnerabilities with its equipment and implement increased security measures if required.”
Asked about airborne cyber security, Rockwell Collins provided this statement to AIN: “Today’s certified avionics systems are designed and built with very high levels of redundancy and security. Simulating these systems in a lab or virtual environment is not analogous to certified aircraft and systems operating in regulated airspace. The security of these systems is a top priority that we are addressing through collaboration with industry regulators, customers and suppliers. In addition to meeting today’s security needs, we have ongoing research in enhanced security features to respond to evolving security threats. We are working with industry partners to develop new standards to ensure the highest levels of protection are maintained.”
Garmin principal engineer Clay Barber summarized the issues facing avionics manufacturers, pointing out that the problem isn’t just cyber security but also misinformed regulators imposing new requirements that aren’t based in fact. In one case, during a certification program for a Garmin G1000 flight deck, the regulator (not the FAA) required that datalinked weather and ADS-B in features be disabled because of security concerns. Garmin was able to turn these features back on eventually, after spending money and resources proving that there was no security issue.
“The datalink standard is a one-way protocol from the weather provider,” Barber explained. “We can’t do anything other than validate the data, the same as with ADS-B in, [which is] a harmonized protocol worldwide. It’s not like we can make changes to that; somebody would have to be able to hack into the protocol to broadcast bad data.” In any case, he added, if bad data were somehow injected into the datalink or ADS-B in stream, “pilots could potentially recognize the bad information.”
The Human Element
Garmin software engineer Mitch Trope added, “From a safety standpoint, the ability to upload flight plans from the ground to the cockpit requires the flight crew to look at [the message] and approve the change. We don’t want anything going straight to the FMS and making changes to the flight path directly. The human element is acting as a double-check, even if someone were able to get something into the communications channel into the airplane.” And, of course, pilots can shut off the autopilot if necessary. “Hackers don’t think about these things, the checks and balances on airplanes from a safety perspective,” he said.
Garmin has to deal with regulators and, said Barber, “We are spending a fair amount of resources just trying to get reasonable certification authority application of these types of concern. Until these things settle out, there’s still overhead for us that we think is excessive.”
Various regulators are at different stages of addressing cyber-security issues, he said, and “they aren’t at all harmonized on their positions. We get requests from the EASA that are different from those we get from the FAA and Transport Canada.” To help address these issues, Trope participates in RTCA special committee 216, an industry-led group that was formed in 2007. A standard for airborne security, DO-326, was released in 2010.
As for IOActive researcher Santamarta, he admits that what he has discovered might allow for some disruption. “We can possibly modify [information] at the satellite data terminal, but,” he concedes, “that doesn’t mean you can completely control an aircraft.”