For the last 4 years I have devoted most of my personal research time to studying the security of aircraft navigation and communication systems, both on the ground and onboard. After all this time I think I've reached interesting conclusions and made many discoveries that can now be published.
So, with this first post I intend to start a series of articles that will gradually lay out the process I followed, the problems and solutions I encountered, and the results and conclusions I reached.
Yes, yes, you read that correctly: this is all about AIRPLANES. It really is about aircraft, but we're not going to get technical so soon. The most common question at this point is: what kind of disturbed mind comes up with something like this? It is true that this is not common, but it has an explanation; let's look at a little history.
It all started one day when I was looking for new systems to find vulnerabilities in. At that time I used to study SCADA system security but, since apart from being a security researcher I am also a commercial pilot, a question suddenly came to me: is there any system aboard an aircraft complex enough to have vulnerabilities? And so it all began...
An affirmative answer to that question raised new questions and... here we are years later :)
Now that time has passed and I have made great progress on this research, I will not follow in these articles the same steps I followed during my research; instead I will try to take a more orderly approach, all the more so because I'll need to introduce many aeronautical concepts in case you don't know them.
Now that I can structure the study using a more classical approach, something I did not think possible when I started, I'll try to follow (approximately) the same steps we would follow in more common attack scenarios:
Broadly speaking, I will try to follow the above diagram, inserting explanations of new concepts as necessary; and since this is research into a new system rather than a conventional attack, there will be a lot of research and development. Let's look at each of the phases in more detail:
After some initial entries devoted to presenting introductory concepts, we will study the navigation and communication systems that allow us to list and identify specific aircraft and subsequently monitor them. The necessary hardware as well as the tools used will be discussed and, in some cases, developed.
Once we have seen how to list and locate specific objectives, we will look at different options for extracting as much information as possible from the selected targets. The objective of this phase is the same as in conventional attacks: gather all the information available for use in the exploitation phase. If necessary, more hardware will be introduced and the earlier tools improved for this phase of the study.
This phase will explore a variety of systems, both airborne and ground based, looking for potentially exploitable vulnerabilities (both local and remote) that could be used to take control of vulnerable systems. While the goal is not to exploit insecure protocols with attacks like MitM, spoofing, etc., such attacks will also be included in the study.
Finally we will consider the two usual concepts: compromising other systems from the exploited system, and the peculiarities of exploiting an environment as new as an aircraft. We all know what to do with a compromised web server but... what about an airplane?
As in a classic attack, these phases are part of a cyclical process, so after a phase of exploitation or post-exploitation the whole cycle can be repeated several times.
As you can understand, this is a very sensitive study, so I will not release exploits or vulnerabilities that could be used against aircraft irresponsibly. That is not the goal of this series; it is intended to illustrate the process of studying an unusual system, show the state of its security, and learn as much as possible along the way.