Hey guys! Hope you're doing great and safe. I'm thrilled to give a lecture at Aerospace Village this year; that's an honor for me and I appreciate it. I hope you will enjoy my presentation. In fact, today I'm not going to talk about ordinary topics regarding aviation, something like that. Actually, I'm going to talk about a novel topic, something more practical and different from anything you've heard before. Because we are at DEF CON, we must talk about something possible which makes sense. This presentation covers radio-based and signaling vulnerabilities which impact passengers, the airplane and other avionics components. Also, I will give you a deep and clear perspective, like a malicious passenger or malefactor in the radio field and a hacker who has access to the mobile network.

Hello my friends and welcome to my talk. I'm Ali Abdollahi, a cyber security engineer with over eight years of experience in a variety of fields. I love to share my experience and little knowledge with others, and I also love bug hunting to make our world a safer place for everyone. I'm a regular speaker and trainer at famous cyber security and hacking conferences like c0c0n, BSides, TyphoonCon, CyberJungle, OWASP AppSec Days, Confidence, and this year, apart from Aerospace Village, DEF CON Red Team Village and AppSec Village.

So please consider all avionics components, as well as the airplane, as the victim while I am presenting my research. This is because each component, like passenger entertainment, navigation systems etc., is a subscriber when using mobile communications. So the purpose of this talk is to deep dive into this communication, which is called air-to-ground or A2G, and I'm going to show you possible attack vectors from radio and signaling points of view which threaten the nodes.

What is the A2G system? A2G stands for air-to-ground system, which is based on mobile or cellular technologies like GSM, UMTS and LTE, for aircraft, UAVs etc., and the main usage of this system is to bring high speed connections when you are flying over the ground. However, when you are over the sea, the airplane can take advantage of satellite communications, but there are some big differences between A2G and satellites, like low latency, ease of use, low cost implementation and more flexibility. The first and foremost usage of air-to-ground is to bring mobile broadband connectivity for passengers when flying. Other avionics components in the airplane, like EFB and IFE, could take advantage of this network: improving onboard cabin services, real-time monitoring, easy and flexible management, or other advantages of air-to-ground systems.

So here is the whole architecture of the system. As you can see, an airplane in this picture is connected to the ground via the direct air-to-ground system or using satellite communications. So there are some base stations or radio towers, which are called BTS, Node-B in 3G or eNode-B in 4G. This part of the network is called the radio access network or RAN, and the second part is the mobile core network, which handles signaling and communications and is connected to the RAN and other networks. In this picture, EPC, that is Evolved Packet Core, or circuit switched, in LTE technology.

Well, now I'm going to talk about possible offensive scenarios in radio access networks. Whenever an attacker has unauthorized access to the base station, by breaking defenses or maybe as an insider, the attacker can intercept the connections and manipulate them between the airplane and the ground. So in this case our malefactor is located on the ground.

This one is a hot topic: in-flight fake BTS or IMSI catcher. You may have heard many, many times about a fake BTS or fake base stations and IMSI catchers in the news. But this time it's different, because the vector is something else, and this is the first part of our attack chain. To do this, the malicious passenger or malefactor jams the current signals in the field using jammers, and after that will run an IMSI catcher or fake BTS to perform a man in the middle to retrieve one of the most valuable values, called the IMSI. In this case an attacker will gather all passengers' and components' IMSI numbers to perform further exploitation.

Again, another hot topic: in-flight sniffing. To perform it we need to have an RTL-SDR or BladeRF, HackRF, USRP or Osmocom and a Motorola C115 or C118, and in this scenario, while an attacker uses this equipment, he or she can sniff all in-transit data. As you can see, all packets sent and received, like voice data and network traffic, have been captured here. You can see all LTE RRC protocol packets here, and signaling connection release packets captured here, and all paging requests captured, as you can see in this picture. Here is another proof of concept which points to an IMSI number. So in this picture you can see all SIM card details which an attacker retrieved via OsmocomBB. In another scenario an attacker can take advantage of an open source script called TMSI sniffer to sniff all TMSI numbers on board.

What is a TMSI actually? As I told you before, because the IMSI number is a unique value for each subscriber, it is very important to exchange the actual IMSI number less in radio networks. Components use the TMSI, which is a random number based on the actual IMSI value, to reduce the risk of IMSI disclosure, and here you can see the attacker sniffing all TMSI numbers on board or in the field. If GSM technology is in use, or an attacker can jam the LTE or UMTS frequencies to force the network to downgrade to GSM, the attacker can review the network encryption level to analyze the security level, or maybe there is no sufficient encryption, and this is very good news for a hacker.

Well, well, well, this is the time to clone passengers' SIM cards. It's interesting. To do this malicious scenario we need just some basic info regarding the targeted SIM card, which was gathered from previous stages, and a SIM card reader or even our Osmocom environment.

Okay dear passengers, I have all your mobile devices' TMSI numbers and we are going to perform denial of service. Okay, so this is our first DoS scenario, and in this case we will take advantage of the IMSI detach request to disrupt mobile node availability in the radio network. So here is another way. So passengers, please don't worry, because we are going to DoS again. In this case the attacker will abuse paging requests and will respond to them instead of the real mobile node.

So most mobile network operators, or MNOs, and service providers all around the world are still using traditional and vulnerable mobile technologies like GSM and UMTS. So in this case all mobile core network vulnerabilities like SS7 and SIGTRAN are possible, because the attacker also has the passengers' IMSI numbers. These attacks fall into approximately four classes: fraud, spoofing, denial of service and privacy violation. For example, sending a purge query, which is a MAP or Mobile Application Part message, to the core network will purge a subscriber's information from the database, or even DoS the passengers using the update location message, or cause impersonation.

So now I'm gonna talk about other attack vectors inside the core network, and that is exploiting the onboard mobile nodes using packet data. The picture illustrates the connection between the airplane and the core network, specifically packet data: by using air-to-ground, the airplane is connected to the base station. After that, using the S1-U interface, the data will reach the serving gateway, and the next node is the packet gateway, which is connected to the internet or any PLMN. Okay, so in this scenario the attacker will cause data or packet manipulation, availability disruption or even fraud by performing a brute force attack on the TEID or tunnel endpoint identifier. Actually the TEID specifies GTP or GPRS Tunneling Protocol endpoints for transmitting the data. So in this case a packet data request is sent to the core network from, for example, a passenger. However, during the procedures of transmitting the data between the mobile node and SGW/PGW-U, an attacker is brute-forcing the TEID to exploit it. So the connection is disrupted and the attacker can perform denial of service, fraud etc.

Hey folks, that's awesome, because again we are going to perform denial of service, manipulation and fraud, this time by abusing GTP or GPRS Tunneling Protocol, which is playing a vital role in the packet core. These are going to be done because the attacker has the passengers' information. In this case, like the previous one, the attacker will abuse the GTP Delete Session Request to cause DoS or even impersonation, as well as the Create PDP Context Request. After these procedures the attacker could take advantage of in-flight passengers' data sessions to perform fraud, terminate passengers' data flow or even intercept the data.

Thank you my dear friends for your attention. You can stay in touch with me on Twitter and LinkedIn, and many thanks to the Aerospace Village organizers and sponsors for delivering such great events. I will come back soon with my new research and hope to see you soon. Stay safe.
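As an added, defender-side example (not from the talk or the speaker), here is a small Python detector for the GTP-C abuse described above: it decodes GTPv2-C headers (3GPP TS 29.274) and flags Create/Delete Session Requests that arrive from peers outside an allow-list of known core gateways. The peer addresses and sample packets are constructed assumptions, not real operator data.

```python
import struct
from typing import List, Optional, Tuple

# GTPv2-C message types (3GPP TS 29.274) that create or tear down a subscriber session.
SENSITIVE_TYPES = {32: "Create Session Request", 36: "Delete Session Request"}
# Constructed allow-list of SGW/PGW peers expected on the GTP-C interface (assumption).
TRUSTED_PEERS = {"10.0.1.10", "10.0.1.11"}


def parse_gtpv2_header(data: bytes) -> Tuple[int, Optional[int], int]:
    """Decode a GTPv2-C header and return (message type, TEID or None, sequence number)."""
    if len(data) < 8:
        raise ValueError("truncated GTPv2-C header")
    flags, msg_type, _length = struct.unpack("!BBH", data[:4])
    if flags >> 5 != 2:  # top three bits carry the GTP version
        raise ValueError("not GTPv2")
    teid = None
    offset = 4
    if flags & 0x08:  # T flag set: a 4-byte TEID precedes the 3-byte sequence number
        teid = struct.unpack("!I", data[4:8])[0]
        offset = 8
    seq = int.from_bytes(data[offset:offset + 3], "big")
    return msg_type, teid, seq


def check_message(src_ip: str, data: bytes) -> Optional[str]:
    """Alert when a session-control message comes from a peer outside the allow-list."""
    msg_type, teid, seq = parse_gtpv2_header(data)
    name = SENSITIVE_TYPES.get(msg_type)
    if name is None or src_ip in TRUSTED_PEERS:
        return None
    return f"{name} from untrusted peer {src_ip} teid=0x{(teid or 0):08x} seq={seq}"


def build_gtpv2(msg_type: int, teid: int, seq: int) -> bytes:
    """Build a header-only GTPv2-C message (constructed sample, no information elements)."""
    body = struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00"  # TEID, seq, spare
    return struct.pack("!BBH", 0x48, msg_type, len(body)) + body  # version 2, T flag set


# Constructed sample traffic as (source IP, packet bytes) pairs.
SAMPLE_PACKETS = [
    ("10.0.1.10", build_gtpv2(36, 0x0000A001, 1)),   # legitimate teardown from a known SGW
    ("192.0.2.77", build_gtpv2(36, 0x0000A002, 2)),  # teardown from an unknown peer
    ("192.0.2.77", build_gtpv2(34, 0x0000A003, 3)),  # Modify Bearer Request: not watched here
]


def scan(packets: List[Tuple[str, bytes]]) -> List[str]:
    """Run the check over captured GTP-C packets and return the alerts raised."""
    return [alert for src, pkt in packets if (alert := check_message(src, pkt))]
```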