Welcome, DEF CON travelers! You found Ticketing to Take Off, an airport hacking Choose Your Own Adventure brought to you by the Aerospace Village at DEF CON. I'm Liz Wharton, Chief of Staff at SCYTHE, but today I will merely be your narrator, your guide, helping you through the decisions that have already been made, because you've made and created and voted on this adventure.
When we talk about airports and airport cybersecurity, and particularly when we talk about the aviation industry, cybersecurity in general, what we're forgetting is how far airlines and airports have come. That is, we've become more digitized; as everything is connected, as air travel has grown, so has the threat landscape. And so have, well, the attack vulnerabilities and the pieces that make up this adventure. Decisions that you've made from the time you leave your home, to transportation to the airport, departures, decisions made during flight, arrival, transit to your destination, all provide, well, additional players and pieces, but additional threats and opportunities for bad actors. As the GAO noted in a recent report, airlines and their IT infrastructure and their systems also provide opportunities for potential IT outage effects, from planning the trip, reservations, frequent flyer systems, to check-in, to boarding, to at the airport with the airline's mobile app, the airport kiosk, the check-in, the boarding, the baggage, the planes, the flight planning, the dispatch. All of these come together and have potential outage effects on, in some cases, systems that were not built nor designed for the amount of impact that they have.
But when we look at the playing field for our adventure today, the attack surface, it's not bounded like you find in most; in fact, it's quite expansive. As you'll be traveling through our fictitious airport, you'll notice that, well, not everything is in the same place, not every airport is designed differently.
So to create and craft policies, procedures, all the different pieces that will go into. What I hope you gain from today's conversation, and, well, future conversations, is that airports and securing airports, be it the physical, the systems, the software, all of the pieces that come into play at airports, is not easy. In fact, we may not even get through or scratch the surface of all the different parts. Because, well, who knows, between cyber squirrels and different choices that are made, you may not even get past, well, ticketing.
Because within the airport attack surface, you also have a lot of players. You have, from air traffic control to the mini cities that airports truly are, to security, to your gate. It's a minefield protected and controlled by airlines themselves; each of the airlines plays a part in this. Other authorities, be it the local governments or other authorities, to the different, well, local law enforcement, to the FAA, DHS, security, concessions, vendors, the electricity, all the different telecommunications services that flow into each airport. Well, those are a different provider. For example, at the Atlanta airport, power is provided by Georgia Power under different agreements that have been put into place. So whether those provide opportunities for protection or vulnerabilities is open.
Also, you have to look at the third-party providers, the multi-use software and systems. And so Garmin recently provided a great example of, well, when we think of Garmin, what do we really think of? Do we think of the watch, the directions, you know, tracking our steps, etc.? To the fact that Garmin provides aviation services from flight planning to mapping, and that when a ransomware attack hits Garmin, it's also impacting the avionics, the airports. And a shameless plug: for a breakdown of the recent Garmin ransomware attack and attack vectors, check out SCYTHE's Threat Thursday in the news.
And when we're talking and weaving our narrative story today, we also have to look at what is the intent. When we have incidents such as glitches, breaches and, well, agent cyber squirrel hitting airports, the intent and the result matter, but what we sometimes don't are is chaos, criminal, carnage, or really, is it just an oopsie that results in chaos, criminal activities or carnage? And further, what are the incident impacts? A power outage at Delta's operations center in August of 2016: $150 million and two days' worth of cancellations. A software glitch with one vendor provided worldwide check-in and booking issues. A data breach results in fines at one airport. A Southwest computer outage led to $177 million of damages and three days of outages and flight disruptions. All of these potentially could have been worse, and all of them, well, potential threats. So from ticketing to take off, it's going to be quite an adventure.
Shall we begin? And beware, and warning, because this talk is different from other talks, other technical talks and other talks in the Aerospace Village, for in this talk, you and you alone, the things you voted in the Twitter polls, are in charge of what happens. The mission was to see if you and your data can make it safely to your flight, from ticketing to take off. You have to dodge the delays and the data breaches. So shall we begin?
It's time to pack your things and head to the airport. And our first decision point: do you decide to pack it all, check it back? I mean, you're going to Vegas for a week for DEF CON and all of the other villages. Or do you bring a carry-on, put it back and see what happens? Well, you chose a carry-on. Wise move, because airline baggage check-in and tracking has the potential for delays, not to mention data breaches. So now that you've got your backpack on, and you're about to head out. It's a digital and app world; who even has a printer at home these days?
Do you have your boarding pass and your ticket? Do you print it at home? Do you use the airline's app boarding pass? Or, like me, I do a combination; I also take a screenshot of my boarding pass should something go wrong. It's almost evenly split. But did you choose wisely? You chose to print your boarding pass at home. Well, well done, because ticketing frequently leads to, well, delays and data breaches.
Now that you have your bags packed, your tickets in hand, and you're heading into the airport, you know that sometimes there are long lines at ticketing and check-in. And what if you want to switch your seat before you actually board the flight, depending on what you see around you? So DEF CON Safe Mode, secure aerospace travelers, what do you decide to do? For the overwhelming majority, you chose to check in online with the 24-hour advance window, avoiding the kiosks and, well, the airline app, because you know the check-ins are, well, the threat there are delays. So much so that when a third-party provider covers, well, most of the airlines, you see a 30-minute outage of their software can lead to three airlines going down. A couple days later, a different airport service provider covered five airlines in 40 minutes. Sabre was at it again on April 29, just less than a month later: 90 minutes, three airlines.
You've checked in online, you've shown up at the airport, and you're a seasoned road warrior, even if it seems like forever since, well, our last flight. Cutting it close to departure time, and it's a big airport, flying on a weekday morning: bold move. How are you feeling, lucky? So for the fourth decision point, DEF CON Safe Mode, secure aerospace travelers, what did you decide to do: TSA PreCheck, CLEAR, or regular TSA security lines? Most of you seem to be, well, hesitant with the facial recognition that comes with CLEAR, but you're okay with providing some data and information because you're TSA PreCheck.
Well, what seems like a safe move could lead to delays and a data breach. Well, here's what happens. Is it security theater, where you have moving parts and multiple players? Because when you have nationwide US Customs computer outages causing gigantic lines at airports, you had JFK, LAX, SFO, Philadelphia, O'Hare, Midway, Sea-Tac and other airports all confirming delays. Our airport is probably hit by those. So, not only do you have a delay with PreCheck, but one of the recent trends has been for one provider to provide some of the software and systems support for TSA. In this case, facial recognition software provider and systems writer in EC. Well, pretty much covers European airports and mostly airports across the US. And while they take a long time to admit it, they've had a breach. The facial recognition data collected by US airline, US citizens, is stored for 12 hours, for between 12 hours and two weeks, and 75 years for non-US citizens. And that data is stored in several government databases, which border officials can pull up when you're arriving or leaving the US, including at airports. And well, any seat is not very good at confirming their security breaches or giving a lot of detail. So in this case, you didn't avoid the delays, and you didn't avoid the data breach, but you made it through security. Because when you have these data breaches, well, quite frankly, what are you going to do?
Well, worrying about that check-in and their security lines can be a headache. And of course, you forgot to pack your headphones. It's a long flight ahead of us to Vegas. So DEF CON Safe Mode, secure aerospace travelers, and do you stop what you're doing because you've got to have your headphones, noise-canceling headphones? And knowing your luck so far, there's probably going to be a screaming child or disruptive, I don't know, people. So do you stop and buy them now, or maybe we'll wait a little bit, if there's a place to buy some closer to the gate?
We'll go with that. Or, quite frankly, you're feeling lucky, you're going to go for a roll of the dice and, well, who cares. Well, a slight, slight, slight majority went with who cares. You'll figure something out and you'll find a way to entertain yourself without your headphones, which, when it comes to airport vendors and the threats of data breaches, probably wasn't a bad idea.
So now you've made it to decision point number six. Your departure gate is farther from the main terminal than you originally thought. It's time to move and get in those steps, but quite frankly, who wants to carry our bags that far? I mean, keeping in mind, we've got a carry-on and a backpack. And while, while we've got our traveling shoes on, we haven't been exercising quite as much during COVID. So DEF CON Safe Mode, secure aerospace travelers, what do you want to do? Do you want to take the people mover, take the airport train? Or, one two step, let's walk there. And you chose to walk there, which, while we're going to get in the steps and we're going to walk this way, we had a double whammy: both delays, as well as the dreaded agent cyber squirrel. Well, in this case, just an agent squirrel, because LAX on Thanksgiving Day 2015 had cyber squirrel reports: a squirrel plus a transformer, which in this case, while the power outages weren't severe in the surrounding area, at the airport you had the moving walkways, the elevators, the escalators, the screening equipment, the baggage screening equipment that just stopped. So while none of the outages completely shut down the airport, well, for those of us trying to get our bags from security checkpoint to terminal, it's going to be a little bit of a long hike. All those speedy ways to get there are no longer at our advantage, thanks to Captain Chaos cyber squirrel.
But we finally made it to the gate area. And, well, decision point number seven. In this case, you know, beer pairs well with breakfast, right?
We have had to deal with all kinds of different challenges. And, well, there are no seats at the bar. The restaurant doesn't look too crowded. And, well, a table it is, if that's what we want to do. So DEF CON Safe Mode, secure aerospace travelers, what do we want to do? Do we, okay, take time, stop for one and one only? Because, well, again, beer pairs well with breakfast. Or do we decide to wait a little bit? Because quite frankly, we're in first class. Did I mention we only travel first class? And first class has beer, even in the morning. And it looks like the majority of us, well, chose beer, first class, not going to stop, which is not a bad thing. Because one of the other hidden hazards is the point of sale systems, and the threats in restaurants, data breaches. Not only that, there's also a potential for delays. You don't know what systems the airport or restaurants in airports are running off of. Are they bringing in their own Wi-Fi network, or are they piggybacking off of an airport facility's or nearby vendors' or others'? Are they piggybacking off of, well, free airport Wi-Fi? That's not secure.
But there's no rest for the wicked. And as we reach decision point eight, well, not only is there no rest for the wicked, there's no rest for travelers with laptops and deadlines. Because we don't get to fly first class, and we're not heading to DEF CON, unless we're big shots, and we need to review a draft file and respond ASAP. So we pull out our laptop and, DEF CON Safe Mode, secure aerospace travelers, what do we do next? Do we tether to our cell phone to connect for Wi-Fi? Do we use the airport's free Wi-Fi? Or do we carry a cell tower in our backpack? Because, you know, Wi-Fi Pineapple and Wi-Fi Cactus, they could have made it through airport security. So let's see.
And while we do miss the sights of Pineapple Wi-Fi cell towers in our backpack, the good thing is, is our data coverage on our cell phone will allow us to tether to it, which, tether, not to free Wi-Fi, because the threats there are data breaches.
So as we've sat, we've reviewed our documents, and we're looking around, we've reached decision point number nine, because storm clouds are gathering on the horizon. And we think, hmm, there may be potential flight delays, locust storms. It's not winter, but still, stranger things have happened. And what happens if we miss our connection? Luckily, the airline we're flying on has an app. We can see over in the distance that there's a counter. There's a little bit of a line at the counter, but not enough to deter us. So what are we going to do? One, are we going to face down the storm? Because as DEF CON Safe Mode aerospace travelers, let's admit it, we are the storm. Do we use the airline's app and switch to a later flight? Or do we go up to the counter and talk to the person from the airline and attempt to rebook? In a slight, slight majority, we decide to go up to the counter and rebook, which turns out to be probably a pretty good idea, because airline ticketing systems and those apps both have delays, because if the app is out or hasn't been developed, you have problems with data breaches. For example, EasyJet had 9 million travel records taken in a data breach. And British Airways was fined a record $230 million after a data breach exposed the booking details of over half a million customers. Hackers had siphoned off thousands of credit card numbers after installing skimming malware on its website. So it's a good thing we didn't go to the website or use the app, because that would have been bad. Instead, we just talked to a live person, which is daunting enough, but at least we're still on track for our flight. Yet, because check-in counters do have software glitches as well.
And, well, unfortunately, as highlighted by the Greater Toronto Airports Authority, they had an outage with their airline check-in system that impacted processes at both terminals one and three, and had IBM technicians working with the technology authority to solve the problem. So the fears aren't always just the airlines. You also have to look at, well, what happens with the airline authorities? And are they providing assistance? Can they have those handles? And what happens when their systems go down? In Toronto's case, if you had checked in online ahead of time, which we did, you would have been fine. But then what happens when you're trying to rebook? And if you're having checked baggage and having to move through the airport, it caused additional delays. So unfortunately, in our journey, we've had the potential, we've avoided most of these data breach issues, but we've been delayed. Not enough to miss our flight, but we've been delayed slightly, which leads us to, we finally get to our gate.
We show up and it's decision number 10. Surprise. It's a gate change, and it's a crowded and noisy terminal. And let's be honest, who can ever truly hear what the airline attendants are saying when they're announcing where you're supposed to go? Because we didn't catch it. The PA system was terrible. Now, where did they move our flight? What gate? Is it even on the same terminal anymore? We need to find out. So DEF CON Safe Mode, secure aerospace travelers, what do we do? Do we check the nearby display screens? Do we go to the airline app, cross our fingers and hope that it's updated? Or do we ask a stranger nearby? We've already spoken to one person. We spoke at the counter. That's a lot of peopling for one day. So an overwhelming majority didn't trust the app. Instead, we chose to check the display screens. Well, gate display screens are one of the big areas for delays. And what do we mean? You knew it was going to pop its head somewhere in the story. Well, ransomware.
It's not just about taking down data. It takes down the systems as well. And in this case, the, well, Bristol airport got to find out exactly what that means, when in 2018 ransomware took out their signage with their gate information. Staff were left with having to hold up whiteboards directing people to where their flights are going. So in real time, they are having to take that information, write it out. And what happens when they start running out of whiteboard space? Well, they found out, cause delays. So again, not a data breach, because our data information isn't on those screens. But instead, it did cause a delay. We're cutting it awfully close to departure time, aren't we?
Well, it's about time for boarding. And we think we found where the right gate is. But at decision 11, hmm, what happens when the direction that we go? I mean, we can either go right or left. And we're savvy travelers. And while our frustrations are mounting, we're not going to panic. No, instead, DEF CON Safe Mode, secure aerospace travelers, what do we decide to do? We can risk it, go left; if it's wrong, we'll go right. Well, turns out that airport has its own app that, of course, while we're bored, we downloaded it, and we can talk about whether to download stuff to our cell phone without properly vetting. But it also has a navigation feature. We want to choose that. And again, we think about the issues with Garmin and all the other, well, where's our app data being sent? Where's our location data being sent? So maybe we're not going to go there. And while we know some of the signage in the airport is out, surely not all of the signage is out. We can check the digital directory signs because, you know, they're running on a different system, aren't they? Spoiler alert: most of the time, no. And the other thing is there's hidden dangers with the directory signs as well, because let's think back to, oh, I don't know, some of the botnets.
The Mirai botnet that liked to target IoT devices. Those LG screens you see all around the airport, what are those but waiting, danger, waiting to happen? In this case, we're going to risk it. We're not going to panic. We're going to check those digital directory signs because surely, surely they're not all hit. Again, get ready for delays again, because ransomware has hit multiple airports again, impacting the digital signage around the airport, displaying, again, only black screens. Cleveland Hopkins International had this happen in April 2019, you know, back when people flew still. And took out their computing systems as well. So like that, you had to worry about whether their email, their internal app, their internal direction, if they're able to get some of the information at it. So, once again, it wasn't our data that we were worried about as much here, but our ability to catch our flight. We're getting really delayed here, which leads us to, okay, we finally found the right direction. We're heading there. We're almost there.
We skipped that beer, because there was going to be some of that in first class. So we're walking by the newsstand, and we spot the bestseller Burn-In book. And we've been meaning to read it. I mean, August Cole and Peter Singer did a great job, we heard, in bringing and predicting all of these IoT-connected smart city, and one of my favorite, drone issues. And, well, we heard that lawyers get the short end of the stick in this, and who doesn't like to see bad things happen to lawyers? So DEF CON Safe Mode, secure aerospace travelers, what are we going to do? Are we going to stop, get a book and, oh, wait, look, there's a sign. And checkout says, if you pay via this payment app, you'll get a free coffee. So we didn't have a beer. Who doesn't want a free coffee? So do we decide to go for the coffee? Or buy the book, skip the coffee. We don't need another frequent shopper card. We don't need another stamp.
And again, it's on our business credit card. So who cares? I would never do that. I would never pick that one. But the purposes of our narration cream. Who cares? It's the company's card. The data gets stolen. Not our problem. Well, luckily, you chose to buy the book and skip the coffee. Solid choice and excellent read, especially considering, well, you didn't pick up the headphones. Because again, the payment systems and the shops are notorious for data breaches, as well as, well, best practices. And with those third-party payment apps and different things, even within the airports, you've had currency exchanges go down to different attacks.
So, okay. We finally made it to the gate. And, well, we've made it to decision lucky 13. We've grabbed a seat in the boarding area, and we notice that our cell phone battery is really low. I mean, we tethered it so that we could send and review those documents and those files. And, well, how are we going to tweet and text from the flight? So, savvy DEF CON Safe Mode aerospace travelers, what are we going to do? Use the extra charger you're carrying in your backpack? Because while you're not carrying a cell phone tower, well, you do know to pack an extra charger. Do we wait, risk it, because we are first class? And as we know from flying first class frequently, there's chargers, or there's outlets, and there's our free beer. Or do we go and find an outfit, or excuse me, an outlet, because quite frankly, you never know. Again, tweeting, how else are we going to show people that we're sitting in first class, if we can't tweet a picture of us sitting in first class, holding our free beer? Well, charging devices. Well, in this case, we're going to fall victim to agent cyber squirrel. Because he, just, cyber squirrel, Captain Chaos, likes to cause brief power outages. And again, in this case, it was the Buffalo Niagara Falls and Niagara International Airport: caused a brief power outage. It affected gates.
Well, a select number of gates. It only caused one flight to be delayed for a few minutes. But in this case, luckily, we had our charger with us. So while agent squirrel caused a power outage at our gate, again, he didn't cause us to have any issues because our backup charger was fully charged.
Well, decision time. It's finally, the gate agent is calling our flight, and don't forget, we're first class, because that's how we roll. And with first class, we're the first ones to board. Oh, lovely. The airline is testing facial recognition for the boarding process. And you notice the line is piling up. So what are we going to do? We've made it this far. We have really cut it close. And quite frankly, we're tired. So weary DEF CON Safe Mode, secure aerospace travelers, what do you decide to do? Do you opt out because you've heard all those stories about facial recognition? And you know that a lot of those algorithms are wrong. And that's not to get into you. Well, quite frankly, it's just an upfront. You're not looking picture perfect right now. It might as well, if it's going to keep the boarding process moving and if it's going to be convenient. Sure. But we did get that new AI facial recognition defeating tattoo and makeup. And while it was funny going through security, we're so close to boarding our flight. In this case, you decided to stand up on principle. And no, we're going to opt out and use the paper boarding pass. Well, not only does facial recognition at the gates, and also throughout the airports, but ticketing, cause data breaches. And what happens, are you going to get a new nose job because your information, your biometrics are out there? It also causes delays. So you can opt out. But that's opting in to wait and wait and wait. Because as we've learned through several different approaches that, yeah, you can opt out.
And Zack Whittaker has a whole article from May 2019 that walks you through it, but know that opting out means they're going to go manual, so that the airline staff will manually check your passport or boarding pass, like they would normally do when you're boarding a plane. And that also means you've got to sit to the side, and everyone else who's going through the facial recognition is probably going to bump up ahead of you. So what's the point of having our first class perks if we're going to sit to the side? Well, that's assuming the facial recognition technology and equipment is even working. Because according to one of the watchdog groups, the facial recognition systems at airports only worked 85% in some cases. And quite frankly, we've got that new face tattoo. And while all those delays and delays and delays, we're waiting and waiting and waiting. Well, and that's okay, because quite frankly, we still made it onto our flight, with our data breached through several different choices, as well as our delays.
But when the weather clears, and our flight's cleared, from ticketing to take off, we've made it. And really, through this hacking adventure, we've learned several different things. We've watched how the airports, the airlines, and, well, vendors and different service providers all play together. And all some of the pressure points for where cybersecurity has a lot of policy has a lot of room for development. But one of the other things to keep in mind is with each of the choices, there was a lot that we haven't uncovered, or that we didn't get to discuss, much like the Choose Your Own Adventures. You chose, well, wisely, but you also chose poorly. You didn't die of dystery. You didn't die. Or excuse me, you didn't die of dysentery. You didn't die from agent cyber squirrel.
But it's opened the doors and discussions to see how you would do the next time you go through, whether you would make the same choices, because from ticketing to take off, airports truly are a hacking Choose Your Own Adventure. It's been fun to be your tour guide. I encourage you to check out the rest of the Aerospace Village and all that DEF CON has to offer as we go into Safe Mode and go digital. Find me at LawyerLiz and also follow SCYTHE at scythe_io. Thanks for flying with us.