We're going to talk a little bit about hacking airplanes without, kind of, making a mess about it. Just as an example, this is me on an aircraft, heavily censored. I hope you can't really know, you know, where is it? What kind of aircraft is it? But just as a heads up, we're going to talk about, like, commercial aviation.

So I'm Zoltan. I work for F-Secure as a, you know, computer toucher. Lately, we've been doing quite a few aviation gigs in the past few years. And this is my colleague, Ben.

Yeah, hello everybody. I'm Ben. I'm working with my fellow Zoltan, so both at F-Secure. I have a background in avionics and IT security, but currently I'm sick. So please bear with me if I'm talking some stupid things.

So basically this talk is based on a talk done by Andrea Barisani a while ago. So thanks and heads up to him as well for that. So basically we're going to do a brief introduction into what are the root causes of miscommunication within the aviation industry and how these things are happening. And then we will give an overview of actually understanding the industry and how to actually collaborate with them and work with them in a good way and in a productive way. So we will have some analyzed examples as well to show. And then we'll have some closing remarks afterwards.

So basically there have been quite a few years where there has been a lot of media coverage and FUD around the aviation industry and how security is being done. And it's partly depending on that actually journalists who are actually publishing this information don't actually know security, and they might even less likely know cyber security from an aviation perspective, so they don't necessarily have the insights, and they might not be able to get the right information from within the industry or from within the experts in the industry. And especially, like, looking at the aviation world and how complex it is and how many stakeholders are involved and what these stakeholders are actually doing.
The journalists, or the media coverage, most of the time is missing the whole picture and actually what's happening behind the curtains, which people sadly can't really talk about sometimes. And then as well, if you look into research communities, they sometimes just want to inflate the issues, and as well they don't necessarily do it on purpose, because they might not know better, but it's hard for them to actually get this information from within the industry or from within, like, certain organizations which are there to help as well.

So yeah, just a couple of words about how the industry actually looks from a bird's eye view, basically. On this picture, we found this picture in the Airbus Technical Magazine. It's a pretty good summary of all the players that are involved in securing the skies, if you will. So just an example: you have the operators, i.e. the airlines; you have the ANSPs, your ATCs and navigation service providers; you have your airports; and you have all the manufacturers that work together to build said aircraft or just to supply additional components for the operators to integrate onto their aircraft that they bought from the manufacturers. And all of this is a really closely knit community which is not really open, or hasn't been open so far, to external input. Hopefully this is going to change in the future for the benefit of everyone, but generally whenever there are issues reaching the news and media, for example, these issues are very complex, and we are going to talk a little bit about the mitigation efforts that go into fixing these issues as well, and you'll see that those are not easy either. So, yeah. And as I mentioned, the industry is really entangled, so there's a lot of players involved and each is dependent on the other.
So whenever there's a vulnerability, let's say in an LRU for example, that is supplied by one manufacturer, it needs to be fixed there, and then it needs to be tested, certified, installed, maybe even retested in the whole integration of the aircraft, and these things take time. But we also get into the point where we learn a little about the domains.

So yeah, basically new aircraft like the Airbus A350 or the Boeing Dreamliner are designed with security in mind, and there are certain implementations to actually separate these domains. Just to summarize, I'm going to go from the right to the left, so from the most critical domain: the aircraft control domain, which is literally, like, autopilot, flight controls, navigation systems. Then we have the airline information services domain, which covers systems which are SATCOM for example, as well as whatever systems the pilot EFB or the cabin crew needs to use. And then there's the passenger information, entertainment and services domain, which is the inflight entertainment, the inflight connectivity systems which are actually being connected to the passengers themselves. And these domains are separated within the design, and there are certain practices like domain separation being implemented, which we're going to cover in a second.

So what I wanted to cover as well, just had to look at my notes, so basically this is new aircraft, but there are the legacy aircraft which are, like, flying forward a few years, a few tens of years, and they don't necessarily have this kind of domain separation. But again, they are not as connected and interconnected, and the systems are more isolated within the environment, and whenever there might be an update to the systems, for example when they add inflight connectivity to a legacy aircraft, there are certain requirements and controls being implemented from the manufacturers and suppliers to actually ensure that these additional connectivity functionalities don't actually expose the critical systems of the aircraft. So there are still some controls in place in that case as well.

So to go a little bit more into the details on the domain separation: in this example I'm just going to show data diodes, but there are other things like multiplexers and signal switching as well, how you can actually ensure that you are separating these domains. And obviously you need bi-directional communication between domains, even though you might mostly just want to send data from the avionics control domains to the passenger domain, for example: everybody wants to see where the plane is flying, how high you are, how fast you are, and this is all information coming from the aircraft control domain. But it's in a controlled manner, that actually this is only flowing from the control domain to the passenger information service domain, and whatever connection you might have to have to get back, that's strictly controlled and tested independently as well, to actually ensure that this is effectively implemented and separated.

So we just mentioned testing, right? The whole point of this talk is to give you an idea about the hard work that is actually happening behind the scenes that most people don't even realize, and as we mentioned, we've been doing some testing as well for the past few years, so we kind of have an insight that we can share with you. So basically, when it comes to, like, certification of an aircraft and the security of any addition to an aircraft, or during even design and building of an aircraft or any component on these planes, there are some standards and guidelines that need to be taken into account. So everything is really well planned, and all testing is performed according to, for example, these guidelines. Basically you have the design assurance levels: each component has their own design assurance level, which basically dictates what would happen if that component would fail. So let's say DAL A would be catastrophic, like flight controls, FMS, things like that would have a really high design assurance level, and in turn this connects to the security assurance level which these components need to reach during the certification process, and this is where testing comes in.

So again, there's loads of testing involved, even internally but also externally. So let's say you have a manufacturer: they do their own design, they do some of their own testing, but most, a lot of the times, they also do third-party testing, which is better for everyone. The more eyes you use, the more independent even eyes you use, the better results you'll have; everyone thinks differently. So basically this is what happens, and when it comes to security assurance level testing, it's also important to remember that everything is planned into the testing activities that would have, like, from an integration perspective, let's say you have different components with different SAL levels, and the higher the SAL, the higher integrity, the more critical the system is, and it is ensured during testing that lower integrity, lower trusted, or like less trusted components cannot really send messages or control higher criticality components. So there's no, for example, uncontrolled communication between a SAL 0 to a SAL 3 or 2 component, and everything again is planned.

So how are these activities performed? Well, this is where aviation is not different at all from your regular security testing, really: you start with attack surface mapping, you do risk analysis, and then you build some threat scenarios, and then you start testing. So this is like a mix of everything, really. You have to think about procedures, you have to think about physical security, and when you actually do, like, the computer-touchy testing, you start from the hardware layer up to, like, the higher levels of software. So as Ben already mentioned, for example when you're testing domain separation, you're looking at schematics, you're looking at the implementation of those hardware diodes, those signal switches, those multiplexers, and you ensure that the communication is controlled, filtered, and only the thing that needs to go through actually goes through, right? And whenever you're doing, like, unit testing, so the independent component testing, you assume that the lower-tier SAL components that they are connected to are compromised, right? That's the base assumption; that's, when doing security testing, you always use the worst case scenario, so you get higher grades of security.

And this is also one of the challenges. So unit testing is one thing, when you take one component and test it on its own, but when you actually integrate it into an aircraft or any other system in the aviation sector, or anywhere else really, this is not different from any other security testing practice: integration testing can be very difficult, because there are lots of NDAs, there's lots of intellectual property, there are lots of different companies starting to work together, but they're also selling stuff to each other, and they need to ensure that their property is their property and no unauthorized access is reached. And then when you have third parties coming in testing your stuff, you also need to be careful about what kind of accesses you give. And this is also an opportunity, or one of those hazards that are in the aviation industry when approached from a security perspective, that these things can take time and things might fall through the cracks, and this is very important to keep a sharp eye on, and better openness to some extent would be needed in the industry in general. And you also have to remember that realistically there's no such thing as 100% secure. You can do testing with the best hardware hackers in the world, which you actually kind of have, but even then you have time limitations, you have visibility limitations, you might not have white box access or, like, source code access or full design access to all the connected components that you're testing, you cannot always know what kind of data you might receive on the buses, be it CAN, ARINC, Ethernet, whatever, so you have to do fuzz testing, which takes time, and projects have time limitations again. So it's complex, so there's no such thing as 100% secure; it's all about mitigating the risk to the lowest possible.

So just to go into a bit more detail about the security engineering efforts which are actually done in aviation: so basically this picture nicely represents the Swiss cheese model, which is kind of like, you normally have more than one control in place within security, so within aviation security. So basically, during the design and development phase, you define your criticality of your system, actually what interfaces you have, how exposed the system is going to be, and where it's actually allocated in the architecture, and then you have to define what kind of controls you actually need to have. So as we've seen before, there might be DAL A systems, for example, that you need to have SAL 3 and SAL 2 security assurance level implementation, so you need two independent controls implemented within this architecture or this interface to actually have some kind of assurance that you're on the secure side in these kinds of things. And so basically this involves requirements capturing, risk assessments, as well as, like, the hardware/software design, and actually seeing, like, how do you actually implement these solutions and what kind of tools are you using. Then in the integration phase, basically all these systems are coming together. So you as an aircraft manufacturer or integrator, you don't just do everything yourself, so you're depending a lot on suppliers and third parties which are actually designing the systems, and you might just buy commercial off-the-shelf systems. So basically you need to ensure that your definitions of controls are actually being implemented and that you actually can test them as well to actually have this assurance. Then, if you go into the deployment phase, actually when the operator is using this aircraft, so basically you're not done with security, because the plane is going to fly potentially for 30, 40, 50 years maybe even. So you need to ensure that, like, the operator, the airline, actually knows how to actually use the aircraft, not only from a safety perspective but also from a security perspective: so what kind of environment they have to set up, how they have to secure this environment and ensure that actually, like, the aircraft is staying in a state you have defined. And as well, like, when it comes to vulnerabilities, you have to have a solution which actually, like, ensures that whenever you find vulnerabilities or the operator runs across a problem, that this is actually reported to you and you can actually investigate what's being done. And obviously this involves as well continuous testing and vulnerability management to actually see where you are with your current system and what actually vulnerabilities you're facing, what new threats you're facing. And just one second... so yeah, basically it's like you're having a long exposure time, and you need to make sure that during this whole operation of the aircraft you actually can ensure that it stays secure.

So we're going to have three small examples. I'm going to start off with something from the aircraft control domain. So basically it's like a CAN bus which is allocated in the safety critical environment, and as we have heard before, like, the CAN bus is quite frequently used on an aircraft, especially on, like, general aviation, but as well, like, there are some implementations in commercial aircraft as well. But basically there is, like, a CANaerospace definition, which is kind of like the CAN definition for safety critical environments in the aerospace industry, and most of the time these CAN buses are only used to complement other safety critical protocols, for example like ARINC 429 or AFDX. So most likely, if you have a CAN bus on an aircraft, this is not directly connected to the whole avionics domain, but it's just, like, in a segregated environment; even though it's in the safety domain, it's segregated from the rest of the avionics on a commercial aircraft. But there are still, like, threats and areas you might have. So basically you have the maintenance phases where you repair the aircraft and take out nearly everything of the aircraft and just, like, do the whole maintenance work; there are insider threats which could have access to the CAN bus and tamper with it, and these are parts of the risk analysis which are being done during the design of the aircraft, and these are things which are being accounted for. So basically, if you have one of these CAN buses exposed within, for example, a more exposed environment somewhere in the cabin or close to the cabin, you can be sure that this interface, this CAN bus interface, is actually being identified during the design of the system or the design of the aircraft, and it's actually being tested, and most likely, not most likely, but it's not going to have a safety impact on the operation of the aircraft. Because if it would have a safety impact and if it would be exposed for somebody to be able to access that, this aircraft would not be flying, because it wouldn't be allowed to do that, it wouldn't receive the certification.

Another example that we've seen, or that is very relevant especially in the newer aircraft, which is in the airline information services domain, which is basically the data loading process. And the data loaders themselves, they are in the cockpit of course, used during maintenance to push software parts, updates, to certain LRUs, to certain components, in the ACD even sometimes, and this is of course one of those things that needs rigorous testing. You wouldn't want to have anything compromised during the update process; just imagine your iPhone downloading and installing a compromised update. So things similar to an iPhone update are in place for newer aircraft when it comes to data loading. That is also dependent on the manufacturer, that is also dependent on the operator actually, so each manufacturer has their own processes for data loading, and they still can't control everything, so that also means handing over control to the airlines operating those aircraft at some point, and then it also becomes the responsibility of the airline itself to secure further the data loading environment. And in newer aircraft those data loading environments are e-enabled, which basically means they use modern media, so not just floppies (they're still used, by the way, 3.5 inch floppies for example), but now you also have USB sticks, you also have WiFi, you have cellular, and you have Ethernet through, like, a maintenance laptop that you can connect to the cockpit. All of these transport media can be used to install the data loads, and each has their own security risks, right? Let's say, like, taking a USB stick: how do you send a data load to an airport, for example, which is not in your home country but where you have maintenance presence? You need to ensure the physical safety of the USB stick itself, and here non-technical or less technical controls come into place. And I know this is one, and it's not that technical, but just bear with me: imagine putting the USB stick in a sealed tamper-proof envelope; that's already a control, right? And of course on top of that you have an encrypted pendrive, you have your data loads signed and those signatures checked at multiple steps along the way, the last of which is the data loader itself on the aircraft, right? And these are all, you know, considered; these are all tested; threat scenarios are drawn and tested. So yeah, there's a lot of work going on in the background.

And then, yes, you still have your insider threats and you have your external threats. Like, let's say you have data loading on modern aircraft using cellular networks, you know, the airplane pulls up to the gate while people are, well maybe not done, but during the nightly maintenance phase you have engineers not even leaving the airport, because, let's say, it's, like, you know, above the Arctic Circle and it's freaking cold, so they just use these gatelink technologies to push updates. And in those cases WiFi and cellular networks need to be secured, and not just, again, the channel itself but also the updates, different procedures, and those updates need to come from the manufacturers through servers that are hosted with the airline, and the airlines need to secure those servers as well. Again, lots of risk, lots of testing going into these things, not always to the fullest extent, again because of all the different parties, intellectual property and things like that, but there is a lot of work going on, and you have to also remember that Swiss cheese model that Ben showed you.

And our last example, probably one of the easiest ones to imagine: let's say you have an aircraft with, like, inflight entertainment and connectivity, or little screens and your WiFi on board during flight. These things are the main things that reach the media when there is anything, like either a vulnerability or not even a vulnerability, just, you know, some miscommunication going on. So these things have the most exposure when it comes to, like, the general passengers, right? So when it comes to, like, the threat modeling of a component, IFEs and IFCs, which are in the PISD, have different threat scenarios: more exposure means more people to attack these systems or try to attack these systems, and even the less likely scenarios will have a higher risk potentially because of the media presence. But you have to think back to the DAL and SAL levels. I forgot to mention, but basically we can also identify two distinct categories of risks, security risks: one is safety, one is brand. The previous two examples that we've shown have a safety impact as well, so these are the DAL A through D, basically, categories with security assurance levels 3 to 1, and SAL 0 and DAL E, which is, like, if there is a failure there is no safety impact, and these are the least trusted components. And the other, IFC again, completely, usually, or should be as separate as possible from the ACD; of course there is some communication, but that should be only unidirectional, but these are most exposed. So these are taken into account when test scenarios are done, and in these cases it's usually, it's either the airline or the manufacturer who orders these tests from a consulting company, so we have this third-party perspective; we are not bound as such by the burden of information that is present when it comes to the design and the manufacturing of these things, so we have a clear set of eyes on these, and we also help draw these threat scenarios. And in these cases, again, as I mentioned, the brand and reputation risk when it comes to the airline itself is the most important, which means that you don't necessarily want your IFC to go down during flight, people would get mad and scream "hackers", or you don't want your paid Wi-Fi to be bypassed so people would bypass your whole payment process and have free Wi-Fi on your flight, or maybe you do and you don't care too much about that; excuse me, it's a case-by-case basis for different airlines, excuse me. And you have privacy concerns as well: we don't want your credit card information to leak out to unauthorized third parties, or PII, personally identifiable information. Sorry, excuse me, my voice is going a little bit; anyway, much better. So IFCs don't usually have a safety impact, so you have to think about that too when you are reading news about it: that if there is a vulnerability, or there might not be a vulnerability, but usually these don't have any safety impact on an aircraft, otherwise they would not be flying, right?

And just a couple of words about all the mitigation efforts that go into finding and actually fixing these vulnerabilities. In our experience at least, we've always had good responses from all the projects we did, even if it was for third parties, so, you know, we are consultants, we are approached by our clients who might be using third-party software and components that they want to test because they are integrating it into their environment, and we of course send the report to our clients, who would in turn send it forward to the actual manufacturer. The response was always positive; of course findings are challenged, sometimes we might not have the full picture, but again this is a team effort between us, our clients and the manufacturer, or if the client is the manufacturer then it's just one step easier. But you also have to consider that there are certification processes in place; you can't just push an OTA update and expect even your IFC without safety impact to have updated overnight. These things take months, literally, like half a year at least for a patch to be pushed out when it comes to, like, a security issue or some operational issue. And again, the flow of information can be better between the operators, between the third parties; sometimes the mitigation effort is further hindered, apart from the certification process, by the limited flow of information, which in our mind is a bit of a room for improvement.

Going towards the future work, how actually the industry can improve even more: so as we experience, we have a lot of, like, contracts with suppliers, manufacturers, operators, and it's really difficult to talk about it. So we would like to talk more technical, but yes, contractual agreements just don't allow us to be more transparent, and it would be nice to see that there's, like, more collaboration, especially between OEMs and operators. So if the manufacturer would collaborate more with the airline, for example, to actually share the risks they identified before, so that actually the airline itself can actually use this knowledge to their advantage as well. And as well, if it comes to testing, it's difficult to find agreements between third parties and OEMs or operators to actually agree on how the testing can be done, what can be done, because at the end it's a certified system, and having access to, like, an environment, a lab environment, to actually test the equipment, it can be really challenging, and this is something where it would be really useful to have more collaboration, to actually involve everybody who has the knowledge and the skills and the expertise to actually work on these things. And obviously, like I mentioned before, the aircraft are flying really long, like the first aircraft, the oldest aircraft still flying are probably like 40, 50 years old and they are still being used by airlines, and obviously there needs to be continuous vulnerability management and testing being involved to actually see that these systems are actually future-proof and actually can be used in the future as well, and integrating new technologies, that this is actually being done in a secure manner.

So basically there are a lot of efforts within the industry, and I think, like, few people already have run across, for example, the Aviation ISAC, or on the European side the ECCSA, which are actually, like, consortia of industry partners and regulators, to actually see where, like, to actually use this knowledge of researchers, to actually share the insights, and as well, like, there are working groups working together within the industry to actually define standards or, like, define guidelines how to actually do security within the aviation industry.

So the final point we want to make as part of the presentation is that there are, like, actually more security efforts being done in the aviation industry than is normally perceived. Like we said, it's hard to share these insights and actually to talk about it openly, but we can say that there's, like, a lot being done behind the curtains and that there are a lot of efforts being implemented, and actually that there's, like, a lot of collaboration going on as well within the industry and as well with external parties. And you also have to remember to use that pinch of salt more frequently when you're reading news and, you know, you're talking to or hearing about vulnerabilities. Some... I don't want to question the research effort that goes into this, because there is amazing research by independent researchers in the aviation sector. What we try to say is that they might not have the full picture; the vulnerabilities that they find, the actual technical bugs they find, are correct and true, again there's no such thing as a 100% secure system, but when it comes to the extrapolation of those issues for the whole sector, or even just the aircraft or the airline itself, there might be some things that need some second thoughts and maybe some further input. Again, if there would be security issues that would impact the safety of flights, those planes would not be flying, right? With some, you know, there's always an exception to the rule, but generally the industry is very much hard at work to increase the security of these aircraft, and it's been an increasing effort over the past few years; it's much better now than it was four years ago when it comes to the openness and the involvement of all the parties towards, like, security controls when it comes to, like, "cyber" security, sorry for cursing, but yeah, because security can also be physical, which is, you know, a big part of airlines and aviation in general, but the IT security risks are relatively new, and the effort's been increasing, and it's better and better every day and month and year. There's room for improvement, and again, just everything is better than expected, I guess, or like most people would like to think.

And that was us. I think we did it a little bit faster than we planned to, but if you have any questions, either ask here, we have, like, 15 more minutes, or we'll be around as well. But let's start here.

Yeah, so the question was Roberts' claims about controlling the aircraft through the IFE. We have no comments on that.

So the question was that we mentioned that the domain separation is relatively recent in aircraft manufacturing, and how recent are we talking here. So basically what we have to say is that there are two types of aircraft, like legacy and new generation, e-enabled, whatever you want to call it. As a couple of examples, the A350 is considered a new generation aircraft, so is the 787 from Boeing, for example. All of these are designed differently than the aircraft whose original designs were from the 60s and 70s, which are, like, examples like A320, 737, you know. But again, when we are talking even legacy aircraft and there is a new component, like an e-enabled component, put on these aircraft, there is a certification process, there is a lot of testing going on, with a different view as opposed to, like, the completely separated aircraft. And again, legacy aircraft have less of an attack surface because they come with less connected components.

Any more questions? Thank you for attending this talk. I hope you leave with a bit more positive attitude towards aviation security than you came in with, and see you around.