Hi everyone, and thank you for choosing this talk and watching our presentation. I hope you are all in good health and that the coronavirus pandemic will soon be over. I also want to thank the Aerospace Village team for allowing us to present our research. My name is Mohammed Reza Zamedi. I'm a cyber security researcher, mostly interested in cyber-physical systems and industrial control systems. My other two colleagues are Reza, who is a reverse engineer, and Javad, who works as a red teamer. If you are wondering why there are three of us for a 25-minute talk, I should say that this was the most time-consuming research we have ever done, because we had to make contact with people in the aviation industry, and it wasn't easy to find them. Finally, a flight engineer answered our questions, and thanks to him we have a picture of our work on a real flight management system.

This talk is divided into six main sections. First, I will talk about recent cyber attacks against the aviation industry, along with some basic facts about avionics systems and how these new technologies can turn an airplane into a target for cyber attacks. Second, I will explain what a flight management system is, which is one of the most important avionics devices found in a modern aircraft. After that, I will discuss some risk scenarios against flight management systems and how we can see them from an offensive perspective. Then I will explain the process of analyzing an infamous data integrity check mechanism and how we found a weakness that allowed us to bypass it. Finally, we have a demo of bypassing the CRC algorithm, and also of the malware.

Okay, here are some examples of recent cyber attacks against the aviation industry. The first one was the ransomware attack against a New York airport, and the same kind of attack against Albania's airport one year earlier. Also, in 2019, Robin Air Group declared that it had experienced a malicious cyber attack on the company's IT network the day before, causing it to cancel all its flights. And in 2018, a ransomware attack turned off the electronic flight information screens at Bristol Airport. These are only some examples, and we want to show that, compared with common malware attacks, a specially designed malware able to target avionics systems will be more challenging.

Okay, what are avionics systems? A literal blend of the terms aviation and electronics, avionics is a category of electronic systems and equipment specially designed for use in aviation. Avionics installed in an aircraft or a spacecraft can include engine control, flight control systems, navigation, communication, flight recorders, lighting systems, performance monitors, and systems that carry out hundreds of other mission and flight management tasks. Every modern aircraft, spacecraft, and artificial satellite uses electronic systems of varying types to perform a range of functions pertinent to its purpose and mission.

A flight management system is a fundamental component of a modern airliner's avionics. In many ways, it is like the GPS in your car, with waypoints programmed in between the origin and the destination. You program in where you are going, and off it goes. A primary function is in-flight management of the flight plan, using various sensors to determine the aircraft's position. The FMS can guide the aircraft along the flight plan. The FMS will allow the aircraft to hook up to its autopilot and maintain the heading within a few seconds.

Okay, typical flight management systems consist of a flight management computer and a control display unit, which enables display and modification of various parameters as well as allowing the flight crew to select the various FMS operation modes; a data loader is also one of its important components. The flight management computer is the heart of a flight management system, providing centralized control for navigation and performance management.
The FMS accepts information from numerous navigation sensors, including VOR, distance measuring equipment, and GPS. Data from each sensor is prioritized based on its known percentage of error and can be blended to provide the most accurate position information. The flight management computer has a programmable database containing radio navigation stations along with their frequencies, airports, SIDs and STARs, as well as first data for a runway. Because of frequent change, the database requires updating every 28 minutes. This is accomplished by loading electronic media files into some type of data loader, which can range from a floppy drive to a compact disc. In some cases, the data loader can be used to download diagnostics or pod data to the same type of electronic media.

The flight plan is generally determined on the ground before departure, either by the pilot for a smaller aircraft or by a professional dispatcher for an airliner. It is inserted into the FMS either by typing it in, by selecting it from a saved library of common routes, or via an ACARS data link with the airline dispatch center. All FMSs contain a navigation database, and the navigation database contains the elements from which the flight plan is constructed. These are defined by the ARINC 424 standard. The navigation database is normally updated every 28 days to ensure that its contents are current. Each FMS contains only a subset of the ARINC data relevant to the capabilities of the FMS. The NDB contains all of the information required for building a flight plan, consisting of waypoints, airways, airports, and runways, and also standard instrument departures and standard terminal arrivals, which we commonly call SIDs and STARs; these are procedures and checkpoints used to enter and leave the airways system by aircraft operating on an IFR flight plan.
Okay, the airlines have to download NDB updates from the website of the FMS vendor, and they will extract these NDB files using specific software and then copy them onto a floppy disk. After that, the technician will upload the NDB files via the data loader to the FMS. The interesting point for us is that the FMS device has a data integrity check capability and only accepts NDB files which have not been manipulated. Otherwise, the technician will face an error at the time of loading the NDB file.

Okay, so from an offensive standpoint, one of the most likely attack vectors is to manipulate the NDB files which are about to be loaded onto the FMS device. The attacker will only need to bypass the data integrity check mechanism, and after that will be able to manipulate some information which is critical for the flight.

Data integrity refers to the accuracy and consistency of data over its life cycle. Maintaining data integrity is a core focus of many enterprise security solutions. Data integrity can be compromised in several ways. Each time data is replicated or transferred, it should remain intact and unaltered between updates. Error checking methods and validation procedures are typically relied on to ensure the integrity of data that is transferred or reproduced without the intention of alteration. CRC, or cyclic redundancy check, is an error detection code. It detects changes in data as it travels from one computer to another by adding a code to the end of the data stream. The sending computer creates the code and the receiving computer checks it. If the codes check out, the data is accurate; if the codes don't check out, the data is corrupt.

Okay, so here's a real-world example. On the left side you can see the original message which is going to be transmitted. In the center we have the generator polynomial, or CRC generator, which comes from the algorithm and can be modified based on the different CRC algorithm.
So the point here is that we should add one bit less than the generator's actual length at the end of our original message. Okay, so this original message should be divided by our CRC generator. But the division of polynomials differs from integer division. The underlying arithmetic used for CRC calculation is based on the XOR operation, but I guess many of you have previous knowledge about it. It is very simple: the resulting bit evaluates to one if exactly one of the bits is set; otherwise, when the numbers are the same, the result will be zero. Okay, so we will continue this operation to the end, and finally we have a checksum here. This value is called the checksum. We should add this to the end of the original message, and the data is ready for transfer.

Okay, so on the right side, this is what will happen at the receiver side. If you look, we started here with some zeros and reached the checksum. So here the receiver will start with this checksum at the end of our message, and it must know the CRC generator. It is the reverse process of our previous mathematical operation, and it should reach zero; this way we can ensure that the data is not altered.

Okay, so how can we bypass the CRC check process? As you saw on the previous slide, the mathematical operation of the CRC calculation is not very complicated and is easy to analyze. After finding the CRC algorithm, we can implement the same thing on our side. The only step which is challenging is to understand the mathematical operation by reading the assembly code at the time of analyzing the CRC in a computer-based environment.

Okay, after bypassing the data integrity check, it's time to complete the attack vector. If we ignore the infection process, the attacker only needs to look for specific NDB files and manipulate critical data.
In addition to common malware attacks against the aviation industry, a malware that is specially designed to target avionics systems could be very challenging. Okay, here is the whole kill chain scenario. We assume that the first step is done via common attack methods like phishing. In the second step, the malware should be able to search the hard drive for the NDB files based on the specific NDB file format or file header. Then it's time for changing some data in the navigation database and bypassing the file integrity check. At the fourth step, the technician will copy the manipulated NDB file onto the floppy disk. Then he or she will update the FMC device with this NDB file. Finally, the pilot will start flying with this altered NDB and will face some risk scenario.

So, what are the risk scenarios? Frankly speaking, it is not very clear what will happen. But we know that the data from the FMS will be sent to many other avionics systems, and this could cause some mistakes and challenges for the flight. Also, we know that flying with a manipulated FMS is not safe at all, since many real-life incidents originated from FMS data input errors.

Okay, let's move on to our research on the data integrity check of Honeywell's flight management system. Honeywell is the biggest FMS manufacturer, and its products can be found on every modern aircraft. The OneNav tool is a desktop application which interprets the binary data format used by the Honeywell FMS, and by using this tool you can see inside the navigation database. OneNav has wide capability to decode the various formats of navigation database produced by Honeywell. With OneNav you can compare, export, archive, and plot the NavDB contents and create loadable media for the Honeywell FMS. So, after some research, we found that Honeywell is using a CRC algorithm for its file integrity check. If we consider OneNav as the sender, the FMC will be the receiver.
It is clear that both the sender and the receiver should use the same CRC generator. By reversing and debugging the OneNav software, we finally managed to detect the routine which is responsible for calculating the CRC. Because of security concerns, I'm not going to explain the details of this step.

Okay, let's see a demo of our work. This is OneNav, and I'm going to use the engineering mode of this software. So here I'm opening the database, and you can see the CRC is correct. Okay, the first airport: we can manipulate its data. For example, let's look at its data related to its location. I will just copy it into Notepad. Okay, we can manipulate this NDB file with a hex editor. First, we should search for it. Okay, so just a little bit is changed, and I save it as a new NDB file. If we check the CRC, we can see that it fails because the NDB file is manipulated, and this file will not load on the FMC device. Okay, so here is our program which fixes the CRC check. Okay, so if we check this new file, we can see that the CRC is okay. Back in the production version, we can check the location of the previous airport. Let's see what's happening here. Okay, if you look carefully, you can see that the location has changed. This is just an example of changing critical data; an attacker could change many other data. It was just for showing a demo that we used the location of airports.

Okay, so as I mentioned before, this is not only a weakness in a computer software. If we can bypass the CRC algorithm in OneNav, it must be possible to do it on a real FMC device. Okay, thanks to our flight engineer friends, we have a picture of loading our NDB file on a real FMC device. The final part of this research is the malware, which is able to target NDB files and flight management systems. This is the automation of the previous demo, but using the malware. Okay, you can see the same airport here. I'm running the malware. Okay.
The file has the same name, but I want to keep it in OneNav, so I'm going to rename it to show you what happened to this file in contrast to the previous one. Okay, so I'm going to open the same airports, and you can see our malware is working.

Okay, about one year ago, we reported the vulnerability to the Honeywell PSIRT, and after some months they told us that they had issued mitigation and warned the customers.

Okay, thank you guys for watching this presentation. In the end, I hope you find it useful, and please let me know if you have any questions or comments. Thank you again and have a good time.
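The CRC arithmetic the speaker walks through on the slides (append zero bits, divide by the generator with XOR, keep the remainder; the receiver divides message plus checksum and expects zero) and the reason it can be "bypassed" (anyone who knows the generator can recompute the checksum for edited data) can both be shown in a few lines. The following Python is an added example written for this transcript; it is not the speakers' tool, not OneNav, and not the Honeywell routine, and it knows nothing about the NDB file format. The generator used is the public CRC-16/XMODEM polynomial (an assumption, chosen because its check value is well known), the sample record is constructed, and the keyed HMAC at the end is added as the defender's contrast: the same "edit and recompute" step that defeats a CRC does not produce a valid tag without the key.

```python
"""
Added example: plain CRC by GF(2) long division (as on the talk's slides), the
receiver-side zero-remainder check, the recompute weakness, and a keyed HMAC
for contrast. All sample data is constructed for this example.
"""
import hashlib
import hmac


def gf2_mod(value: int, nbits: int, generator: int) -> int:
    """Modulo-2 polynomial division: walk from the top bit down and, wherever a
    1 bit sits under the generator's leading term, XOR the generator in.
    Returns the remainder (fewer bits than the generator's degree)."""
    width = generator.bit_length() - 1            # degree of the generator polynomial
    for bit in range(nbits - 1, width - 1, -1):
        if (value >> bit) & 1:
            value ^= generator << (bit - width)
    return value


def crc_remainder(message: bytes, generator: int) -> int:
    """Sender side: append `degree` zero bits to the message, divide, keep the
    remainder. This is the checksum appended to the message."""
    width = generator.bit_length() - 1
    return gf2_mod(int.from_bytes(message, "big") << width,
                   len(message) * 8 + width, generator)


def crc_remainder_bits(bits: str, generator: int) -> str:
    """Same thing on a bit string, for reproducing a small slide-style example."""
    width = generator.bit_length() - 1
    rem = gf2_mod(int(bits, 2) << width, len(bits) + width, generator)
    return format(rem, f"0{width}b")


def frame(message: bytes, generator: int) -> bytes:
    """Message followed by its CRC, as it would be stored or transmitted."""
    width = generator.bit_length() - 1
    assert width % 8 == 0, "this helper only handles byte-aligned CRC widths"
    return message + crc_remainder(message, generator).to_bytes(width // 8, "big")


def receiver_accepts(frame_bytes: bytes, generator: int) -> bool:
    """Receiver side: divide (message || checksum) by the same generator; an
    unaltered frame leaves a zero remainder."""
    return gf2_mod(int.from_bytes(frame_bytes, "big"),
                   len(frame_bytes) * 8, generator) == 0


# CRC-16/XMODEM generator x^16 + x^12 + x^5 + 1, written with its leading term.
GENERATOR = 0x11021

# Constructed record standing in for one navigation-database entry (not NDB format).
ORIGINAL = b"AIRPORT=EXAMPL;LAT=+35.0000;LON=+051.0000"
TAMPERED = b"AIRPORT=EXAMPL;LAT=+36.0000;LON=+051.0000"


def crc_only_scenario() -> tuple:
    """(genuine accepted, edited-with-stale-CRC accepted, edited-and-recomputed accepted)."""
    good = frame(ORIGINAL, GENERATOR)
    stale = TAMPERED + good[-2:]            # body edited, old checksum left in place
    recomputed = frame(TAMPERED, GENERATOR)  # body edited, checksum recomputed
    return (receiver_accepts(good, GENERATOR),
            receiver_accepts(stale, GENERATOR),
            receiver_accepts(recomputed, GENERATOR))


# Contrast: a keyed tag. The key below is a constructed placeholder for the example.
KEY = b"constructed-demo-key-not-a-real-secret"


def tag(message: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_keyed(frame_bytes: bytes, key: bytes = KEY) -> bool:
    body, t = frame_bytes[:-32], frame_bytes[-32:]
    return hmac.compare_digest(t, tag(body, key))


def keyed_scenario() -> tuple:
    """(genuine accepted, edited-and-recomputed-without-the-key accepted)."""
    good = ORIGINAL + tag(ORIGINAL)
    forged = TAMPERED + tag(TAMPERED, b"wrong-key-guess")  # recompute step without the key
    return verify_keyed(good), verify_keyed(forged)


if __name__ == "__main__":
    print("slide-style remainder:", crc_remainder_bits("11010011101100", 0b1011))
    print("CRC-16 of '123456789': 0x%04X" % crc_remainder(b"123456789", GENERATOR))
    print("CRC only  (good, stale, recomputed):", crc_only_scenario())
    print("keyed tag (good, forged):           ", keyed_scenario())
```

The middle result, `(True, False, True)`, is the whole talk in one line: the stale checksum is caught, but the recomputed one is accepted, because a CRC is an error-detection code keyed on nothing but a public generator. The keyed scenario returns `(True, False)`; a secret-keyed MAC or a signature over the database is what turns "integrity against corruption" into "integrity against an adversary", with the remaining problem being where that key or verification key lives on the device and the loading workstation.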