Welcome, DEF CON travelers. You found Ticketing to Takeoff: An Airport Hacking Choose Your Own Adventure, brought to you by the Aerospace Village at DEF CON. I'm Liz Wharton, Chief of Staff at Scythe, but today I will merely be your narrator, your guide, helping you through the decisions that have already been made because you've made and created and voted on this adventure.
When we talk about airports and airport cybersecurity, and particularly when we talk about the aviation industry, cybersecurity in general, what we're forgetting is how far airlines and airports have come, that as we've become more digitized, as everything is connected, as air travel has grown, so has the threat landscape. And so has, well, the attack vulnerabilities and the pieces that make up this adventure. Decisions that you've made from the time you leave your home to transportation to the airport, departures, decisions made during flight, arrival, transit to your destination, all provide, well, additional players and pieces, but additional threats and opportunities for bad actors. As the GAO noted in a recent report, airlines and their IT infrastructure and their systems also provide opportunities for potential IT outage effects from planning the trip, reservations, frequent flyer systems, to check-in, to boarding, to at the airport with the airline's mobile app, the airport kiosk, the check-in, the boarding, the baggage, the planes, the flight planning, the dispatch, all of these come together and have potential outage effects on, in some cases, systems that were not built nor designed for the amount of impact that they have.
But when we look at the playing field for our adventure today, the attack surface, it's not bounded like you find in Moes. In fact, it's quite expansive. As you'll be traveling through our fictitious airports, you'll notice that, well, not everything is in the same place, not every airport is designed differently.
So to create and craft policies, procedures, all the different pieces that will go into what I hope you gain from today's conversation and, well, future conversations is that airports and securing airports, be it the physical, the systems, the software, all of the pieces that come into play airports is not easy. In fact, we may not even get through or scratch the surface of all the different parts. Because, well, who knows? Between cyber squirrels and different choices that are made, you may not even get past, well, ticketing.
Because within the airport attack surface, you also have a lot of players. You have, from air traffic control to the mini cities that airports truly are to security, to your gate, it's a minefield. Protected and controlled by airlines themselves, each of the airlines plays a part in this. The airport authorities, be it the local governments or other authorities to the different, well, local law enforcement, to the FAA, DHS, security, concessions, vendors, the electricity, all the different telecommunication services that flow into each airport, well, those are a different provider. For example, at the Atlanta Airport, power is provided by Georgia Power under different agreements that have been put into place. So whether those provide opportunities for protection or vulnerabilities is open.
Also, you have to look at the third party providers, the multi-use software and systems. For example, Garmin recently provided a great example of, well, when we think of Garmin, what do we really think of? Do we think of the watch, the directions, are tracking our steps, et cetera? Do we really think of the fact that Garmin provides aviation services from flight planning to mapping and that when a ransomware attack hits Garmin, then it's also impacting the avionics, the airports? In a shameless plug for a breakdown of the recent Garmin ransomware attack and attack factors, check out Scythe Threat Thursday in the notes.
And when we're talking and weaving our narrative story today also have to look at what is the intent that when we have incidents such as glitches, and well, agent cyber squirrel hitting airports, the intent and the result matter, but sometimes don't. Are is chaos, criminal, carnage, or really is it just an oopsie that results in chaos, criminal activities or carnage? And further, what are the incident impacts that a power outage at Delta's Operations Center in August of 2016, $150 million and two days worth of cancellations, that a software glitch with one vendor provided worldwide check-in and booking issues? That a data breach results in fines at one airport, that a Southwest computer outage led to $177 million of damages and three days of outages and flight disruptions. All of these potentially could have been worse and all of them, well, potential threats.
So from ticketing to takeoff, it's gonna be quite an adventure, shall we begin? And beware and warning because this talk is different from other talks, other technical talks and other talks in the Aerospace Village. For in this talk, you and you alone, assuming you voted in the Twitter polls, are in charge of what happens. The mission was to see if you and your data can make it safely to your flight from ticketing to takeoff. You have to dodge the delays and the data breaches. And so shall we begin?
It's time to pack your things and head to the airport. And our first decision point, do you decide to pack it all? Check a bag. I mean, you're going to Vegas for a week for DEF CON and all of the other villages. Or do you bring a carry-on, put everything in a bucket and see what happens? Well, you chose a carry-on, wise move because airline baggage check-in and tracking has the potential for delays, not to mention data breaches. So now that you've got your backpack on and you're about to head out, it's a digital and app world. Who even has a printer at home these days?
So when it comes to your boarding pass and your ticket, do you print it at home? Do you use the airline's app boarding pass? Or like me, I do a combination. I also take a screenshot of my boarding pass should something go wrong. Well, almost evenly split, but did you choose wisely? You chose to print your boarding pass at home. Well, well done, because ticketing frequently leads to, well, delays and data breaches.
So now that you have your bags packed, your tickets in hand, and you're heading into the airport, you know that sometimes there are long lines at ticketing and check-in. And what if you wanna switch your seat before you actually board the flight depending on what you see around you? So DEF CON safe mode, secure aerospace travelers, what do you decide to do? Overwhelming majority, you chose to check in online with the 24-hour advanced window, avoiding the kiosks, and well, the airline app, because you know the check-ins are, well, the threat there are delays. So much so that when a third-party provider covers, well, most of the airlines, you see a 30-minute outage of their software can lead to three airlines going down. A couple days later, a different airport service provider covered five airlines in 40 minutes. Saver was added again on April 29th, just less than a month later, 90 minutes, three airlines.
So you've checked in online, you've shown up at the airport and you're a seasoned road warrior, even if it seems like forever since, well, our last flight. Cutting it close to departure time and it's a big airport, flying on a weekday morning, bold move. Are you feeling lucky? So for decision, the fourth decision point, DEF CON safe mode, secure aerospace travelers, what did you decide to do? TSA PreCheck, CLEAR or regular TSA security lines. Most of us seemed, most of you seem to be, well, hesitant with the facial recognition that comes with CLEAR, but you're okay with providing some data and information because you're TSA PreCheck.
Well, what seems like a safe mood, move could lead to delays and a data breach. Well, here's what happens. Is it security theater where you have moving parts and multiple players? Because when you have nationwide US customs computer outages causing gigantic lines at airports, you had JFK, LAX, SFO, Philadelphia, O'Hare, Midway, Sea-Tac and other airports all confirming delays, our airport is probably hit by those. So not only do you have a delay with PreCheck, but one of the recent trends has been for one provider to provide some of the software and systems support for TSA. In this case, facial recognition software provider and systems writer NEC. Well, pretty much covers European airports and mostly airports across the US. And while they take a long time to admit it, they've had a breach. The facial recognition data collected by US airlines and US citizens is stored for 12 hours, for between 12 hours and two weeks and seven to five years for non-US citizens. And that data is stored in several government databases which border officials can pull up when you're arriving or leaving the US, including at airports. And well, NEC is not very good at confirming their security breaches or giving a lot of detail. So in this case, you didn't avoid the delays and you didn't avoid the data breach, but you made it through security because when you have these data breaches, well, quite frankly, what are you gonna do?
Well, worrying about that check-in and those security lines can be a headache. And of course you forgot to pack your headphones. It's a long flight ahead of us to Vegas. So DEF CON safe mode, secure aerospace travelers do you? Well, stop what you're doing because you've got to have your headphones, noise-canceling headphones and knowing your luck so far, there's probably going to be a screaming child or disruptive, I don't know, people. So do you stop and buy them now? Or maybe we'll wait a little bit.
If there's a place to buy some closer to the gate, sure, we'll go with that. Or quite frankly, you're feeling lucky. You're gonna go for a roll of the dice and well, who cares? Well, a slight, slight, slight majority went with who cares? You'll figure something out and you'll find a way to entertain yourself without your headphones, which when it comes to airport vendors and the threats of data breaches, probably wasn't a bad idea.
So now you've made it to decision point number six. Your departure gate is farther from the main terminal than you originally thought. It's time to move and get in those steps but quite frankly, who wants to carry our bags that far? I mean, keeping in mind, we've got a carry-on and a backpack and while we've got our traveling shoes on, we haven't been exercising quite as much during COVID. So DEF CON safe mode, secure aerospace travelers, what do you wanna do? Do you wanna take the people mover, take the airport train or one two step, let's walk there. And you chose to walk there, which while we're gonna get in the steps and we're gonna walk this way, we had a double whammy, both delays as well as the dreaded agent cyber squirrel. Well, in this case, just an agent squirrel because LAX on Thanksgiving Day, 2015 had cyber squirrel reports, a squirrel plus a transformer, which in this case, while the power outages weren't severe in the surrounding area, at the airport, you had the moving walkways, the elevators, the escalators, the screening equipment, the baggage screening equipment that just stopped. So while none of the outages completely shut down the airport, well, for those of us trying to get our bags from security checkpoint to terminal, it's gonna be a little bit of a long hike. All those speedy ways to get there are no longer at our advantage thanks to Captain Chaos cyber squirrel.
But we finally made it to the gate area and well, decision point number seven. In this case, you know, beer pairs well with breakfast, right?
We have had to deal with all kinds of different challenges and well, there are no seats at the bar. The restaurant doesn't look too crowded and well, a table it is if that's what we want to do. So DEF CON safe mode, secure aerospace travelers, what do we want to do? Do we, okay, take time, stop for one and one only? Because well, again, beer pairs well with breakfast or do we decide to wait a little bit? Because quite frankly, we're in first class. Did I mention we only travel first class and first class has beer even in the morning and it looks like the majority of us, well, chose beer first class, not gonna stop, which is not a bad thing because one of the other hidden hazards are the point of sale systems and the threats in restaurants are data breaches. Not only that, there's also a potential for delays. You don't know what systems the airport or restaurants at airports are running off of. Are they bringing in their own wifi network or are they piggybacking off of an airport facilities or nearby vendors or others? Are they piggybacking off of, well, free airport wifi? That's not secure.
But there's no rest for the wicked and as we reach decision point eight, well, not only is there no rest for the wicked, there's no rest for travelers with laptops and deadlines because we don't get to fly first class and we're not heading to DEF CON unless we're big shots and we need to review a draft file and respond ASAP. So we pulled our laptop and DEF CON safe mode, secure aerospace travelers, what do we do next? Do we tether to our cell phone to connect for wifi? Do we use the airport's free wifi? Or do we carry a cell tower in our backpack? Because you know, wifi pineapple and wifi cactus, they could have made it through airport security. So let's see.
And while we do miss the sights of pineapple, wifi, and cell towers in our backpack, the good thing is, is our data coverage on our cell phone will allow us to tether to it, which tether not to free wifi because the threats there are data breaches.
So as we've sat, we've reviewed our documents and we're looking around, we've reached decision point number nine because storm clouds are gathering on the horizon. And we think, hmm, there may be potential flight delays, locusts, storms, it's not winter, but still, stranger things have happened. And what happens if we miss our connection? Luckily the airline we're flying on has an app. We can see over in the distance that there's a counter, there's a little bit of a line at the counter, but not enough to deter us. So what are we gonna do? One, are we going to face down the storm? Because as DEF CON Safe Mode Airspace Travelers, let's admit it, we are the storm. Do we use the airline's app and switch to a later flight? Or do we go up to the counter and talk to the person from the airline and attempt to rebook? In a slight, slight majority, we decide to go up to the counter and rebook, which turns out to be probably a pretty good idea because airline ticketing systems and those apps both have delays because if the app is out or hasn't been developed, you have problems with data breaches. For example, EasyJet had nine million travel records taken in a data breach. And the British Airways was fined a record $230 million after data breach exposed the booking details of over half a million customers. Hackers had siphoned off thousands of credit card numbers after installing skimming malware on its website. So it's a good thing we didn't go to the website or use the app because that would have been bad. Instead, we just talked to a live person which is daunting enough, but at least we're still on track for our flight. Yet, because check-in counters do have software glitches as well.
And well, unfortunately, as highlighted, the Greater Toronto Airports Authority, they had an outage with their airline check-in system that impacted processes at both terminal one, three, and had IBM technicians working with the technology authority to solve the problem. So the fears aren't always just the airlines. You also have to look at, well, what happens with the airline authorities? And are they providing assistance? Can they have those handles? What happens when their systems go down? In Toronto's case, if you had checked in online ahead of time, which we did, you would have been fine. But then what happens when you're trying to rebook? And if you're having checked baggage and having to move through the airport, it caused additional delays. So unfortunately in our journey, we've had the potential, we've avoided most of these data breach issues, but we've been delayed. Not enough to miss our flight, but we've been delayed slightly, which leads us to, we finally get to our gate.
We show up and it's decision number 10. Surprise, it's a gate change. And it's a crowded and noisy terminal. And let's be honest, who can ever truly hear what the airline attendants are saying and when they're announcing where you're supposed to go? Because we didn't catch it. The PA system was terrible. Now, where did they move our flight? What gate? Is it even on the same terminal anymore? We need to find out. So DEF CON, Safe Mode, Secure Airspace Travelers, what do we do? Do we check the nearby display screens? Do we go to the airline app, cross our fingers and hope that it's updated? Or do we ask a stranger nearby? We've already spoken to one person. We spoke at the counter. That's a lot of peopleing for one day. So an overwhelming majority didn't trust the app. Instead, we chose to check the display screens. Well, gate display screens are one of the big areas for delays. What do we mean? You knew it was gonna pop its head somewhere in the story. Well, ransomware.
It's not just about taking down data. It takes down the systems as well. And in this case, the Bristol Airport got to find out exactly what that means when in 2018, ransomware took out their signage with their gate information. Staff were left with having to hold up whiteboards, directing people for where their flights are going. So in real time, we're having to take that information, write it out, and what happens when they start running out of whiteboard space? Well, they found out. It caused delays. So again, not a data breach because our data information isn't on those screens, but instead it did cause a delay.
Cutting it awfully close to departure time, aren't we? Well, it's about time for boarding. And we think we found where the right gate is. But at decision 11, what happens when the direction that we get? I mean, we can either go right or left and we're savvy travelers. And while our frustrations are mounting, we're not gonna panic. Now instead, DEF CON Safe Mode, secure aerospace travelers, what do we decide to do? We can risk it, go left, it's wrong, we'll go right. Well, turns out that airport has its own app that of course, while we're bored, we downloaded it. And we can talk about whether to download stuff to our cell phone without properly vetting, but it also has a navigation feature. We wanna choose that. And again, we think about the issues with Garmin and all the other, well, where's our app data being sent? Where's our location data being sent? So maybe we're not gonna go there. And while we know some of the signage in the airport is out, surely not all of the signage is out. I mean, we can check the digital directory signs because, you know, they're running on a different system, aren't they? Spoiler alert, most of the time, no. And the other thing is there's hidden dangers with the directory signs as well because let's think back to, oh, I don't know, some of the botnets, like the Mirai Botnet that liked to target IoT devices.
Those LG screens you see all around the airport, what are those? But waiting, danger, waiting to happen. In this case, we're gonna risk it, we're not gonna panic, we're gonna check those digital directory signs because surely, surely they're not all out again. Well, get ready for delays again because ransomware has hit multiple airports again, impacting the digital signage around the airport, displaying, again, only back black screens. Cleveland Hopkins International had this happen in April, 2019, you know, back when people flew still and took out their computing systems as well. So like that, you had to worry about whether their email, their internal app, their internal direction, if they're able to get some of the information out. So once again, wasn't our data that we were worried about as much here but our ability to catch our flight, we're getting really delayed here which leads us to, okay, we finally found the right direction.
We're heading there, we're almost there, we skipped that beer because there was gonna be some of that on first class. So we're walking by the newsstand and we spot the bestseller Burn-In book and we've been meaning to read it. I mean, August Cole and Peter Singer did a great job, we heard in bringing and predicting all of these IoT connected smart city and one of my favorite, drone issues. And well, we heard that lawyers get the short end of the stick and who doesn't like to see bad things happen to lawyers. So DEF CON safe mode, secure aerospace travelers, what are we gonna do? Are we gonna stop, get a book and oh wait, look, there's a sign. A checkout says if you pay via this payment app, you'll get a free coffee. So when we didn't have a beer, who doesn't want a free coffee? So do we decide to go for the coffee or buy the book, skip the coffee? We don't need another frequent shopper card, we don't need another stamp. Then again, it's on our business credit card, so who cares, I would never do that, we'd never pick that one.
But the purposes of our narration are game. Who cares, it's the company's card, the data gets stolen, not our problem. Well, luckily, you chose to buy the book and skip the coffee, solid choice and excellent read, especially considering, well, you didn't pick up the headphones because again, the payment systems and the shops are notorious for data breaches as well as well best practices and with those third party payments, apps and different things, even within the airports, you've had currency exchanges go down to different attacks.
So okay, we finally made it to the gate and well, we've made it to decision lucky 13. We've grabbed a seat in the boarding area and we noticed that our cell phone battery is really low. I mean, we tethered it so that we could send and review those documents and those files. And well, how are we gonna tweet and text from the flight? So, savvy DEF CON, Safe Mode, aerospace travelers, what are we going to do? Use the extra charger you're carrying in your backpack because while you're not carrying a cell phone tower, well, you do know to pack an extra charger. Do we wait, risk it? Because we are first class and as we know from flying first class frequently, there's chargers or there's outlets and there's our free beer or do we go and find an outlet and outlet because quite frankly, you never know. And again, tweeting, how else are we gonna show people that we're sitting in first class if we can't tweet a picture of us sitting in first class holding our free beer? Well, charging devices. Well, in this case, we're gonna fall victim to agent cyber squirrel because agent cyber squirrel, Captain Chaos likes to cause brief power outages. And again, in this case, it was the Biaf Buffalo Niagara Falls or Niagara International Airport caused a brief power outage. It affected gates, well, a select number of gates. It only caused one flight to be delayed for a few minutes but in this case, luckily we had our charger with us.
So while agent squirrel caused power outages at our gate, again, he didn't cause us to have any issues because our backup charger was fully charged.
Well, decision time. It's finally, the gate agent is calling our flight and don't forget, we're first class because that's how we roll. And with first class, we're the first ones to board. But we notice, oh, lovely. The airline is testing facial recognition for the boarding process and you notice the line is piling up. So what are we gonna do? We've made it this far. We have really cut it close and quite frankly, we're tired. So weary, DEF CON safe mode, secure aerospace travelers. What do you decide to do? Do you opt out? Because you've heard all those stories about facial recognition and you know that a lot of those algorithms are wrong and that's not to get into, well, quite frankly, it's just an affront. You're not looking picture perfect right now. Might as well. If it's gonna keep the boarding process moving and if it's gonna be convenient, sure. But we did get that new AI, facial recognition, defeating tattoo and makeup. And while it was funny going through security, we're so close to boarding our flight. In this case, you decided to stand up on principle and no, we're gonna opt out and use the paper boarding pass.
Well, not only does facial recognition at the gates and also throughout the airports, but ticketing cause data breaches and what happens? Are you gonna get a new nose job because your information, your biometrics are out there? It also causes delays. So you can opt out, but that's opting into wait and wait and wait. Because as we've learned through several different approaches that yeah, you can opt out. And Zack Whittaker has a whole article from May 2019 that walks you through it, but know that opting out means they're going to go manual so that the airline staff will manually check your passport or boarding pass like they would normally do when you're boarding a plane.
That also means you've got to sit to the side and everyone else who's going through the facial recognition is probably gonna bump up ahead of you. So what's the point of having our first class perks if we're gonna have to sit to the side? Well, that's assuming the facial recognition technology and equipment is even working. Because according to one of the watchdog groups, the facial recognition systems at airports only worked 85% in some cases. And quite frankly, we've got that new face tattoo. And while all those delays and delays and delays, we're waiting and waiting and waiting, well, and that's okay. Because quite frankly, we still made it onto our flight with our data breached through several different choices as well as our delays.
But when the weather clears and our flights cleared from ticketing to takeoff, we've made it. And really through this hacking adventure, we've learned several different things. We've watched how the airports, the airlines and well, vendors and different service providers all play together. And some of the pressure points for where cybersecurity has a lot of policy has a lot of room for development. But one of the other things to keep in mind is with each of the choices, there was a lot that we haven't uncovered or that we didn't get to discuss much like the choose your own adventures. You chose, well, wisely, but you also chose poorly. You didn't die of dysteria. You didn't die, or excuse me, you didn't die of dysentery. You didn't die from agent cyber squirrel, but it's opened the doors and discussions to see how you would do the next time you go through, whether you would make the same choices because from ticketing to takeoff, airports truly are a hacking choose your own adventure.
It's been fun to be your tour guide and I encourage you to check out the rest of the Aerospace Village and all that DEF CON has to offer as we go into safe mode and go digital. Find me at Lawyer Liz and also follow Scythe at Scythe underscore IO.
Thanks for flying with us.