 Thank you so much for coming today. My name is Ken, this is my colleague Alex, and we're here to talk about aviation security. And the first thing I want to say is don't hack planes. It is illegal, it's dangerous, you'll go to jail. But what we want to show you today is some of the 101, some of the terminology you'll find up on planes, some of the systems you'll find, some of the security levels you'll find. There are huge levels of redundancy, isolation and security on planes. You can't hack planes. But there are lots of interesting technologies you're going to find on there. A little background to us. So Alex and I are both light aircraft pilots. Alex, I found out five minutes ago, he's actually a qualified aeronautical engineer. I didn't know that. But it's actually quite a useful set of skills to bring together. Sort of things that we've done in the past looking at embedded system security. So we're well known for our work in automotive, so car hacking, also in shipping and IoT. You've probably seen lots of our work out there in the press. Some of you might be familiar with John McAfee's cryptocurrency wallet, the BitFi, the unhackable one that we hacked. But hey, all very useful and relevant experience when you come to looking at embedded system security. We've even tested oil rigs and shown how from the public internet we could shift a rig off station. Crazy stuff, eh? Now, Alex is the clever one. I'm just the monkey who gets to hold probes in ports. That's him working. We've had some really interesting experience of late. One of the huge challenges for a security researcher is there are big barriers to entry, not least cost of components. We've got an avionics device out there on our table, a switch that's $75,000 to buy new. So there are huge barriers to entry. And there are also huge challenges with understanding, getting access to data sheets, and understanding how the technology works. Now, we've been very lucky. We found a friendly boneyard that we asked nicely. And they said, can we come and have a look at some of your end of life airframes? And they said, yeah. So usually when they fly in to be parted out, they're going to be sat there for two, three, four days to get the engines off, which have already been pre-sold. But the ground power systems are still working. But you're working on an end of life device that isn't going to fly anymore. So you can look at it. You can inspect it. You can play with it without fear for affecting people's safety. And that was been really, really interesting. We learned a huge amount about that. Now, words of caution, airliners, airplanes last a long time. If you find issuers with them, they're very difficult to fix. They have to go through testing, recertification, and that takes a long time. So vulnerability disclosure in this industry isn't 90 days. It takes a long time to get that code checked, recertified, deployed for safety reasons. So don't expect manufacturers to come back to you and go, hey, yeah, that's fine. Publish that. It doesn't work like that. You need to be safe. I fly. I travel a lot. And I want to feel safe when I'm flying. I don't want people messing around with planes. However, in the past, the security model was fundamentally physical with huge layers of redundancy. So for example, in the case of autopilots, if you want to do a CAT 3C auto land in zero vis, three autopilots need to be working and operating. If one does something odd, the other two disregard it and can land safely. There's huge areas of redundancy and failover. There are routes to disclose responsibly. You can work direct with manufacturers. You can work direct with regulators. There are routes to get vulnerabilities disclosed confidentially and safely. So please, if you find anything, do it responsibly. There is no value to publishing a story in the press that scares everyone off flying. That doesn't help anybody. Disclose responsibly. So how do we get started? Well, we've got access to end of life airframes in the boneyard. That one don't work so well anymore. There's more missing than present, I think. But we've had access to various airplanes, landed the day before, and got the chance to start looking at them. So my turn to hand over Alex is going to tell you what sort of things we looked at and what to find and what's there. Well, thanks, Ken. So I'm going to walk through kind of all the interfaces you might find on aircraft. Some of them might be familiar to you and others not. But broadly, the aircraft is split or the avionics are split into three domains. Passenger information and control. So control is the highest level of safety. So this is anything that is going to be safety of flight critical. So autopilot, engines, that kind of stuff. There's an information domain, so this is nice to have info. So weather, navigational routing updates, efficiency, connections to airline systems. So they might be able to help you if the aircraft is running late. They might be able to rebook you on to another flight actually from the aircraft itself. So they're not flight critical, but they're kind of nice to have. And then finally, there's the passenger domain. So that's where you have your in-flight entertainment, the screens on the seat back, in-flight wifi, that kind of stuff. So these are from the least trusted to the most trusted. And there should be no route from the least trusted to the most trusted domain. So there should be no way to get from the passenger domain up to the flight control domain, as you would expect. So I know this is going to sound a bit 101, but that was the title of the talk I came up with. But here's an airplane. There's a point of it in a hangar. When it's in a hangar, it actually has ground power connected to it and we'll touch on the challenges around power and testing later. But if it's in a hangar, it's going to be connected to a main supply. There are going to usually be two avionics base and access is through a hatch in the side of the aircraft. So this is how the physical control of security is implemented. These things are airside, all these avionics are behind locked doors and avionics base. Inside these avionics base, it looks something quite dank and horrible and it's really noisy. They have forced air conditioning so when the power is up and running, it's deafening. So if you're thinking of working in there, take air plugs please. It's really horrible to work in. So these are what are termed line replaceable units. So there is a rack and they lift out via a handle and they push into connections. The idea being that these are interchangeable units. So if there's a fault on one, they can be easily pulled out and swapped back in again. Hence, LRUs. So you can see at the back, lots of discrete cabling and this is the traditional way that aircraft have been built is that there are line replaceable units and they are cabled via their own cable routes up to the cockpit. So these cable routes have to be checked and certified so that things don't interfere with each other. If you want to install a new bit of kit, then everything has to be re-certified all over again so that there's no interference between neighbouring cable runs. So really starting at the basics. What do we have on aircraft? Well, we have radios. We have VHF and HF radios. VHF is used for speaking to air traffic control but also for navigational aids that we'll touch on later. If you want to travel further, then we have HF radios. VHF is line of sight only so although aircraft fly really high, you still have a fairly limited range. So if you're flying across a big ocean, then you're going to need a HF radio system. The VHF and HF radios also integrate with a system called ACARS and ACARS is a short text messaging service. And of course, ideally we would have afforded our own aircraft to come here today but it's quite a long way so the best we can do is to have a party flight on ACARS. But we have hundreds and hundreds of thousands of aircraft airborne every day. We can't have encrypted communications over radio. It's just not feasible to manage the cryptographic keys between aircraft themselves and the ground. So VHF and HF is all unencrypted. You can buy a $20 receiver and you can listen into your local airport, you can listen into stuff. People even broadcast it on the internet so you can sit there and listen to planes talking indecipherable gibberish with air traffic. So the air car system actually is really, really interesting in that you can actually push out routes to ACARS and do other things with it. Aside from just text message, those routes have to be approved by the pilot and accepted. So there is always a human in the loop there. Obviously these days aircraft will have some sort of satellite navigation system like GPS. The precision levels of GPS aren't quite there for full automatic landing so there are these overlay services. So there is a GPS ground station that is in a very known fixed position and that is compared with the GPS signal that is coming down and a differential between the known location and what GPS location says is applied. So you can have sort of atmospheric effects that distort the signal. So this is then broadcast over radio and satellite to give a much higher degree of precision, sub meter levels of precision. But we all know that GPS, although there are encrypted levels, the unencrypted system used on civil levels can be jammed. So I've got an example here, sorry at the back, but here's an example of a notice to airmen. I'm sorry it's a really gendered terminology, but notice to airmen that in the UK that the military are operating a jamming exercise in this area and it's really interesting that when you read the NOTAM actually for, you know, 100 miles around this area potentially GPS could be affected. So GPS spoofing and jamming is definitely an issue. The military and foreign governments have certainly been known to do it. There are, I would term legacy navigational systems on the aircraft as well so we're not just reliant on GPS as the sole navigational system, there are radio navigational aids. So some of these date from the 1930s. So for example, VOR and NDB and DME, these all date from the 1930s along with the instrument landing system, but ILS is in use daily. So ILS is used to guide the aircraft in to land and there has been work shown relatively recently on how spoofed ILS signals could cause an aircraft to land off-center. But I think it's really important to take that in context in that if you've got visual with the runway, then a pilot is going to notice that you're landing off-center. But obviously if it's zero visibility, then you may not actually be able to see the painting, paint on the runway to be able to realize that that's happening. So there is this interoperability between GPS, the overlay services and other radio navigational aids to kind of bring a holistic view and kind of mitigate some of these risks. So if we look on our aviation chart, we can actually see some of these legacy beacons listed. So the if I can zoom in, doesn't work, great. But the circle in the center labeled EGLL, that's London Heathrow. We're starting to replace these legacy navigational aids with just waypoints in a database. So rather than rely on fixed radio navigational beacons, we have waypoints, three-dimensional waypoints in the sky and we give them cute names. And air traffic controllers kind of get to name them and name these routes. And these are programmed in the flight management system. So there has to be a regular update of the flight management system, waypoint database to every time new ones are issued that these are set up. So air traffic control might tell you to route to Whiskey or to Bravo or to Star or Juliet or whatever and you would find that waypoint name in your database and the aircraft will then fly to it. It's a virtual thing. There is no physical beacon that shows you where that is. It's all based on the navigational systems in the aircraft itself. So in this you can see that sort of traditionally some of the upper airways and navigational routes have converged on these legacy beacons just because of how they are. But now they're starting to converge on these virtual waypoints instead. So this is kind of the way that we're moving because we want to maximize efficiency of airspace. So having and running physical beacons is expensive and difficult to maintain and less flexible. So we're moving now to these waypoints in databases instead. Aircraft have SACCOM on them. They're not only used for inflight and entertainment purposes but they're used for by people like Rolls-Royce. I think it's an apocryphal story but I think it might be true that Rolls-Royce lose money on every engine sale that they make. If you buy an engine from Rolls-Royce you buy it for less than it costs Rolls-Royce to make it. But they make all the money back over the lifetime on sales and maintenance and if you pay them a giant budget money they will monitor your engine in real time over things like SACCOM. So they can see and their network operation center in Derby in the UK if one of your engines is running out of performance they can even get a part to wait for that aircraft when you land at JFK for example they could have a part waiting for you so you can get it on and get that aircraft away really quickly. So it's not only engine data but it's for passenger Wi-Fi and also tracking as the MH370 that disappeared in Malaysia showed that Amos had this really great work on being able to look at pings and find out where the aircraft kind of potentially was although kind of sadly never been found. Now we've done an awful lot of work on SACCOM in Maritime and not all of it great. Yeah so this is some of the work we started looking at in shipping. Now shipping tends to be much less secure than aviation but we started to notice a lot of commonalities so for example this is a terminal that we were looking at on a particular vessel we've actually got one of these terminals sat over in the Maritime Village right now and we tend to find is in Maritime people don't really pay attention to keeping the software up to date and this particular terminal we found on a boat we found we could remotely compromise it and route all the way through the vessel networks into the OT systems and take control of the engine. So this is why it's so important to keep software and technology bang up to date and that's another interesting challenge for aviation is lots of different systems needing checked validation certification confidence they're secure which is all difficult to do when you're trying to keep up with security and security vulnerabilities. It's just another challenge to add the layer of complexity that you've got. Now I don't believe that these these sort of vulnerabilities are to be found in aircraft. I think aviation manufacturers are much more responsible they have much more vested interest in keeping it that way but we do find significant problems in SATCOMs in Maritime. So sorry to continue with the acronym BLAST I mean IT is notorious for acronyms but aviation is way way worse and you bring the two together and it's just horrific but I think it's maybe less than known that when you're on on Wi-Fi you kind of assuming that on your your plane that everything is going up in the sky via satellites when you're browsing Twitter or whatever but actually in most of Europe and US there is a termed a complementary ground component so when you're over land there are actually just LTE masks that operate on the 2 gigahertz band so it's just the same as your mobile phone except that the the antennas are pointed upwards rather than horizontally so next time you're kind of surfing the internet and you're flying over the continent of the US the chances are that your internet traffic is going out of the bottom of the airplane and back over the mobile phone network rather than SATCOM connection so there is Wi-Fi on on on aircraft not only for passenger access but also for gate link and gate link started as a sort of proprietary radio protocol and it was used for exchanging data about the past sector that the the aircraft has just flown back to the airline but also for receiving information about the next sector is going to fly so it's trying to cut down on the time it takes for the people of the gate to print out the load sheet get you your waypoints routing again it's just trying to maximize the efficiency of the aircraft by minimizing the amount of time that it's actually on the ground every time it's got weight on wheels then you know the aircraft isn't really making money so you want it flying kind of all the time so gate link has kind of morphed and there are now gate link boxes and aircraft that use Wi-Fi so gate link set up access points at participating airports and when the aircraft detects that it's landed so there's weight on wheels and there it will also will receive a feed from the GPS system so it knows which airport it's at and it will look in it in its box and it will work out which Wi-Fi SSIDs to connect to what the passphrase is what the security etc so when as the aircraft arrives at gate it will join that Wi-Fi network and it will then again exchange information back with the airlines receive data for the next segment and and again try and maximize efficiency but again it's I think it's showing that where there were proprietary protocols it's now moving to commodity ones and it's kind of lowering that that bar to malicious actors where gate link was something you might have to really decipher and spend thousands dollars trying to understand what Wi-Fi is stuff that we all know out here at DEFCON. There are other sources of data on aircraft so flight data acquisition units and quick access recorders so again airlines want to do sort of almost big data analytics on their fleet they want to know when in advance that there is a problem not not a safety critical one but an efficiency one if there's a problem with the engines where they're consuming a bit more fuel than they anticipate then they want to start trying to bring forward maintenance to address that fuel is the major cost in in airline operations so if it's something's consuming more fuel than you expected you kind of want to address that and traditionally the way of doing this was having a flight data acquisition unit in the aircraft that sucked in lots of parameters from all sorts of systems and we've got one out on our on our stand in the aviation village so you can come and have a look and the one that we've got uses a magneto optical drive yeah really but you've also see ones with PC cards but these require someone to climb into the avionics bay eject that disk and then ship it back to the airline so again to maximize efficiency they're starting to put in wireless ones so they're putting in Wi-Fi and they're putting in wireless 4g modems so that when the aircraft lands all this data is kind of instantly transmitted back so this is a wireless quick access recorder off the FCC website so again it's showing that the bar to access this information whereby you may be previously had to buy buy avionics are huge premium you can just go to the FCC website and this information is public so here you can see what wireless cars are in use there's a USB port on the other side so this is all kind of interesting information when you're trying to explore the interfaces to aircraft so radar is an interesting one there are primary radar so the big spinny thing you see our airports sends out pulses of radio waves and listens for the responses but radar primary radar is not great you get returns of things like thunderstorms flocks of birds insects I saw recently like a whole ants flying ants in the UK showed up on radar passing trucks will even give radar returns and all this adds clutter to traffic and it's difficult for them to work out what is noise versus real aircraft so we started putting transponders in aircraft so as soon as they were illuminated by primary radar source they send back over a different radio channel information about their height a serial number so that traffic control air traffic control can associate and see much better what aircraft are doing what height they are and assign them kind of a unique code so they can track them better now this is started to evolve a bit and there is a protocol called ADS B and ADS B is starting to become mandatory in the US from next year so if you fly a light aircraft you will have to have an ADS B transmitter fitted to your aircraft and ADS B interfaces with GPS to provide also rather than just a code but also your exact height and location information in that return and Renderman who was in the panel previously you probably heard has done some work on ADS B spoofing this is all an encrypted information so you can you can view ADS B transmissions from aircraft so you can see where they are I think maybe it's not a known thing that if you look on something like flight radar they do actually filter out certain ADS B channels from military police helicopters things like that but you can buy a five dollar TV dongle of eBay and you can listen to ADS B returns on your own and if you come to the village and people show you how to do that so you can see unfiltered ADS B responses and again I don't think regulators have quite cottoned on something that was a safety critical service now it's kind of security implications because it's an unencrypted broadcast protocol there is another service on commercial analysts called TCAS which is a traffic collision avoidance system TCAS operates on its own bands and aircraft communicate with themselves to try and keep them away from each other but TCAS can also take a feed-in from ADS B so only large commercial aircraft will have TCAS fitted but smaller light aircraft may also infringe into the airspace of commercial aircraft and therefore you kind of want to know where they might be coming from so TCAS can use ADS B transmissions to give you a deconfliction advice now on really really modern aircraft A350s A380s there is an option for TCAS to be coupled with the autopilot and if a pilot doesn't take evasive action then TCAS will drive the autopilot and move the aircraft for you so you can see the potential risk for spoofed ADS B transmissions to start moving aircraft around in the sky so where there's no real aircraft it could potentially cause it to climb or descend now I think it's really important to note that some of these systems are disengaged when aircraft are near the ground for example when they're in landing configuration and that there is a lot of separation in controlled airspace between other aircraft so the chances of this actually causing an incident I think is very very low but it could be enough to unsettle a pilot and so I think airlines needs to be quite careful when they couple collision avoidance systems with automatic systems in this way they need to be conscious that ADS B is unencrypted and broadcast people can see it and manipulate it and spoof it and therefore relying on this as a security system is maybe not the best idea so here's one of our flight data acquisition units not to be confused with the orange black box so it's a pet thing you know they're they're not black they're orange but the flight data recorders is black so if you want to come and see a flight data acquisition unit come over to the village and you can have a look at the crazy Magneto optical drive but these things store much more information than a copy of voice recorder or a flight data recorder they only store a few hundred parameters and for an hour a flight data acquisition unit stores pretty much everything thousand thousand parameters and for much longer 72 hours or more so maybe the bit that's kind of more interesting is in the passenger domain now what are you seeing when you sit there all this stuff is up to now has kind of been hidden away from you so a lot of the stuff flying you probably know is really tiny screens really crappy I FE that's really fuzzy and it's quite old but you know 20 year old stuff it is not uncommon to find on aircraft and it's still current and flying they're starting to move maybe towards Android tablets but again they're they're of an older vintage some of them have a USB on them not only for charging but so you can play your media through the screen there's an integration with a flight management system so that moving map you see with the aircraft moving there is a connection to the aircraft's navigational systems to do that now this is crossing domains from the flight control domain into the passenger domain but it's going from a high a highly trusted area to a less trusted area and there are data diodes in use so that this is a unidirectional connection only now I think there was has been some previous alarmist reporting on being able to control the aircraft through I FE systems and I find that highly highly unlikely that there are multiple layers you would have to jump through and aircraft networks are segregated and segmented and frankly I have seen way worse network segmentation when I go and break into corporate IT officers than I see on aircraft so I think you should as with everything in IT take some things with a bit of a pinch of salt so there is also the delightfully named FAP the flight attendant panel so when you come on to the aircraft there is a touch screen now that allows the flight crew to dim the light set the boarding music or that kind of stuff and if you look there's often USB on there USB is used for updating the music but also to tell the aircraft about new seating arrangements airlines like to move and resize business class and where I sit at the back in in cattle class so in order to kind of adjust air conditioning and stuff like that they need to update the seat layout and that's done via USB but USB inputs on these on the on the flight attendant panels are heavily filtered so that they don't accept any old inputs again there's Wi-Fi there is a passenger domain Wi-Fi and there is a crew domain Wi-Fi and the crew Wi-Fi gives them more access they don't have to pay for it for a start but it also gives them maybe dedicated access through to the airline system so they can rebook you and stuff through through iPads we've got some IFE seat boxes at the village so here's kind of yeah it looks pretty old and and it is but you still see them flying so it's it's it's an x86 space system it's actually got AT if you look on it it's got a sound blaster card in it it's like properly vintage and really really retro and yeah there are there are PLCC's on there there's all that kind of good stuff from from you know 20 years ago I'm up at the pointy end I mean I was lucky to grow up when you are still allowed to go to the cockpit when I was in flight and I'm not sure many people get the opportunity these days but if you haven't been up there that's what I like that looks like I think they're really really cool interesting places they have you know really really fancy screens but what of the screens do well there's again redundancy for everything we've got two humans in the cockpit captain and a first officer and we we duplicate even in fact triplicate the really really important stuff so on the left hand side the left and most screen is the primary flight display so that's showing you which way is sky in which way is earth how fast you're going how high you're going which way you're pointing the really really critical things for flying an aircraft the one next to it is showing a navigational display where the autopilot is planning to take the aircraft next and this is duplicated on the first officer side and in fact there's another primary flight display which is completely segregated from all these systems so if all else fails they can still fly the aircraft by hand so up on the top is the autopilot and navigational mode display so the autopilot has many many many modes so you can get it to climb at a certain rate hold a heading hold an altitude hold a speed configure for landing all that kind of stuff and all that has done from the glass shield above so both both pilots can see what mode the aircraft is set in the middle here and depending on which airframe manufacturer is the crew alerting system or alert management system and this is designed to kind of tell you when there are problems show you what state the avionics are in or the engines are doing stuff that isn't need to be right there in front of you but needs to be readily accessible and shows you when there is a problem that we don't want to give you unnecessary information but we want to be sure that you can see it and be alerted to it when there is actually a problem at the bottom here is all the radio settings so for voice and data and for hf and for navigation and for interfacing with a cars and we have our two MCD use or interfaces into the flight management system again we've got a really awesome vintage one on our stands if you want to come and have a look at one inside beautiful wire wrapping and the levels of redundancy again that go into the design of these and please come and have a look but these are designed to be kind of a multiple interface interface multiple systems on the aircraft so this is what drives your route how you update the navigation system all that kind of thing so on more modern aircraft we're starting to integrate what called electronic flight bags back in the day you would see the pilot come on with a big suitcase powerful of flight manuals and paper charts and plates and you know they would get repetitive strain injury from carrying these things through airports so initially this transition to just having an iPad or similar that the crew carried on to the aircraft with these things in electronic form and these were termed sort of class one devices they had power from the aircraft but but nothing else they would sit on there on the side with the glare shield and just be sort of an electronic replacement for the paper charts and manuals that they already carried but now we're starting to move on to more integrate systems class two and class three devices that actually integrate with aircraft systems they can connect via cable or through Wi-Fi and actually start transferring a route directly onto the flight management system itself so you can start to see that there is an enterprise IT management segment it's not just avionics anymore we're having to manage not only pilot iPads and backend systems for electronic flight bags but also for maintenance crews when they come on to the aircraft they want to do updates they want to retrieve data they have to plug in their laptop somehow and again there's an enterprise IT management issue in in how those laptops are maintained made malware free so it's not just black boxes in an aircraft anymore these are now you know connected systems but how are these things all kind of connected together well back in the 1970s we came up with our in 429 and because is the 1970s cryptography wasn't a thing back then or at least you know to Joe public so there is no encryption and there is no authentication on our in 429 but that's okay because it's a point-to-point protocol it's used to connect line replaceable units in the aircraft together there is no bus you can see you can't connect to our in 429 from from the passenger domain so so again the physical access controls kick in so it's a single source to single sync protocol it uses a differential voltage type setup so it's looking for sort of plus 10 and minus 10 volts in order to eliminate interference issues you can readily obtain our in 429 decoders either sort of USB ones people have written raspberry pines faces if you've got a pico scope there's a 429 decoder now you can see 429 in aircraft cockpits but on a very limited way and these are used for interfacing with the flight management system and other bits and bits and pieces and although data load is a separate protocol itself but if you did have access to 429 then yeah you can intercepts you can replay messages there's none of none of no replay comparison there's no encryption but but it is a point-to-point protocol and the chances of you being able to find out on an aircraft are low so it does have a really strange message structure I probably don't want to go into it but there was an attempt to fix this issue of all this proliferation of cabling so when Boeing designed the 777 they came up with a protocol called 629 so this is a bus and there are inductive couplers and again you can take a look at one in the village and inductive couplers connect to a pair of wires there is an A bus and a B bus and this is a multi-source multi-sync true bus protocol but again these wires run through bits of the aircraft that you're never going to get to see they don't run through the passenger domain so the physical access control is sufficient mitigation to deal with the fact that you can just clip on to one of these cables now decoding 69 is really tough in fact there's kind of pretty much only one manufacturer that we found so shout out to them who've lent us kit in the past so if you want to decode it with max technologies and you want to buy one that's $30,000 if you want to buy this piece of kit and a good one so 69 is only found on on the 777 but as we now go to modern aircraft so a 350 a 380 787 737 max family for example we've gone we've gone to ethernet so this is starting to sound quite familiar to the people here at Defconn so it's got a posh name AFDX or Arring 664 but under the hood it is kind of ethernet and in fact if you go to avionics test beds they use commodity ethernet switches to save money now we don't use quality ethernet switches on aircraft they're gonna be optical they are highly resilient we use them in multiple redundant pairs they're segmented and they use what are called virtual links rather than IP addressing but it is still common to find ICMP UDP SNMP floating around on these networks so it's all stuff that's that's really familiar to us so again you're starting to see maybe the bar of bar of access starting to decrease rather than these kind of esoteric protocols can also appears on aircraft on the A380 the overhead panel with all the buttons and environmental sensors and temperature and environmental controls is all run on can so again differential voltage protocol to minimize interference and shout out to people in the village who have talked about can but in general aviation in the last couple of weeks in this case it was a fuel sender but again can yes is an unencrypted unauthenticized protocol but you have to have the skill access to manipulate this and we put aircraft airside we put things behind lock cockpit doors so there are mitigations again if it was a general aircraft it's going to be in a hangar you're going to lock the door hopefully if someone has physical access to your plane they're probably going to rob it more than mess with the fuel senders on it now power on aircraft is really weird so it's 115 volt AC 400 hertz or 28 volt DC in some places so if you're working on an aircraft you're going to have to take your own power there's no way for you to plug your laptop in if you want to hoover vacuum an aircraft then you're going to have to buy a very special 400 dollar vacuum cleaner to do that this is what you know when they clean the aircraft this is what they bring on to do it so you're going to have to consider this when you're working in an aircraft environment and it is tricky so we bought some avionics and I use with us they're they're all of a certain vintage but they are still flying today even though they're 20 years old but that that hardware reverse engineering strategy is pretty similar to everything else is that you take boards apart you look for data sheets you look for them part numbers start tracing tracks everything that's like really familiar to us and what's kind of really irritating is it's dipped in a conformal coating so if you want to start tracing and buzzing out it's really irritating to do but you know they're designed to be living in a hostile environment so you would expect that there are PLCC's on there so you can try and drop the firmware out of it a lot of them have readout protection on them but some of them maybe don't but all of the tools that you're familiar with Sega's Salas you are all that kind of stuff is completely applicable so if you've done any hardware RE then you can start looking at these from a black box perspective as Ken has said you know if you're starting to find stuff then you need to be reporting that through the appropriate channels but these things are designed for redundancy you see PLCC's a lot they are designed just in ICS and SCADA they are designed to be used in a highly resilient and fail safe and safety critical way but things are kind of starting to change so we're now starting to see common compute systems common compute resources so rather than having discrete line replaceable units and black boxes in avionics base there are line cards and commodity processes that run software so VX works is quite common to see and there are firmware updates for this so you can go to a vendor website and you can download and modify the behavior of the aircraft in limited ways so on those nice flat screens in the aircraft you might want to have different checklist items for start up and take off for example and airlines can customize that to a certain degree using a line provided tools that are then uploaded and these are actually cryptographically signed so again you can see there is significant mitigation it's not like someone hacking a text file these are quite controlled devices but because it's you know VX works there's hypervisors there's Linux kernels again you can see that the bar of access is starting to drop down so as my voice is starting to give out we've kind of come to the end and what I want to say is that yes stuff back in the day was predicated on the physical access model but we've always had humans in the loop you know if the aircraft starts behaving a bit weirdly the autopilot can be disengaged the human could start flying it and that and I think is fine and I think people need to keep that perspective but yes in the drive for efficiency airlines and manufacturers are starting to put on Wi-Fi 4g satcom and these carry a security risk and they have done due diligence but there is room to meet in the middle and that's why we're running the aviation village here is to is to bring together the minds of people who've worked on automotive and hardware security and to bring that unpredictability of of that threat and together with aviation so that everything is safer we all want to carry on flying and 20 years ago maybe the threat model was who would want her aircraft and now I think that has definitely changed and that is a good good place to be but there are many many mitigations as we've talked about there's built-in redundancy there's lots of systems you can't just go hack a plane so forgive for the slightly click-baity title but hopefully that's a quick run-through of all of the acronyms and things you might find on aircraft and hopefully when you're flying you're going to feel a bit safer so thank you if there's any questions we've got a few minutes to take them but otherwise we're going to be at the aviation village do come and find us thank you