Hello, and good morning. I am Nicholas Childs, and I want to give you this talk today about basic 101 bus systems. So don't fear the bus; we'll run you over.

So, legalese: I will let you know, don't be evil. I'm not encouraging bad things. It's for educational purposes only.

You're going to see a patch coming up on the next screen, and the story of the patch: in 2018 we deployed, and that was when we bombed Syria, the 2018 bombing. Me and a bunch of other airmen, as part of the offensive avionics systems (which is what we are, comm/nav wizards), created that patch. So this talk is not sanctioned or sponsored, but it is approved by the United States Air Force. Are there any pilots in the house? Yep. Yep, we'll screw you, screw all of you. All right. You made my life a living hell for the last 20 years; I'm taking this exact moment to tell you. Follow it with me, okay: input validation is not a thing. It will come up.

So who am I? I'm Nicholas Childs. I'm a security manager, OAS B-1 systems controller, operator, bus driver, customs inspector, commercial aircraft servicing technician, and a retiree and an intern. I will put this talk on my GitHub as soon as I get done with it, just a PDF version, and you can contact me on Twitter or my email. I'm perfectly happy to speak with any of you about aircraft avionics systems, as long as I don't get in trouble for talking about it, you know.

So also a little bit more information about me. I am currently an intern with Full Circle Communications LLC. I have 20 years' experience in communication and navigation systems. I have an aeronautical engineering degree. Yeah, that's right, I got my associate's. I have mechanical repair and servicing experience with 737s, old L-1011s, DC-10s, and 747s. I'm proficient with multiple airframe avionics systems: C-17s, C-5s, C-141s (yes, I'm that old), KC-135s and B-1s. It's our piece of crap. I have five years' experience as an Active Directory administrator on the DoD network, and I have multiple cybersecurity certifications; I'm telling you, a freaking lot. They're all expired. And I have an FCC radiotelephone operator license with a radar endorsement. That's my wizard degree, and yeah, that's it.

So my original why: I put this talk together because things are broken. Avionics bus systems were designed for use, not for security, like most legacy systems, ICS. The addition of new technologies has introduced vulnerabilities. I need your help or we're all going to die. But I did calm down a little bit once I saw some projects come out and people actually going more into the systems that I've been talking about in the first place. So I have a new why: avionics bus systems and integrated flight management systems now seem to be things of magic. So let's demystify and educate. I promise we can easily learn things that high-school-educated airmen know. Not as painful as you think. Additionally, input validation is not a thing.

So I'd say: viewers like you, because without y'all's support I could not have put this together. There have been a lot of things that people have exposed over the last few years and I'm absolutely loving it, seeing things that I've been worried about while being in the military and seeing them come to fruition, especially publicly, because that means they can be repaired. So if any of y'all have questions or whatever, you can contact me, as I said at the beginning of the slides. Please do; I would love to have a conversation with you, because I might be having questions for you about a lot of this stuff, especially when you go into the weeds with the vulnerabilities.

So we're going to go over the history of aircraft networking systems, communications along those bus systems, a few networks you should know about, attack vectors, and upgrades. Not good with this type of stuff, so we'll go over the original things.
This is the history of aircraft network systems. So you have distributed analog; that's your old-school straight wire-to-wire. Distributed digital: they actually had a different communication network along those wires. They were able to cut the wires down from being point-to-point and then send the signal along it. Federated digital: that's what I was used to working in when I first joined the military, 1553 and stuff. And then the integrated modular, which was introduced in the 1990s. So the federated digital and integrated modular are still popular today, and you'll find them on a lot of systems still in the air.

So the original distributed analog had dedicated wiring, dedicated power supplies, sensor excitation. So basically whatever the sensor is receiving is sent directly to the indicator. There's no in-between. There's no communication. It's just plus or minus voltages, you're good to go. You'll see that a lot with the ILS systems. They upgraded this from there, but that's just the way it is: dedicated LRU subsystems, dedicated displays and controls, some standard interfaces, but very few.

You go on to the distributed digital, and as I said, this decreased the wires, but it just didn't change a whole lot, because you did not have a network; you just had individual items. Communication between major units via serial data buses. You had dedicated wiring, digital processing used for control functions, software programmable off-aircraft, and you could actually upgrade the software on the LRUs. Dedicated LRU subsystems, increased use of standard interfaces, increased accuracy and performance over the old analog system.

So with the network, interchangeable with the federated digital, this is your network buses. This is where things started. It has hot-swappable LRUs: you have full power on, you can actually swap LRUs around. Future-proof; when I say future-proof, that just means that you can stack the newer systems on top of it. Software programmable on the aircraft instead of removing the item itself: you could actually plug into the network itself and update the item, the LRU, depending on what it is. Increased accuracy and performance. Performance increase: crosstalk between devices. So there's a lot of crosstalk outside of the bus, but with this bus it made it a lot simpler for other systems to pick up on the information. One example is your air data computer, which we'll go over.

And then the integrated modular architecture: use of COTS, commercial off-the-shelf systems, and adapted IT bus technology. Use of standard modules, aircraft-wide installed cabinets and racks, normal network commercial off-the-shelf stuff pertaining to aircraft systems. The domains, aircraft system domains: functionality imparted by partitioned software operating on common processors, reprogrammable on aircraft. So you'll have a radio set, a navigation computer; they'll have the same processor in, so that allows a boilerplate when it comes to doing software updates and things like that, which is great for software engineers, but we all know the vulnerabilities that you have with standardization.

So I wanted to give an example of a federated digital network, just so y'all can see it all put together. I created three layers on here that should make things a little bit simpler. We have a network layer, an LRU layer (line replaceable unit layer), and an interface layer. So on the network layer, we have an A and B bus with remote terminals, and the remote terminals are impedance matching. They actually help with the network to communicate to the LRU. It's kind of like a standardized thing.
So it allows you to change those items out, because you have a remote terminal that is connected directly to the bus. It also helps with voltage spikes and stuff. Otherwise we call it matching impedance.

So every one of these networks, these legacy networks, has a controller. It's a hub. Every communication on the network comes and goes to the controller; it comes from the controller and goes to the controller. So I'll repeat: every communication on that network comes from and goes to the controller. Bus system errors are ignored and dropped, and then it tries again until they actually make communication. There are errors; I mean, voltage errors happen all the time on aircraft. Aircraft are incredibly noisy when it comes to voltages, vibration, and everything else you can imagine.

So we'll look at our layer two. In here we have our line replaceable units. I've got a BSIU, a bus system interface unit; a radio set, just like your COMM 1 or COMM 2 radio; ADC, air data computer; MFD controller, that's your LRU that controls the back end for your MFDs, your multifunction displays; your TCAS; transponder; and yep, that's everything that I have in there. So I did put some cross lines on here which don't show up on this slide, but they're basically between here and here, and here and here. So there's a one-way directional from the ADC to the transponder, and from the transponder to the TCAS. Now what this gives you: so you have an air data computer. When you have a transponder getting pinged by a tower, it needs to know the location of the aircraft. They actually have communication going between the ADC and the transponder. It doesn't even talk on the bus. There is some on the bus, but there's some that are completely hardwired directly into it. Same thing with TCAS. It's kind of an ad hoc system, the traffic collision avoidance system. It was ad hoc, but it does rely on all information coming from the transponder for the aircraft locational data. But I wanted to point that out. Unfortunately, it didn't show up on my slide once I changed it over, but there are one-directional lines, just like you see here, to the maintenance computer. That's what I have going from here to here and from here to here.

So also there are situations when we have radar systems that have a blanking line connecting them that isn't part of the bus. It's a little line connected between the two systems so that whenever you're using one radar system, the other one turns off. There's a lot of that inside aircraft systems. There's a lot of communication that doesn't exist on the bus, simply because of the priority. And another good example I'll explain when we get to the interface layer, layer three.

So in the interface layer, we have the maintenance computer. It's also the maintenance recorder, the maintenance output. A word about maintenance computer output: data validation is not a thing. We don't need another unit, just better codes for IDS. Now, I bring this up because a lot of people have said, what if we include an IDS, an intrusion detection system, on these network systems on the aircraft? But you don't need it. You have a controller that receives all the information already. You have a maintenance computer that kicks out all the fault buses. It can also monitor all the traffic on there. Most airframes that I've touched have different types of recorders that allow you to record the traffic, literally. So it's really just creating a program in which we can see codes that we understand, what injection looks like, code injection or an impossible hack; you spit it out in the maintenance computer, and then maintainers will have an indicator. We can actually deal with it at that point in time. So the nice thing about this system is, because of the way it is, it's sturdy. You do not need to install a lot of new systems in it to have some kind of flexibility like that.

But also on your layer three you have an emergency comm controller. There's another one that's hardware devices, hard-wired devices. So if we lose all power except for 28 volts DC, which is scary, but that's what it's there for, you have an emergency comm controller that's connected directly to a radio set. It's not along a bus; it's not on anything else. There's not even any other wires to it. It may go through some bulkheads, but that's about it. It's connected that way so the pilot and the co-pilot can have communication. We all know how important that is.

But also on this layer three, this is where COTS would be installed, commercial off-the-shelf systems. The cool thing about 1553, as I said, future-proof: you can put adapters on the layer two and then you can install COTS on layer three. I've seen this with other target acquisition systems that just happen to be modern and carried across multiple airframes, as well as other radio sets, Combat Track II, things like that. They exist as mostly commercial off-the-shelf systems, but they still communicate on the 1553 data bus.

One thing also you can do with this is the OFP loading, operational flight plan. This goes back to the software loading for the individual LRUs. Typically you'll have a maintenance computer or a software loader where you will connect to, and you flip a stem switch, and it'll actually let you load the software onto these LRUs. But understand that that information is simply coming across that bus, so, you know, as we said, input validation is not a thing, so you can imagine what kind of mess you can make with that. As you can see, I put a box around the flight management system just to help understand a lot of stuff with the data loader. You can load a lot of things into the BSIU, your flight plans and
stuff like that. And I know there's a lot of expansion with the electronic flight bag. Unfortunately, I've never touched one, but based on what I've worked with, I would understand that it would connect with the flight management system. I did do a little bit of research, but I didn't want to talk too much about it because I've never had hands-on with it. So I'm going to be asking you all a lot of questions about that when it comes around to it. And yeah, that's basically the federated digital network stack.

I want to give an example of the maintenance computer. As I said, it's very important; we kind of live and die by this thing as maintainers. Faults can ground an aircraft, and we also use a patrol machining system. So I wanted to show you, on the B-1, the CITS, the Central Integrated Test System. I could actually run ops checks from that panel. It's on the right side of the photo there, right over here. I can actually run ops checks right there, and I can also look at maintenance data for faults and things like that along the bus. It helps me tremendously when it comes to troubleshooting systems, knowing what to replace, what went wrong, and things like that. Data can also be offloaded from this, from a PCMCIA card, to a DDS, which is the deployable diagnostic system, and you can run a full test and things like that. It's basically those snapshots of the aircraft in flight, and I know other frames do the same thing; they just have different acronyms for it.

So we'll go over the different buses. There are many buses, but these ones are mine. Also, these are the only ones that fit on the slide deck. So we've got the MIL-STD-1553, federated digital; ARINC 429, another example of federated digital; and the AFDX, which is our integrated modular.

So with the MIL-STD-1553 coded language, you've got Manchester II encoding, binary phase shift keying, BPSK. That means there's no null; it's just a positive or a negative in order to send. And as you can see, you have your 1 megahertz clock, and then these are the signals that are in there: 1 megabyte per second, accuracy of 0.01 percent short term and 0.1 percent long term. That's important. As I said, data can get dropped, and when data gets dropped, your bus controller is going to send information to your maintenance computer. I've also thought about what you could do if you can mess with packets enough to where you can denial-of-service the entire network. So, you know, as I said, input validation is not a thing. So what if you could inject something in there to make it drop codes? The only thing you would need to know is the addresses on the network, and in some cases you just need to make sure you're not hitting those addresses. It's a vulnerability I've always been a little bit afraid of.

But each word is 16 bits plus sync wave and parity, and this is what the packet itself looks like. So you have a sync, a time sync, in the command word; a remote terminal address of the LRU, that's your address; the LRU subaddresses, as I showed you with the CDU and stuff here. We'll go back. Subaddress: because you have a network within a network, information is going to the BSIU, and then it's also going to have to go to these items.
That's where you have your sub-network addresses. Also, if you have really complicated LRUs, some of the modern LRUs actually have like a virtual sub-network in them to give multiple commands. It's just because they're more complicated than the original 1553 data bus was. And transmit/receive, that's typically an off/on bit to say, hey, transmit or receive. That's how important it is for comm. And then the subaddresses I was saying. So data word, that is the packet itself, everything that's going to be in there. 32 data words may be transmitted in any one message, and once again, as we said, input validation is not a thing.

So now we're going to the Boeing standard, ARINC 429, coded language. This one does have a null byte, and as you can see with the A and B, you have the exact opposite on the A and the B bus. This adds for that parity to make sure that you have a valid signal going across it. You know, it has the same thing with some errors. I don't know what the error validation is on this one because I haven't really messed with the system. But you have 32 words, 32 bits in a word, no more than 20 receivers on a single wire, and it's unidirectional on a wire and only transmits one way, and it goes up to 100 kilobytes per second, 12.5 or 50, just depends on how well your setup is. Yep, and that's the basics of that.

Here's the packet. It contains five fields to every word: parity, sign/status matrix, data, source/destination, label. So with the parity, it's for timing. SSM, as you can see right here, 31 and 30, that is your signal status matrix. Your data, that's the packet that you're going to have, that's the information in the packet. Your SDI, source/destination identifiers, and label, identifying data type. So if you understand the network on the system, maybe, maybe not, injection can happen, because input validation is not a thing.

But this is what one of those networks looks like. When you're looking at an ARINC bus, you have your general systems, whether they have commercial aircraft or military aircraft, but you still see everything is integrated along a normal data bus. So that's the problem I've always had: like, what if you can inject some stuff along, as long as you can get it on that bus and you know the addresses of things? You know, there could be some issues.

This is now onto the AFDX, ARINC 664. This is our modular system. It is the Avionics Full-Duplex Ethernet switching, and it is the Airbus standard. It has 128 data terminals per controller, two megabytes per second, each word is 32 bits, and COTS integration. So with the other stuff, we had to do COTS with adapters, special LRUs, things like that. This is in the system itself, because it speaks on TCP/IP. Because it speaks on that, it's COTS integrated, but you also know the dangers of bringing foreign devices and putting them on any network; not a big fan of BYOD anyway. And inside this, this is the frame that we're going to speak, the AFDX frame. The AFDX frame is 802.3 compliant. Layout is very similar to Ethernet framing; can be transported via COTS, as I said. It exists on the OSI layer two. The structure of the IPv4 header remains unchanged. Yes, and as I said, input validation is not a thing. So yes, this is inside of a TCP/IP packet when communicating on the ARINC 664 network.

So we went over some basic systems that I understand. There's more out there, but these are primary; these are our main ones. So we're going to go over commercial off-the-shelf devices, how they can be used as an attack vector, local data connections, external data connections,
and people. Always with the people. I do want to change that to pilots, because I know you guys, what do they want, to mess my stuff up? But people in general, yeah, they're the worst thing we know for security.

So we look at network hubs. This is the commercial off-the-shelf system stuff. There's network hubs, USB hubs, literally commercially designed for IT infrastructure; surprisingly enough, COTS protocols and services as well. So there's a lot of stuff in there. So this laptop right here, I wanted to show this to you. You can see what Windows version is on there. The username and password is underneath the sticky, which makes sense, because when it comes to maintenance, things have to be standardized for quickness. You know, I need to be able to hand this to an airman and hand them the book on how to do it, and I've seen the same thing with commercial aircraft, and then they go through and follow the instructions. The problem is, even on the 1553 data bus, whenever I was loading the OFPs, operational flight programs, into stuff, which is just software updates, for security, sustainability, sometimes adding new features, they use standardized COTS. That's not cost, COTS services, I guess is the best way to put it. I've used FTP, SFTP, HTTP, Telnet and SSH to move files around along that network. None of those are vulnerable at all, are they? Come on, say it with me again: input validation is not a thing.

So I wanted to give you a good picture of what this looks like. This is the USB; I mean, it says right there, plug it into the laptop, and we're able to connect directly to the network, and you run a few softwares in order to load things. So it's pretty straightforward. This is whenever you have the standard processors and you're loading software on them along the network. I just wanted to show you what the hardware looked like so you can get an idea. They also introduce attack vectors, as I was saying. What if I wanted to load some bad stuff in the inertial navigation unit, or the air data computer, or the primary flight computer? If they have standardized this unit and I have physical access to the aircraft, I could quite possibly put some stuff in there to make it non-operational. And I have some examples of OFP and real-world stuff towards the end of this slide deck, just things that we've seen in the news and that I've been able to see with my own research and stuff.

So other things to look out for: maintenance data media. As I said, in my case it was a PCMCIA. There's a lot of other airframes that use different stuff: hot-swappable hard drives, USB cards, and SD cards. I've seen many of those things used in laptops connected to networks. It's that whole BYOD. You've got to make sure everything's sanitized before you bring it, but those are possible vectors.

Now, so we go with external data connections as vectors. So, sending the bus code directly to a component with a proper address and command for the specific bus. So, you know, if we could receive CPDLC information, it is going along that bus. It's going along the main network system. So what would it take to inject some code into that, because input validation is not a thing? I want to go over CPDLC, ACARS and FANS, which is the Future Air Navigation System, because that's everything that we want to build on in the future for making aircraft more safe. We're using FANS, and it's a very unstable system. I'll show you in just a second. The cool thing about CPDLC: using text messages to take off and land. I don't know if I should bring this up, if someone at the talk... Joshua Smailes of the University of Oxford is covering this very well, and I suggest that you watch this. We actually have the same resources when it comes to doing this on your own as well, but he broke down everything, as far as I can imagine, just exceptionally well put together, and I enjoy it. I got a lot of questions for you too, Josh, so it's going to happen.

CPDLC, the controller pilot data link controller.
I just wanted to show this to you. It's running on VDL2, VHF Data Link 2. That's the problem, and I'll explain that in a moment. As I said, it's used for sending clear messages back and forth. VHF band use, that's what the VDL2 is. And then ACARS, which is the Aircraft Communications Addressing and Reporting System. I believe there was a talk about this last year. The airframe that I worked on with ACARS was the C-5, and it was used for weather updates, and all it did was print out on a printer. But the problem is, you can receive information through ACARS on the VHF data link, and it's going across the 1553 bus. So, you know, it's not secure. There's no way to secure it, and any kind of code is in there. In fact, you can just receive it on your own. I believe there's a project in my notes here that lets you receive ACARS data if you like. So it's on VHF and HF; receive data to print on the thermal paper. That's what I was talking about with the weather. Relies on readily available commercial networks, and also a VDL2 project.

So I wanted to show you what FANS was, Future Air Navigation System. A lot of these systems are going to be coming out; they're going to rely on this VDL2. So I have a feeling that if we understand VDL2 enough, we'll be able to take apart these systems, like they need to be tested and looked at. So that's VHF, limited to 200 nautical miles. I have an aircraft at 3,000 or 4,000 feet, and that's the project I was talking about, SDR, dumpvdl2 on GitHub, and I do have a link to it.

This is what the packet looks like: your transmitter synchronization, reserve, length, header data, FEC data, and you have another data frame and then the FEC, and 85 bits. Now this is kind of confusing, but I actually have a better breakdown of it showing the network layers 1 through 7, the application, presentation, session layer. Now as I said, if you go to this project, you'll be able to understand this data link better, and you'll be able to take apart all these other systems that consist of the ACARS and the CPDLC, because they all rely on the VDL2. Which is fine, but there are ways that we need to start encrypting it. A pre-shared key, I believe, was one of the suggestions made, and that's, in my opinion, one of the best ways to go. I mean, it's worked out really well with IPv4. But overall, like the infrastructure of that, it's not very secure. So this is what we have.

So these are the hurdles. If you want to hack aircraft, these are the hurdles. You have to understand the aircraft infrastructure that you're trying to hack. You have to understand specific components and their functions. You have to have physical access to a lot of the hardware. That's really hard; aircraft components are very expensive and very difficult to get a hold of. Same with the testing, tabletop access to that software and hardware. I've actually been looking for 1553 software. Everything runs on old Windows systems, and I'm having a hell of a time, because aeronautical engineers just tend to be that way. They've been putting a lot of things together on those older systems and all the older legacy systems, and that's just the way they design stuff. Also, learning the insane amount of acronyms. I mean, you've got VDL, ADS-B, UHF, EHF, INS, ADC, DFDR; you've got all this stuff. You've got to learn those acronyms.
There's a lot of them for aircraft. But the SDR will open the door for many, and that's why I put the SDR projects in here.

So addendums, things that are happening. These are things going on right now. A lot of you might be familiar with the Bombardier data leak. I went through it myself as a maintainer, and it's sensitive, but it didn't seem too bad. But I'm also not a really in-depth radar engineer. So what I found from it was, yeah, okay, now I know the center of gravity of the aircraft, and I know a data linkage at a certain position on the aircraft, but it really wasn't a lot from that. But in the future there probably could be some more leaks that are more damaging than that. With the radar, all I saw was what the waveguide looked like, the guide where the RF goes through, and the physical structure of it. But as long as I don't see the software structure, there's not a lot leaked there.

So, software: as I was saying, how sensitive the software can be. We all know that the 737 MAX accidents that were happening were because they did a physical change on the aircraft, but they didn't do an OFP upload. So what if you were to manage to get a hold of the legacy OFP, load it into an aircraft, and now you've ruined it again, and it was all based off of center of gravity. It's needed to understand how sensitive some of this information can be. And of course, as of recently, the U.S. government probes aircraft loans; only a matter of time. They also understand that this is a very sensitive system. It is only a matter of time before we have some really bad vulnerabilities.

And that's it. There are my references. I suggest you all use them as much as you can. All the links still work, and this is an amazing amount of information. Even I still learn from it sometimes. These are basically the white papers for a lot of these. Thank you. It was wonderful talking to you today.
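As an added example that is not part of the talk or its references: word-level decoders for the two federated-digital buses the speaker walks through (the MIL-STD-1553 command word and the ARINC 429 word), with the parity and field checks that a bus controller drops on and that a maintenance-computer monitor, which the speaker argues is all the IDS you need, could apply. Field layouts follow the published standards; every sample word, label and RT map is constructed for this example, and `check_command` assumes the bus definition (which RT uses which subaddresses) is known to the monitor.

```python
"""Added example, not from the talk: decode 1553 and ARINC 429 words with the
checks the speaker says are missing. Field layouts follow the published
MIL-STD-1553B and ARINC 429 formats; sample words and RT maps are constructed."""
from dataclasses import dataclass

# MIL-STD-1553B command word: 16 bits (MSB first) plus one odd-parity bit.
#   [15:11] remote terminal (RT) address, 31 = broadcast
#   [10]    T/R bit, 1 = RT transmits, 0 = RT receives
#   [9:5]   subaddress; 0 or 31 means the low field carries a mode code
#   [4:0]   data word count (0 encodes 32) or mode code
BROADCAST_RT = 31
MODE_CODE_SUBADDRESSES = (0, 31)


def odd_parity_bit(value: int, nbits: int) -> int:
    """Parity bit that gives the low nbits of value plus the bit an odd number of ones."""
    ones = bin(value & ((1 << nbits) - 1)).count("1")
    return 0 if ones % 2 else 1


@dataclass(frozen=True)
class CommandWord:
    rt_address: int
    transmit: bool
    subaddress: int
    count_or_mode: int

    @property
    def is_mode_code(self) -> bool:
        return self.subaddress in MODE_CODE_SUBADDRESSES

    @property
    def word_count(self) -> int:
        """Data words that follow the command; a zero count field means 32."""
        if self.is_mode_code:
            return 0
        return 32 if self.count_or_mode == 0 else self.count_or_mode


def encode_command_word(cmd: CommandWord) -> tuple:
    """Pack a CommandWord into (16-bit word, parity bit)."""
    word = ((cmd.rt_address & 0x1F) << 11 | int(cmd.transmit) << 10
            | (cmd.subaddress & 0x1F) << 5 | (cmd.count_or_mode & 0x1F))
    return word, odd_parity_bit(word, 16)


def decode_command_word(word: int, parity: int) -> CommandWord:
    """Decode a command word, rejecting what a bus controller drops: bad size or parity."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("command word must be 16 bits")
    if parity != odd_parity_bit(word, 16):
        raise ValueError("parity error")
    return CommandWord((word >> 11) & 0x1F, bool((word >> 10) & 1),
                       (word >> 5) & 0x1F, word & 0x1F)


def check_command(cmd: CommandWord, rt_map: dict) -> list:
    """Monitor-side checks a maintenance computer could run on every command word.
    rt_map (assumed known from the aircraft's bus definition) maps RT address ->
    set of subaddresses that RT actually uses."""
    findings = []
    if cmd.rt_address == BROADCAST_RT:
        if cmd.transmit and not cmd.is_mode_code:
            findings.append("broadcast command asks every RT to transmit")
    elif cmd.rt_address not in rt_map:
        findings.append(f"command to unconfigured RT {cmd.rt_address}")
    elif not cmd.is_mode_code and cmd.subaddress not in rt_map[cmd.rt_address]:
        findings.append(f"RT {cmd.rt_address} has no subaddress {cmd.subaddress}")
    return findings


# ARINC 429 word: 32 bits numbered 1..32, bit 1 sent first. Bits 1-8 label
# (sent MSB first, so the field is bit-reversed), 9-10 SDI, 11-29 data,
# 30-31 SSM, 32 odd parity over the whole word.
def _reverse8(value: int) -> int:
    return int(f"{value & 0xFF:08b}"[::-1], 2)


def encode_arinc429(label_octal: int, sdi: int, data: int, ssm: int) -> int:
    if not (0 <= label_octal < 256 and 0 <= sdi < 4 and 0 <= data < 1 << 19 and 0 <= ssm < 4):
        raise ValueError("field out of range")
    word = _reverse8(label_octal) | sdi << 8 | data << 10 | ssm << 29
    return word | odd_parity_bit(word, 31) << 31


def decode_arinc429(word: int) -> dict:
    """Split a received word into its fields, rejecting bad size or parity first."""
    if not 0 <= word <= 0xFFFFFFFF or bin(word).count("1") % 2 == 0:
        raise ValueError("bad ARINC 429 word (size or parity)")
    return {"label": f"{_reverse8(word & 0xFF):03o}", "sdi": (word >> 8) & 3,
            "data": (word >> 10) & 0x7FFFF, "ssm": (word >> 29) & 3}
```

The `check_command` findings are the kind of "codes we understand" the speaker wants the maintenance computer to emit: a command to an RT address that is not in the aircraft's bus definition, or a broadcast that would make every RT transmit at once, is exactly what injected or corrupted traffic looks like at the word level.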