Hi everyone, I'm Alex and joining me is my colleague Phil. We both work for Pen Test Partners in the UK and we're going to talk about a couple of in-flight entertainment systems we recently worked on: one really, really ancient and one absolutely more recent. Both of these were on decommissioned 747s, sadly laid up due to the downturn in travel last year. But I guess the upside from a hacker perspective is that we were able to go and have a good poke at them without fear of leaving things in an unserviceable or dangerous state, because they were just going to get broken up anyway. Just before we continue, I want to be really clear that this first picture is not one of the aircraft we worked on. We're just being a bit careful about identifying the aircraft that were broken up and the operators, just in case they're a bit sensitive.

So just to give you a taste of the glamorous life that we lead and an idea of the aircraft vintage: these ports and computers and keyboards were absolutely grim. I'm pretty sure they'd never been cleaned in the entire aircraft's history. So yeah, this is the kind of thing that you're going to come across if you're scrabbling around an aircraft. Take gloves is the advice. Yeah, take gloves, absolutely.

So our first system is actually based on lovely old NT4. We found it in what is termed the cupboard under the stairs on the 747. This is usually reserved for the cabin crew or the senior cabin crew and it's kind of where they hide out during the flight. So although it is in the cabin, it's still in a trafficked part of the aircraft and usually crew are going to be around there, so it's not particularly accessible on the sly. On this particular IFE the control unit has a keyboard and a monitor and a rack of media servers for content, things like today's news and the crappy TV shows that they're going to have.

So yeah, as we turned it on we found it was NT4, which totally makes sense because when this aircraft was built in the mid 1990s NT4 was bleeding edge and current. Once it's booted up into its normal mode there is actually some semblance of security. The cabin crew are forced to use... I mean, it's an ID only, there's no username and password, but at six or seven digits it's still millions of combinations, and realistically you're not going to be able to brute force it via that console in flight in any reasonable time, or frankly without being noticed anyway. But when it booted up we could interrupt that through the keyboard, and it was really good to see MS-DOS making an appearance under the hood. Actually, if we looked at the build of the software that was in use, although the actual hardware was made in the 1990s it was still being updated through to 2009 even. So although that might seem a really long time, these aircraft were designed decades ago and it takes a long time to design and certify aircraft and all the kit that goes on them. So you would expect to see things with much longer longevity than a standard computer, and if you've touched anything in operational technology then this isn't actually too bad. One of the biggest problems that I think we were faced with was actually having to remember how to do stuff on NT4. So there was a lot of us typing things into the machine trying to work out what it was doing, and we were actually having to get our phones out and Google cheat sheets to do various things whilst we were there. So yeah, it's one of those things, you kind of forget how to do things. If we connected to some of those really scuzzy network ports that we found at the beginning we got a DHCP address and we found ourselves on the same network as our good old NT4 box.

And yeah, there's IIS right there, and making another appearance, the NT4 Option Pack. It's great stuff. So again we're starting to think this is going to be a complete walkover, pwning this box. Another thing we found on the console was that you could actually write and upload content to floppy disks, so that was really great to see. Last year I think we showed, and it went really viral, that floppy disks were being used to update the NAVDB on a 747, and yeah, here we are at the other end of the aircraft and floppy disks are being used to export and import content onto these things. So Phil, tell us how we ended up pwning this box.

Yes, so as you said, lots of it was Googling. The archive.org internet history came in very helpful for cached pages from the mid 90s. But rather than trying to do all this on the plane, at what is quite a steep $250 per hour for the fuel, we decided to build our own lab, which in itself was a bit of a challenge to find the right ISOs to get the Option Pack installed and working. But we thought it would be a good lesson. Myself, I was learning how to add up when NT4 was in use, so I'd never really played with it before, so quite a good history lesson for all of us. What we found was, we spun up our lab and we were having a play, and a lot of the tools that we use now just don't work. Metasploit doesn't have NT4 modules that work very well. Mimikatz, I don't know what else there is, we can't use that. So we really had to go back to how sysadmins and hackers did this pre point-and-shoot, effectively. What we found were two main exploits, and both of them used IIS and both needed the Option Pack to do it, so we were quite lucky that the plane was that up to date, even if it's that far behind.

The first one was documented by SANS back in the year 2000. This is a directory traversal, and it's quite a nice simple directory traversal. The only complication with it now is that NT4 used UTF-16 rather than the modern UTF-8, so the encoding characters were different. Once you've got your head around that and how to do it, it was fine: it was a standard directory traversal that let you get to cmd.exe and then put in a variable as your command, so we could ping back. NT4 by default has an open FTP, so we were able to put netcat on there, get a connection back and get remote code execution on an NT4 box, which was really cool. The only problem with that is that with the directory traversal the operating system and IIS still have to be on the same drive, so it all has to be on the C drive. If IIS followed best practice and was on the D drive it wouldn't work. Now we had no idea how it was configured on the plane, so what we really didn't want to do is spend another day, another thousand pounds on fuel, to find out that they'd followed best practice and it's sitting there on the D drive. So we managed to find a second exploit. This again used IIS, but this was using the Microsoft Data Access Components, and effectively it's the database that sits behind IIS. What happens there is there is the shell command, so you are able to access that database through IIS and call that shell command. This worked however it was configured, so if it was on a different drive this would still work because it was using that core database function. So for us, brilliant, two ways in, and the second one is guaranteed. So right, let's work out, once we're in, how are we going to get the passwords, how are we going to work out what to do next, get that persistence. Now one thing that I wasn't aware of from back in the 90s is how critical having the correct DLL in the correct folder was. With Windows 10, instead of NT4, it's pretty clever, it works it all out, but putting pwdump on there without the DLL will give you hours of headaches. Put the DLL on there and pwdump works immediately, and then we were able to crack the hashes that came out.

So we're ready, we're great, let's book another trip to the yard. Unfortunately, the fact that it was a breaker's yard meant they also had work to do, and their work sadly involved breaking up the plane that we were on. So we organised a visit, we all travelled down there, and the moment we arrived we got told that plane effectively no longer exists, here's another one if you want to have a go. So we went onto the plane and it was different. It was not old... it was again the same age of plane, but they'd recently done an update to the whole IFE system, so this time it was a Bionic Beaver Ubuntu box rather than NT4, so not even in the same family of operating systems. Effectively we had to start again, but because all the IFE was being updated it meant that there were new vectors and new things that we could look at, which was nice. So they had Wi-Fi on this plane, which is brilliant, with a nice classic... who doesn't love a master Wi-Fi switch. And then there were slightly cleaner, I'm happy to say, RJ45 ports that we could use. Now the Wi-Fi gave us access into the IFE, which is great, we could have a bit more comfort, but you still have to be on the plane to access this, and the IFE is still a closed system so you can't go completely nuts from your seat. Managing to turn off the Wi-Fi might be a bit annoying for some business travellers, but other than that not too much of an impact. What it did mean is we had a whole new system to look around. So what we found was quite a few open web applications. A lot of them didn't have much on; there were quite a few with strong passwords that we couldn't get through in the time that we had, and running password brute forces against them didn't result in anything. But running DirBuster, GoBuster, whichever tool you like, managed to find a config page, and in that config page were S3 bucket details, which is crazy to think: a plane from the 90s using up-to-date S3 details. It was brilliant. So we had a chat with the vendor and they said okay, sure, what would you be able to do. So we logged on; it was really broad access for the S3 bucket, and what it hosted was all the daily movies and news broadcasts. As the plane was there, ready to take off, it would download all the news broadcasts for the day from the S3 bucket. So what could you do? You could replace the news with something funny, you could delete all the media, that'd be a bit annoying, maybe Peppa Pig rather than the news, who knows. But we spoke to the vendor and they quickly fixed that and have changed it for however many planes that was used on.

What there was also, which was really quite fun, was a very tempting number pad. Now we love a good number pad: a fixed amount of options. What was great about this one was there was no brute force protection, so with no brute force protection a lot of tools can rapidly go through a lot of numbers, and we managed to get access. What was great about that was it gave us access to all of the seatbacks, so with one click you can change every single screen to be the maintenance screen. It looked quite cool, nice bright colours on a plane where you could see 50 rows of seats, it looked quite impressive. Again, reputational damage, a little bit annoying if you've just got on a 12 hour flight to Australia, but other than that no real harm done. The network: we kind of had a sniff around the network, and as you'd expect in these kinds of environments there were plain text protocols, you could sit and you could sniff, but in reality none of it would really get you that far other than the ability to irritate your passengers. I just love this because it's like the cloud in the clouds to me.

And I think, yeah, it's reputational damage if it goes down, but an awful lot of airlines give out frequent flyer miles or some kind of compensation if your IFE doesn't work, and if that was a whole aircraft that could actually add up to a fair amount of money for an operator. So yeah, it's not a safety critical thing, but it could be financially annoying and maybe wipe out the revenue for that aircraft. We found that the router that was used for satcom and for the 4G on the ground had been removed when the aircraft went for decommissioning, so we couldn't have a poke at those unfortunately, but they did kindly leave the password behind in the cupboard. That seems quite routine; we've often seen passwords written on the sides of bulkheads of aircraft and ships and stuff like that, so that's really common. The IFE seat boxes themselves: here's a delightful view of one of my colleagues trying to get one out. What we found was that they use DOCSIS, which is the cable TV protocol that probably runs to your home, and the reason DOCSIS is used is because it's lighter to run a ring between all the seat boxes than it is a traditional hub and spoke Ethernet model, and also you don't need to manage your switch. Obviously it took us ages to get these out from the seats; it was a really awkward position, it had weird screws, I think we cut ourselves a couple of times doing it, it was a right pain. So practically speaking you're not going to be able to do this on a busy flight when there are people's feet in the rows or it's crowded. All these do is play videos basically, so there's not a lot of interesting stuff. We did open them up to have a look, but again inside there's not that much interesting stuff on there, apart from the SSDs at the bottom there, where the media for this particular vendor is stored on all of the seat boxes rather than on a central media server. So it's kind of sharded out, which is kind of interesting and again kind of saves weight and gear on board. Yeah, again, getting access to this stuff is going to get you spotted, I think. It definitely didn't go back in either. Yeah, it was a real pain to put back together.

So the only other portion of this was a module, a line replaceable unit, down in the avionics bay, and this is used for generating the moving map. Everyone likes to see where they are and how long they've got left, the "are we nearly there yet" kind of attitude. Again there was an RJ45 port on the front that dropped you onto the same network. Does it really count? I mean, not really. If you saw my walkthrough of the 747 last year you'll know that there is actually access to the avionics bay from the cabin on a 747, but again you're going to get spotted pretty quickly, it's noisy, it's horrible, I wouldn't want to be in there in flight. Again, it's not going to get you anything you couldn't get anywhere else anyway. So practically speaking it's pretty difficult. Now both these airframes are retired now, and I think it's important to remember that when you are working on research in these kinds of areas, just because it's old doesn't necessarily mean that it's not in use somewhere else in the world, and the more recent, up-to-date one is definitely still in use. We've spoken with both of the IFE vendors involved here. They were really responsive, they addressed the current issues where they needed to and where it had the potential to impact current operations, and they were quite happy for us to talk through these issues and publish. Again I just want to reinforce that there is strong segregation between what is called the passenger domain and the control domain, so you can't just connect to the network port for the IFE and suddenly be able to control the airplane.

So although we might be able to play our own videos and maybe brick the IFE, there's no real safety impact from these kinds of systems. But if you are researching these then you really, absolutely need to be careful how you present and discuss these issues. Media outlets are certainly going to jump on reports like this if they're not handled in the right way, so it's definitely worth bearing in mind if you're researching these issues. To sum up then: definitely really interesting things we found. Pretty much as with most walks of operational technology there's going to be outdated components, clear text protocols, lots of old hardware, things you can plug into. But unless you are researching a decommissioned aircraft, I think it's important to again say that these older systems probably don't reflect the current state of new IFE particularly. And of course don't forget we've got a fair number of physical security controls: these aircraft are always going to be airside, behind security at airports, you're never going to be allowed to roam around on one on your own, it's all going to be crew and other people around who are trying to look out for people tinkering with things with screwdrivers. So yeah, it's fun nonetheless, but practically speaking there's not much you can do with them. Moreover, I think it was a great trip down memory lane on the NT4 front, having to relearn how we did stuff 20 years ago. So that's what my takeaway was. Well, you say relearn, I did that for the first time. Yeah, yeah, definitely, I remember NT4, it was bleeding edge. Anyway, thank you, thank you so much, and thank you Phil for talking us through some of these great things. No problem, thanks Alex, cheers.