“The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot … [it] does not pose a flight safety concern because it does not work on certified flight hardware.” FAA commented.
“We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage. The ability to disrupt, inspect, modify or re-route traffic provides an invaluable opportunity to carry out attacks,” Santamarta wrote in his paper.
“In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it.” “These devices are wide open. The goal of this talk is to help change that situation.” Santamarta anticipated to the Reuters media agency.
As explained by Santamarta wrong design habit in the firmware of the device, hardcoded credentials, implementation of insecure protocols, presence of backdoors, and adoption of weak password reset processes are some sample of the flawed processed identified on the SATCOM equipment.
The improvements confirm the possibility that attackers, under particular conditions, may harm the security of the flights. Boeing announced that it was upgrading the 777-200, 777-300 and 777-300ER series with the new security features.
“These special conditions are issued for the Boeing Model 777-200, -300, and -300ER series airplanes. These airplanes, as modified by the Boeing Company, will have novel or unusual design features associated with the architecture and connectivity of the passenger service computer network systems to the airplane critical systems and data networks. This onboard network system will be composed of a network file server, a network extension device, and additional interfaces configured by customer option. The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards,” states the report.
As described in the above announcement, the experts at Boing were concerned about the possibility that the passenger inflight entertainment system would be connected to critical systems of the aircraft.
The “open door” for hackers are passenger seatback entertainment systems which have USB ports and come with Ethernet. Before the modifications mentioned, there was no “separation” between entertainment systems and the overall network of the aircraft. Boeing requested the Federal Aviation Administration the permission to add a “network extension device” to separate the various systems from each other. The design features designed for Boeing Model 777-200, -300, -300ER series airplanes include an on-board computer network system and a network extension device to improve the domain separation between the airplane information services domain and the aircraft control domain.
Let’s wait for the Santamarta presentation …
(Security Affairs – satellite, hacking)