Your SlideShare is downloading. ×
Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Hugo Teso - Profundizando en la seguridad de la aviación [Rooted CON 2014]

1,692

Published on

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,692
On Slideshare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
8
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Going Deeper AVIATION SECURITY on 2014
  • 2. Safety IS NOT Security 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 3. Part I Previously on... Part II Faster, Stronger and Higher Agenda 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 4. PART I Previously on... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 5. Attack Review Info Gather ✈ ACARS Exploit ✈ SYSTEMS Discovery ✈ADS-B http://blog.nruns.com/blog/2013/10/14/Aviation-Security-Hugo/ 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 6. ADS-B In/Out Aircraft Position Speed, Altitude ... Discovery Target discovery/mapping GSP and/or SDR Passive m onitoring 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 7. ACARS Flight Plan, DB Systems updates ... Gather System enumeration 011010101001010100101011101111100000 010101010101001001010101000101010101 010101100000010101010000011110111000 Passive m onitoring 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March Info
  • 8. ACARS MALFORMED DATA ... Exploit System exploitation 011010101001010100101011101111 010101010101001001010101000101 010101100000010101010000011110 GSP and/or SDR 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 9. Complexity++ 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 10. ATTACK++ 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 11. Worldwide targeting Fewer requirements Standard technologies The “glue” of the aviation ecosystem Worldwide targeting Fewer requirements Standard technologies ✈ ✈ ✈ 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 12. [URL] + "></span></td></table></form> <script>alert('XSS')</script><" 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 13. [GDC ID] = meow" id="gdc_id" /><br/><script>alert('XSS')</script><" 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 14. » Send messages » View position reports » Advanced search » Activity logs » Export data » ... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 15. Complexity-- Not from a phone they said... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 16. DEMO TIME! How Is that useful? 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 17. PART II Faster Stronger Higher! 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 18. The Internet 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 19. Send me two! No Credit card? 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 20. Erm... I... nop :'( Do you have an aircraft poor lad...? 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 21. 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 22. Thanks ARINC! :D Next day on my mailbox... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 23. Who cares... ¡it's FREE! 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 24. AMI (Airline Modifiable Information) Modifying system functionality with new software instead of with new hardware... ● All Boeing ● All Airbus ● Etc ... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 25. LSP (Loadable Software Parts) OPC* ✈ Confg AMI ✈Airline OPS* ✈Software * Operational Program Software/Confguration 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 26. LSP (Loadable Software Parts) ● Operational program software (OPS) ● The operating system of a Line Replaceable Unit (LRU) ● Operational program confguration (OPC) ● Specialized DB that determines the LRU confguration ● Database ● FMC NDB, Engine, Performance, takeofs, ACARS, etc. ● Airline modifable information (AMI) ● Supplies information to the OPS ● Include logic units, which are high-level program code 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 27. LSP (Loadable Software Parts) Attack vector? (...) Digital storage media (typically 3.5-in disks) 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 28. 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 29. Stubborn as I am... AMI Wireless data loader 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 30. TELEDYNE TECHNOLOGIES 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 31. TELEDYNE TECHNOLOGIES Teledyne LoadStar Server Enterprise Eliminate media (foppy disks, CDs) Web-based distribution instantly transfers Software Parts to data loaders and directly to the aircraft via wireless links This integrated solution makes it possible to electronically distribute Software Parts from desktop to data loaders across the feet with a single press of a button 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 32. TELEDYNE TECHNOLOGIES A reliable and cost efective way to move data on and of the aircraft Simultaneous use of 3G/4G cellular radios using enhanced HSPA Requires a Wireless Access Point in or near the cockpit. 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 33. TELEDYNE TECHNOLOGIES Supported Aircrafts Boeing 787, 747-8, A380 and A350 Airbus EFB and Boeing EFBs All legacy aircraft A320, A330, B737, B747, etc. Boeing 777 and Embraer ERJ 170/190 Targets! Targets! Targets! In use at over 40 airlines worldwide 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 34. TELEDYNE TECHNOLOGIES Load Confgurations Fight Management Systems (FMS) Integrated Display System (IDS) Aircraft Condition Monitoring System (ACMS) Advanced Cabin Entertainment and Service System (ACESS) Central Management System (CMS) Automatic Flight System (AFS) Centralized Fault Display System (CFDS) Aircraft System Controller (ASC) Flight Management Computer System (FMCS) Electronic Display System (EDS) Aircraft Data Acquisition System (ADAS) FMS: NZ 2000 / Mark III CMU? 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 35. 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 36. New Attack WiFi, 3G/4G WiFi/3G/4G MALFORMED LSP/AMI/NAV DB ... System exploitation Fleetdeploym ent 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 37. Delivery Used by over 100 operators 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 38. Delivery Finding targets... Help me? 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 39. My two cents Airlines Maintenance How to get the code? Either... Or... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 40. Source Code Training SW System SW ¿Simulator? 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 41. Source Code Training SW Compile 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 42. Source Code Training SW System System System System Emulated Compile 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 43. Emulated Source Code Training SW System System System System RCE Compile 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 44. Emulated SAME Source Code Real SW Compile 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 45. Emulated SAME Source Code Real SW System System System System Emulated Compile 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 46. VxWorks An embedded, RTOS developed by Wind River Systems ● Multitasking kernel ● Preemptive and round-robin scheduling ● Fast interrupt response ● User-mode applications ("Real-Time Processes", or RTP) ● Isolated from other user-mode applications as well as the kernel via memory protection mechanisms. ● SMP and AMP support ● Error handling framework ● Binary, counting, and mutual exclusion semaphores with priority inheritance ● Local and distributed message queues ● POSIX certifed 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 47. VxWorks Really...? ● All “applications” run as kernel threads ● Little memory protection between apps ● Everything runs with the highest privileges ● ...but not necessarily the highest priority. Fun with VxWorks (H D Moore) 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 48. DEMO TIME! 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 49. Catenstein! Project... 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 50. Catenstein 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 51. Airplane I can't haz... Aircraft sensors AutopilotFMS 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 52. Drone I can haz... Aircraft sensors AutopilotFMS 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 53. Catenstein Sensors Telemetry REAL CODE Brain transplant 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 54. DEMO TIME! 2014 Rooted CON 2014 6-7-8 Marzo / / 6-7-8 March
  • 55. hugo.teso@nruns.com since 2009 @hteso http://www.commandercat.com http://blog.nruns.com Hacking Aircrafts 2014

×